From freeipa-github-notification at redhat.com Wed Mar 1 04:00:52 2017
From: freeipa-github-notification at redhat.com (frasertweedale)
Date: Wed, 01 Mar 2017 05:00:52 +0100
Subject: [Freeipa-devel] [freeipa PR#522][opened] dogtag: remove redundant property definition

URL: https://github.com/freeipa/freeipa/pull/522
Author: frasertweedale
Title: #522: dogtag: remove redundant property definition
Action: opened

PR body:
"""
The dogtag `ra' backend defines a `ca_host' property, which is also defined (identically) by the `RestClient' class, which recently became a superclass of `ra'. Remove the redundant property definition.

Part of: https://pagure.io/freeipa/issue/3473
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/522/head:pr522
git checkout pr522
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-522.patch
Type: text/x-diff
Size: 1640 bytes
Desc: not available

From freeipa-github-notification at redhat.com Wed Mar 1 06:24:45 2017
From: freeipa-github-notification at redhat.com (frasertweedale)
Date: Wed, 01 Mar 2017 07:24:45 +0100
Subject: [Freeipa-devel] [freeipa PR#523][opened] cert-request: minor refactors

URL: https://github.com/freeipa/freeipa/pull/523
Author: frasertweedale
Title: #523: cert-request: minor refactors
Action: opened

PR body:
"""
A couple of minor refactors done as part of GSS-API work (https://pagure.io/freeipa/issue/5011).
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/523/head:pr523
git checkout pr523
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-523.patch
Type: text/x-diff
Size: 5327 bytes
Desc: not available

From freeipa-github-notification at redhat.com Wed Mar 1 06:37:27 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Wed, 01 Mar 2017 07:37:27 +0100
Subject: [Freeipa-devel] [freeipa PR#444][comment] Allow nsaccountlock to be searched in user-find commands

URL: https://github.com/freeipa/freeipa/pull/444
Title: #444: Allow nsaccountlock to be searched in user-find commands

HonzaCholasta commented:
"""
No, it's not the right approach. This is an issue in the framework and that's where it needs to be fixed - in the framework - rather than working around the issue in every plugin which hits it.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/444#issuecomment-283257953

From freeipa-github-notification at redhat.com Wed Mar 1 06:48:42 2017
From: freeipa-github-notification at redhat.com (dkupka)
Date: Wed, 01 Mar 2017 07:48:42 +0100
Subject: [Freeipa-devel] [freeipa PR#511][comment] Bump required version of gssproxy to 0.6.2

URL: https://github.com/freeipa/freeipa/pull/511
Title: #511: Bump required version of gssproxy to 0.6.2

dkupka commented:
"""
@stlaz And do we need the fixes going to 0.6.3. for FreeIPA to work properly? Is there any fix that actually affects us planned for 0.6.3?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/511#issuecomment-283259608

From freeipa-github-notification at redhat.com Wed Mar 1 06:51:53 2017
From: freeipa-github-notification at redhat.com (dkupka)
Date: Wed, 01 Mar 2017 07:51:53 +0100
Subject: [Freeipa-devel] [freeipa PR#511][synchronized] Bump required version of gssproxy to 0.6.2

URL: https://github.com/freeipa/freeipa/pull/511
Author: dkupka
Title: #511: Bump required version of gssproxy to 0.6.2
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/511/head:pr511
git checkout pr511
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-511.patch
Type: text/x-diff
Size: 811 bytes
Desc: not available

From freeipa-github-notification at redhat.com Wed Mar 1 06:53:34 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Wed, 01 Mar 2017 07:53:34 +0100
Subject: [Freeipa-devel] [freeipa PR#515][comment] Re-add ipapython.config.config for backwards compatibilty

URL: https://github.com/freeipa/freeipa/pull/515
Title: #515: Re-add ipapython.config.config for backwards compatibilty

HonzaCholasta commented:
"""
Could we please revert to the original `IPAConfig` implementation rather than wrapping around `api.env`? I know I'm the one who suggested it, but I have given it some thought and I would rather not have to import from `ipalib` into `ipapython` and keep the original behavior intact.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/515#issuecomment-283260315

From freeipa-github-notification at redhat.com Wed Mar 1 06:54:55 2017
From: freeipa-github-notification at redhat.com (abbra)
Date: Wed, 01 Mar 2017 07:54:55 +0100
Subject: [Freeipa-devel] [freeipa PR#444][comment] Allow nsaccountlock to be searched in user-find commands

URL: https://github.com/freeipa/freeipa/pull/444
Title: #444: Allow nsaccountlock to be searched in user-find commands

abbra commented:
"""
nsaccountlock is an operational attribute, not a normal one. I don't like it being created all the time. You have to request it explicitly if you want to show status of users, not invent a mechanism to always add it.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/444#issuecomment-283260530

From freeipa-github-notification at redhat.com Wed Mar 1 06:56:32 2017
From: freeipa-github-notification at redhat.com (dkupka)
Date: Wed, 01 Mar 2017 07:56:32 +0100
Subject: [Freeipa-devel] [freeipa PR#511][comment] Bump required version of gssproxy to 0.6.2

URL: https://github.com/freeipa/freeipa/pull/511
Title: #511: Bump required version of gssproxy to 0.6.2

dkupka commented:
"""
@puiterwijk @MartinBasti with the redirection working it's not needed. But I should get used to paste links to pagure. Updated.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/511#issuecomment-283260762

From freeipa-github-notification at redhat.com Wed Mar 1 06:58:46 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Wed, 01 Mar 2017 07:58:46 +0100
Subject: [Freeipa-devel] [freeipa PR#511][comment] Bump required version of gssproxy to 0.6.2

URL: https://github.com/freeipa/freeipa/pull/511
Title: #511: Bump required version of gssproxy to 0.6.2

stlaz commented:
"""
@dkupka Those fixes should allow us to setup trusts again (more or less).
"""

See the full comment at https://github.com/freeipa/freeipa/pull/511#issuecomment-283261093

From freeipa-github-notification at redhat.com Wed Mar 1 06:59:40 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Wed, 01 Mar 2017 07:59:40 +0100
Subject: [Freeipa-devel] [freeipa PR#520][comment] Change README to use Markdown

URL: https://github.com/freeipa/freeipa/pull/520
Title: #520: Change README to use Markdown

stlaz commented:
"""
https://github.com/freeipa/freeipa/pull/518 ?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/520#issuecomment-283261220

From freeipa-github-notification at redhat.com Wed Mar 1 07:08:07 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Wed, 01 Mar 2017 08:08:07 +0100
Subject: [Freeipa-devel] [freeipa PR#515][comment] Re-add ipapython.config.config for backwards compatibilty

URL: https://github.com/freeipa/freeipa/pull/515
Title: #515: Re-add ipapython.config.config for backwards compatibilty

HonzaCholasta commented:
"""
Could we please revert to the original `IPAConfig` implementation rather than wrapping around `api.env`? I know I'm the one who suggested it, but I have given it some thought and I would rather not have to import from `ipalib` into `ipapython` and keep the original behavior intact.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/515#issuecomment-283260315

From freeipa-github-notification at redhat.com Wed Mar 1 07:12:55 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Wed, 01 Mar 2017 08:12:55 +0100
Subject: [Freeipa-devel] [freeipa PR#522][edited] dogtag: remove redundant property definition

URL: https://github.com/freeipa/freeipa/pull/522
Author: frasertweedale
Title: #522: dogtag: remove redundant property definition
Action: edited

Changed field: body
Original value:
"""
The dogtag `ra' backend defines a `ca_host' property, which is also defined (identically) by the `RestClient' class, which recently became a superclass of `ra'. Remove the redundant property definition.

Part of: https://pagure.io/freeipa/issue/3473
"""

From freeipa-github-notification at redhat.com Wed Mar 1 07:22:00 2017
From: freeipa-github-notification at redhat.com (dkupka)
Date: Wed, 01 Mar 2017 08:22:00 +0100
Subject: [Freeipa-devel] [freeipa PR#511][comment] Bump required version of gssproxy to 0.6.2

URL: https://github.com/freeipa/freeipa/pull/511
Title: #511: Bump required version of gssproxy to 0.6.2

dkupka commented:
"""
@stlaz Thanks. Then we really rather wait for 0.6.3.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/511#issuecomment-283264733

From freeipa-github-notification at redhat.com Wed Mar 1 07:28:24 2017
From: freeipa-github-notification at redhat.com (flo-renaud)
Date: Wed, 01 Mar 2017 08:28:24 +0100
Subject: [Freeipa-devel] [freeipa PR#516][comment] IdM Server: list all Employees with matching Smart Card

URL: https://github.com/freeipa/freeipa/pull/516
Title: #516: IdM Server: list all Employees with matching Smart Card

flo-renaud commented:
"""
Hi @simo5
The command must also be able to return matching entries coming from trusted domains, and SSSD is able to handle this part for us.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/516#issuecomment-283265803

From freeipa-github-notification at redhat.com Wed Mar 1 07:53:42 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Wed, 01 Mar 2017 08:53:42 +0100
Subject: [Freeipa-devel] [freeipa PR#367][comment] Remove nsslib from IPA

URL: https://github.com/freeipa/freeipa/pull/367
Title: #367: Remove nsslib from IPA

HonzaCholasta commented:
"""
Upgrade from 4.4.3 asks for a PKCS#12 file password and then fails:
```
Cleanup : freeipa-server-common-4.4.3-1.fc25.noarch 14/16
Cleanup : freeipa-client-common-4.4.3-1.fc25.noarch 15/16
Cleanup : freeipa-common-4.4.3-1.fc25.noarch 16/16
Enter password for PKCS12 file:
Re-enter password:
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
NetworkError: cannot connect to 'ldapi://%2fvar%2frun%2fslapd-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM.socket':
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
Verifying : freeipa-client-4.4.90.dev201703010721+git5bb660e-0.fc25.x86_64 1/16
Verifying : freeipa-client-common-4.4.90.dev201703010721+git5bb660e-0.fc25.noarch 2/16
Verifying : freeipa-common-4.4.90.dev201703010721+git5bb660e-0.fc25.noarch 3/16
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-283270033

From freeipa-github-notification at redhat.com Wed Mar 1 08:03:21 2017
From: freeipa-github-notification at redhat.com (dkupka)
Date: Wed, 01 Mar 2017 09:03:21 +0100
Subject: [Freeipa-devel] [freeipa PR#488][comment] Speed up client schema cache

URL: https://github.com/freeipa/freeipa/pull/488
Title: #488: Speed up client schema cache

dkupka commented:
"""
The speedup I see is smaller (10-15%) [1] than what you're reporting but that might be caused by the fact that I store the cache on really slow file system (NFS mount).
Anyway the changes make sense, thanks.

[1] https://da.gd/7r75A
"""

See the full comment at https://github.com/freeipa/freeipa/pull/488#issuecomment-283271802

From freeipa-github-notification at redhat.com Wed Mar 1 08:03:34 2017
From: freeipa-github-notification at redhat.com (dkupka)
Date: Wed, 01 Mar 2017 09:03:34 +0100
Subject: [Freeipa-devel] [freeipa PR#488][+ack] Speed up client schema cache

URL: https://github.com/freeipa/freeipa/pull/488
Title: #488: Speed up client schema cache
Label: +ack

From freeipa-github-notification at redhat.com Wed Mar 1 08:04:17 2017
From: freeipa-github-notification at redhat.com (dkupka)
Date: Wed, 01 Mar 2017 09:04:17 +0100
Subject: [Freeipa-devel] [freeipa PR#467][comment] ipaclient: schema cache: Write all schema files in concurrent-safe way

URL: https://github.com/freeipa/freeipa/pull/467
Title: #467: ipaclient: schema cache: Write all schema files in concurrent-safe way

dkupka commented:
"""
superseded by #488
"""

See the full comment at https://github.com/freeipa/freeipa/pull/467#issuecomment-283271969

From freeipa-github-notification at redhat.com Wed Mar 1 08:04:24 2017
From: freeipa-github-notification at redhat.com (dkupka)
Date: Wed, 01 Mar 2017 09:04:24 +0100
Subject: [Freeipa-devel] [freeipa PR#467][+rejected] ipaclient: schema cache: Write all schema files in concurrent-safe way

URL: https://github.com/freeipa/freeipa/pull/467
Title: #467: ipaclient: schema cache: Write all schema files in concurrent-safe way
Label: +rejected

From freeipa-github-notification at redhat.com Wed Mar 1 08:04:32 2017
From: freeipa-github-notification at redhat.com (dkupka)
Date: Wed, 01 Mar 2017 09:04:32 +0100
Subject: [Freeipa-devel] [freeipa PR#467][closed] ipaclient: schema cache: Write all schema files in concurrent-safe way

URL: https://github.com/freeipa/freeipa/pull/467
Author: dkupka
Title: #467: ipaclient: schema cache: Write all schema files in concurrent-safe way
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/467/head:pr467
git checkout pr467

From freeipa-github-notification at redhat.com Wed Mar 1 08:12:15 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 01 Mar 2017 09:12:15 +0100
Subject: [Freeipa-devel] [freeipa PR#522][+ack] dogtag: remove redundant property definition

URL: https://github.com/freeipa/freeipa/pull/522
Title: #522: dogtag: remove redundant property definition
Label: +ack

From freeipa-github-notification at redhat.com Wed Mar 1 08:18:21 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 01 Mar 2017 09:18:21 +0100
Subject: [Freeipa-devel] [freeipa PR#397][synchronized] Improve wheel building and provide ipaserver wheel for local testing

URL: https://github.com/freeipa/freeipa/pull/397
Author: tiran
Title: #397: Improve wheel building and provide ipaserver wheel for local testing
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/397/head:pr397
git checkout pr397
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-397.patch
Type: text/x-diff
Size: 11383 bytes
Desc: not available

From freeipa-github-notification at redhat.com Wed Mar 1 08:18:53 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 01 Mar 2017 09:18:53 +0100
Subject: [Freeipa-devel] [freeipa PR#397][comment] Improve wheel building and provide ipaserver wheel for local testing

URL: https://github.com/freeipa/freeipa/pull/397
Title: #397: Improve wheel building and provide ipaserver wheel for local testing

tiran commented:
"""
@jdennis released python-nss 1.0.1. I removed my workaround.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/397#issuecomment-283274521

From freeipa-github-notification at redhat.com Wed Mar 1 08:21:36 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 01 Mar 2017 09:21:36 +0100
Subject: [Freeipa-devel] [freeipa PR#515][comment] Re-add ipapython.config.config for backwards compatibilty

URL: https://github.com/freeipa/freeipa/pull/515
Title: #515: Re-add ipapython.config.config for backwards compatibilty

tiran commented:
"""
OK, I'm closing this PR then. @HonzaCholasta, please open another PR and revert 7b966e8.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/515#issuecomment-283275063

From freeipa-github-notification at redhat.com Wed Mar 1 08:21:38 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 01 Mar 2017 09:21:38 +0100
Subject: [Freeipa-devel] [freeipa PR#515][closed] Re-add ipapython.config.config for backwards compatibilty

URL: https://github.com/freeipa/freeipa/pull/515
Author: tiran
Title: #515: Re-add ipapython.config.config for backwards compatibilty
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/515/head:pr515
git checkout pr515

From freeipa-github-notification at redhat.com Wed Mar 1 08:21:42 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 01 Mar 2017 09:21:42 +0100
Subject: [Freeipa-devel] [freeipa PR#515][+rejected] Re-add ipapython.config.config for backwards compatibilty

URL: https://github.com/freeipa/freeipa/pull/515
Title: #515: Re-add ipapython.config.config for backwards compatibilty
Label: +rejected

From freeipa-github-notification at redhat.com Wed Mar 1 08:22:53 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 01 Mar 2017 09:22:53 +0100
Subject: [Freeipa-devel] [freeipa PR#521][comment] Add nsaccountlock to user attributes when a new user is created

URL: https://github.com/freeipa/freeipa/pull/521
Title: #521: Add nsaccountlock to user attributes when a new user is created

MartinBasti commented:
"""
It looks that my proposal is not the right way, sorry. (See: #444)
"""

See the full comment at https://github.com/freeipa/freeipa/pull/521#issuecomment-283275290

From freeipa-github-notification at redhat.com Wed Mar 1 08:23:04 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 01 Mar 2017 09:23:04 +0100
Subject: [Freeipa-devel] [freeipa PR#521][+rejected] Add nsaccountlock to user attributes when a new user is created

URL: https://github.com/freeipa/freeipa/pull/521
Title: #521: Add nsaccountlock to user attributes when a new user is created
Label: +rejected

From freeipa-github-notification at redhat.com Wed Mar 1 08:23:06 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 01 Mar 2017 09:23:06 +0100
Subject: [Freeipa-devel] [freeipa PR#521][closed] Add nsaccountlock to user attributes when a new user is created

URL: https://github.com/freeipa/freeipa/pull/521
Author: redhatrises
Title: #521: Add nsaccountlock to user attributes when a new user is created
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/521/head:pr521
git checkout pr521

From freeipa-github-notification at redhat.com Wed Mar 1 08:29:42 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Wed, 01 Mar 2017 09:29:42 +0100
Subject: [Freeipa-devel] [freeipa PR#367][synchronized] Remove nsslib from IPA

URL: https://github.com/freeipa/freeipa/pull/367
Author: stlaz
Title: #367: Remove nsslib from IPA
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/367/head:pr367
git checkout pr367
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-367.patch
Type: text/x-diff
Size: 150465 bytes
Desc: not available

From freeipa-github-notification at redhat.com Wed Mar 1 08:31:36 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Wed, 01 Mar 2017 09:31:36 +0100
Subject: [Freeipa-devel] [freeipa PR#367][comment] Remove nsslib from IPA

URL: https://github.com/freeipa/freeipa/pull/367
Title: #367: Remove nsslib from IPA

stlaz commented:
"""
This should now be fixed. In my endless naivety I had thought passing no password to `export_pkcs12()` would actually mean no password will be set.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-283276979

From freeipa-github-notification at redhat.com Wed Mar 1 08:33:58 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 01 Mar 2017 09:33:58 +0100
Subject: [Freeipa-devel] [freeipa PR#488][comment] Speed up client schema cache

URL: https://github.com/freeipa/freeipa/pull/488
Title: #488: Speed up client schema cache

tiran commented:
"""
It looks like your IPA server is about half as fast (26sec / 13sec for 20 pings). In absolute numbers, it's still ~2.5 sec faster. In your case, performance is probably dominated by server latency.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/488#issuecomment-283277455

From freeipa-github-notification at redhat.com Wed Mar 1 08:46:42 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Wed, 01 Mar 2017 09:46:42 +0100
Subject: [Freeipa-devel] [freeipa PR#518][synchronized] README to README.md

URL: https://github.com/freeipa/freeipa/pull/518
Author: stlaz
Title: #518: README to README.md
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/518/head:pr518
git checkout pr518
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-518.patch
Type: text/x-diff
Size: 7463 bytes
Desc: not available

From freeipa-github-notification at redhat.com Wed Mar 1 08:48:29 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Wed, 01 Mar 2017 09:48:29 +0100
Subject: [Freeipa-devel] [freeipa PR#509][comment] Migrate OTP import script to python-cryptography

URL: https://github.com/freeipa/freeipa/pull/509
Title: #509: Migrate OTP import script to python-cryptography

stlaz commented:
"""
This is tested by our tests and the code is fine => ACK.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/509#issuecomment-283280320

From freeipa-github-notification at redhat.com Wed Mar 1 08:48:34 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Wed, 01 Mar 2017 09:48:34 +0100
Subject: [Freeipa-devel] [freeipa PR#509][+ack] Migrate OTP import script to python-cryptography

URL: https://github.com/freeipa/freeipa/pull/509
Title: #509: Migrate OTP import script to python-cryptography
Label: +ack

From dkupka at redhat.com Wed Mar 1 08:53:39 2017
From: dkupka at redhat.com (David Kupka)
Date: Wed, 1 Mar 2017 09:53:39 +0100
Subject: [Freeipa-devel] Please review: V4/AD user short names design draft
In-Reply-To: <20170228124802.krupsj2xa7fo3ewn@redhat.com>
References: <92623f03-bb8c-9931-ff54-3024bdb3077d@redhat.com>
 <20170228124802.krupsj2xa7fo3ewn@redhat.com>
Message-ID: <20170301085338.GB20545@dkupka.usersys.redhat.com>

On Tue, Feb 28, 2017 at 02:48:02PM +0200, Alexander Bokovoy wrote:
> On ti, 28 helmi 2017, Martin Babinsky wrote:
> > Hello list,
> >
> > I have put together a draft of design page describing server-side
> > implementation of user short name -> fully-qualified name resolution.[1]
> >
> > In the end I have taken the liberty to change a few aspects of the
> > design we have agreed on before and I will be glad if we can discuss
> > them further.
> >
> > Me and Honza have discussed the object that should hold the domain
> > resolution order and given the fact that IPA domain can also be a part
> > of this list, we have decided that this information is no longer bound
> > to trust configuration and should be a part of the global config
> > instead.
> >
> > Also we have purposefully cut down the API only to a raw manipulation of
> > the attribute using an option of `ipa config-mod`. The reasons for this
> > are twofold:
> >
> > * the developer resources are quite scarce and it may be good to follow
> >   YAGNI[2] principle to implement the dumbest API now and not to invest
> >   into more high-level interface unless there is a demand for it
> >
> > * we can imagine that the manipulation of the domain resolution order
> >   is a rare operation (ideally only once all trusts are established), so I
> >   am not convinced that it is worth investing into designing higher-level
> >   API
> >
> > I propose we first develop the "dumber" parts first to unblock the SSSD
> > part. If we have spare cycle afterwards then we can design and implement
> > more bells-and-whistles afterwards.
> Looks mostly OK, but there are few comments I have:
>
> - I do not see you mention how validation of the
>   ipaDomainResolutionOrder is done. This is important to avoid hard to
>   debug issues because SSSD will ignore domains it doesn't know about.
>
> - Space separator initially caused me to look up DNS RFCs as strictly
>   speaking domain names can contain any 8-bit octet (while host names
>   should follow LDH rule). But then [1] does explicitly say space is not
>   allowed in AD domain names.
>
> - "If ipaDomainResolutionOrder is empty then *all* users must use fully
>   qualified names." This is not correct with regards to the current
>   behavior. I think we should change this to "if
>   ipaDomainResolutionOrder is empty, then standard SSSD configuration
>   logic applies on each client." This would make current behavior
>   compatible with either empty or ipaDomainResolutionOrder value of
>   a single IPA domain name.

Would it make sense to add ipaDomainResolutionOrder attribute during upgrade
with the FreeIPA domain and have the behavior as proposed? That would ensure
that users will be resolved the same way as before unless someone changes the
attribute.

>
> - There are typos in the page.
>
> [1] https://support.microsoft.com/en-us/help/909264/naming-conventions-in-active-directory-for-computers,-domains,-sites,-and-ous
>
>
> --
> / Alexander Bokovoy
>
> --
> Manage your subscription for the Freeipa-devel mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-devel
> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

--
David Kupka
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: not available

From abokovoy at redhat.com Wed Mar 1 08:57:18 2017
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 1 Mar 2017 10:57:18 +0200
Subject: [Freeipa-devel] Please review: V4/AD user short names design draft
In-Reply-To: <20170301085338.GB20545@dkupka.usersys.redhat.com>
References: <92623f03-bb8c-9931-ff54-3024bdb3077d@redhat.com>
 <20170228124802.krupsj2xa7fo3ewn@redhat.com>
 <20170301085338.GB20545@dkupka.usersys.redhat.com>
Message-ID: <20170301085718.uxg3rb3inyzdk4aa@redhat.com>

On ke, 01 maalis 2017, David Kupka wrote:
>On Tue, Feb 28, 2017 at 02:48:02PM +0200, Alexander Bokovoy wrote:
>> On ti, 28 helmi 2017, Martin Babinsky wrote:
>> > Hello list,
>> >
>> > I have put together a draft of design page describing server-side
>> > implementation of user short name -> fully-qualified name resolution.[1]
>> >
>> > In the end I have taken the liberty to change a few aspects of the
>> > design we have agreed on before and I will be glad if we can discuss
>> > them further.
>> >
>> > Me and Honza have discussed the object that should hold the domain
>> > resolution order and given the fact that IPA domain can also be a part
>> > of this list, we have decided that this information is no longer bound
>> > to trust configuration and should be a part of the global config
>> > instead.
>> >
>> > Also we have purposefully cut down the API only to a raw manipulation of
>> > the attribute using an option of `ipa config-mod`. The reasons for this
>> > are twofold:
>> >
>> > * the developer resources are quite scarce and it may be good to follow
>> >   YAGNI[2] principle to implement the dumbest API now and not to invest
>> >   into more high-level interface unless there is a demand for it
>> >
>> > * we can imagine that the manipulation of the domain resolution order
>> >   is a rare operation (ideally only once all trusts are established), so I
>> >   am not convinced that it is worth investing into designing higher-level
>> >   API
>> >
>> > I propose we first develop the "dumber" parts first to unblock the SSSD
>> > part. If we have spare cycle afterwards then we can design and implement
>> > more bells-and-whistles afterwards.
>> Looks mostly OK, but there are few comments I have:
>>
>> - I do not see you mention how validation of the
>>   ipaDomainResolutionOrder is done. This is important to avoid hard to
>>   debug issues because SSSD will ignore domains it doesn't know about.
>>
>> - Space separator initially caused me to look up DNS RFCs as strictly
>>   speaking domain names can contain any 8-bit octet (while host names
>>   should follow LDH rule). But then [1] does explicitly say space is not
>>   allowed in AD domain names.
>>
>> - "If ipaDomainResolutionOrder is empty then *all* users must use fully
>>   qualified names." This is not correct with regards to the current
>>   behavior. I think we should change this to "if
>>   ipaDomainResolutionOrder is empty, then standard SSSD configuration
>>   logic applies on each client." This would make current behavior
>>   compatible with either empty or ipaDomainResolutionOrder value of
>>   a single IPA domain name.
>
>Would it make sense to add ipaDomainResolutionOrder attribute during upgrade
>with the FreeIPA domain and have the behavior as proposed? That would ensure
>that users will be resolved the same way as before unless someone changes the
>attribute.
I'm not sure it changes anything. Newer SSSD still needs to handle cases
when talking to servers which have no ipaDomainResolutionOrder attribute
so they would treat missing attribute the same way which means we don't
need to handle upgrade here.

--
/ Alexander Bokovoy

From freeipa-github-notification at redhat.com Wed Mar 1 09:01:24 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 01 Mar 2017 10:01:24 +0100
Subject: [Freeipa-devel] [freeipa PR#517][comment] [WIP] Use Custodia 0.3 features

URL: https://github.com/freeipa/freeipa/pull/517
Title: #517: [WIP] Use Custodia 0.3 features

tiran commented:
"""
FYI, Custodia 0.3 hasn't been released yet. I'm still doing smoke tests with FreeIPA's secrets service. So far, FreeIPA master and Custodia master work flawlessly.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-283283004

From freeipa-github-notification at redhat.com Wed Mar 1 09:02:20 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 01 Mar 2017 10:02:20 +0100
Subject: [Freeipa-devel] [freeipa PR#513][comment] certdb: Don't restore_context() of new NSSDB

URL: https://github.com/freeipa/freeipa/pull/513
Title: #513: certdb: Don't restore_context() of new NSSDB

MartinBasti commented:
"""
This is old code, initially added here 49b36583a50e7f542e0667f3e2432ab1aa63924e
But I failed to detect why restorecon call has been added for new databases.

LGTM, but I want to think more about it, why it was added there and what we can break with this commit
"""

See the full comment at https://github.com/freeipa/freeipa/pull/513#issuecomment-283283224

From freeipa-github-notification at redhat.com Wed Mar 1 09:03:03 2017
From: freeipa-github-notification at redhat.com (pvoborni) Date: Wed, 01 Mar 2017 10:03:03 +0100 Subject: [Freeipa-devel] [freeipa PR#520][synchronized] Change README to use Markdown In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/520 Author: pvoborni Title: #520: Change README to use Markdown Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/520/head:pr520 git checkout pr520 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-520.patch Type: text/x-diff Size: 6705 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 1 09:07:13 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 01 Mar 2017 10:07:13 +0100 Subject: [Freeipa-devel] [freeipa PR#518][+rejected] README to README.md In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/518 Title: #518: README to README.md Label: +rejected From freeipa-github-notification at redhat.com Wed Mar 1 09:07:42 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 01 Mar 2017 10:07:42 +0100 Subject: [Freeipa-devel] [freeipa PR#518][comment] README to README.md In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/518 Title: #518: README to README.md stlaz commented: """ Overridden by https://github.com/freeipa/freeipa/pull/520. """ See the full comment at https://github.com/freeipa/freeipa/pull/518#issuecomment-283284401 From freeipa-github-notification at redhat.com Wed Mar 1 09:07:43 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 01 Mar 2017 10:07:43 +0100 Subject: [Freeipa-devel] [freeipa PR#518][closed] README to README.md In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/518 Author: stlaz Title: #518: README to README.md Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/518/head:pr518 git checkout pr518 From freeipa-github-notification at redhat.com Wed Mar 1 09:10:53 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 01 Mar 2017 10:10:53 +0100 Subject: [Freeipa-devel] [freeipa PR#513][comment] certdb: Don't restore_context() of new NSSDB In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/513 Title: #513: certdb: Don't restore_context() of new NSSDB stlaz commented: """ I don't see how this could break anything given that it's been used like that for ages prior to priv-sep patches. """ See the full comment at https://github.com/freeipa/freeipa/pull/513#issuecomment-283285115 From freeipa-github-notification at redhat.com Wed Mar 1 09:11:39 2017 
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 01 Mar 2017 10:11:39 +0100
Subject: [Freeipa-devel] [freeipa PR#513][comment] certdb: Don't restore_context() of new NSSDB
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/513
Title: #513: certdb: Don't restore_context() of new NSSDB

tiran commented:
"""
Maybe it was required back then. 7, 8 years is a long time. Nowadays new files are created with correct context:

```
# rm -f /etc/ipa/nssdb/testfile
# touch /etc/ipa/nssdb/testfile
# ls -laZ /etc/ipa/nssdb/testfile
-rw-r--r--. 1 root root unconfined_u:object_r:cert_t:s0 0 Mar 1 09:08 /etc/ipa/nssdb/testfile
# restorecon /etc/ipa/nssdb/testfile
# ls -laZ /etc/ipa/nssdb/testfile
-rw-r--r--. 1 root root unconfined_u:object_r:cert_t:s0 0 Mar 1 09:08 /etc/ipa/nssdb/testfile
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/513#issuecomment-283285289

From freeipa-github-notification at redhat.com Wed Mar 1 09:12:04 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 01 Mar 2017 10:12:04 +0100
Subject: [Freeipa-devel] [freeipa PR#513][comment] certdb: Don't restore_context() of new NSSDB
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/513
Title: #513: certdb: Don't restore_context() of new NSSDB

MartinBasti commented:
"""
Ok, I agree
"""

See the full comment at https://github.com/freeipa/freeipa/pull/513#issuecomment-283285379

From freeipa-github-notification at redhat.com Wed Mar 1 09:12:10 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 01 Mar 2017 10:12:10 +0100
Subject: [Freeipa-devel] [freeipa PR#513][+ack] certdb: Don't restore_context() of new NSSDB
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/513
Title: #513: certdb: Don't restore_context() of new NSSDB

Label: +ack

From freeipa-github-notification at redhat.com Wed Mar 1 09:22:59 2017
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Wed, 01 Mar 2017 10:22:59 +0100
Subject: [Freeipa-devel] [freeipa PR#502][comment] Make pylint and jsl optional
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/502
Title: #502: Make pylint and jsl optional

tomaskrizek commented:
"""
Please clean up the configure.ac and update freeipa.spec file as well.

```
configure.ac:375: AS_HELP_STRING([--disable-pylint],
freeipa.spec.in:16: %global enable_pylint_option --disable-pylint
freeipa.spec.in:17: %global without_jslint_option --without-jslint
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/502#issuecomment-283287882

From freeipa-github-notification at redhat.com Wed Mar 1 09:26:18 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Wed, 01 Mar 2017 10:26:18 +0100
Subject: [Freeipa-devel] [freeipa PR#367][comment] Remove nsslib from IPA
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/367
Title: #367: Remove nsslib from IPA

HonzaCholasta commented:
"""
CA-less to CA-ful conversion still fails:

```
2017-03-01T09:14:40Z DEBUG Starting external process
2017-03-01T09:14:40Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpgj_Ue4
2017-03-01T09:14:40Z DEBUG Process finished, return code=1
2017-03-01T09:14:40Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20170301101440.log
Loading deployment configuration from /tmp/tmpgj_Ue4.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Installation failed: Directory '/etc/pki/pki-tomcat' already exists!
2017-03-01T09:14:40Z DEBUG stderr=pkispawn : ERROR ....... Directory '/etc/pki/pki-tomcat' already exists!
2017-03-01T09:14:40Z CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpgj_Ue4' returned non-zero exit status 1
2017-03-01T09:14:40Z CRITICAL See the installation logs and the following files/directories for more information:
2017-03-01T09:14:40Z CRITICAL /var/log/pki/pki-tomcat
2017-03-01T09:14:40Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 423, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 413, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 611, in __spawn_instance
    nolog_list=(self.dm_password, self.admin_password)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 144, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 391, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.
2017-03-01T09:14:40Z DEBUG [error] RuntimeError: CA configuration failed.
```

Not sure if it's caused by the PR or not, but either way it can be fixed later.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-283288635

From freeipa-github-notification at redhat.com Wed Mar 1 09:27:18 2017
From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 01 Mar 2017 10:27:18 +0100 Subject: [Freeipa-devel] [freeipa PR#501][comment] C compilation fixes and hardening In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/501 Title: #501: C compilation fixes and hardening stlaz commented: """ I agree that C compilation should be hardened for FreeIPA, seeing warnings is nothing unusual here. This builds fine. ACK. """ See the full comment at https://github.com/freeipa/freeipa/pull/501#issuecomment-283288902 From freeipa-github-notification at redhat.com Wed Mar 1 09:27:21 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 01 Mar 2017 10:27:21 +0100 Subject: [Freeipa-devel] [freeipa PR#501][+ack] C compilation fixes and hardening In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/501 Title: #501: C compilation fixes and hardening Label: +ack From freeipa-github-notification at redhat.com Wed Mar 1 09:29:37 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 01 Mar 2017 10:29:37 +0100 Subject: [Freeipa-devel] [freeipa PR#367][comment] Remove nsslib from IPA In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/367 Title: #367: Remove nsslib from IPA HonzaCholasta commented: """ `ipa-replica-install --setup-ca` still fails with the same error though. """ See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-283289474 From freeipa-github-notification at redhat.com Wed Mar 1 09:30:22 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 01 Mar 2017 10:30:22 +0100 Subject: [Freeipa-devel] [freeipa PR#508][+pushed] Fix ipa.service unit re. gssproxy In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/508 Title: #508: Fix ipa.service unit re. gssproxy Label: +pushed From freeipa-github-notification at redhat.com Wed Mar 1 09:30:23 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 01 Mar 2017 10:30:23 +0100 Subject: [Freeipa-devel] [freeipa PR#508][comment] Fix ipa.service unit re. gssproxy In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/508 Title: #508: Fix ipa.service unit re. gssproxy MartinBasti commented: """ master: * 98e3b14a0477232054b02065c857fb1b16ce85a6 Fix ipa.service unit re. gssproxy """ See the full comment at https://github.com/freeipa/freeipa/pull/508#issuecomment-283289650 From freeipa-github-notification at redhat.com Wed Mar 1 09:30:24 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 01 Mar 2017 10:30:24 +0100 Subject: [Freeipa-devel] [freeipa PR#508][closed] Fix ipa.service unit re. gssproxy In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/508 Author: flo-renaud Title: #508: Fix ipa.service unit re. gssproxy Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/508/head:pr508 git checkout pr508 From freeipa-github-notification at redhat.com Wed Mar 1 09:30:51 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 01 Mar 2017 10:30:51 +0100 Subject: [Freeipa-devel] [freeipa PR#367][comment] Remove nsslib from IPA In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/367 Title: #367: Remove nsslib from IPA stlaz commented: """ @HonzaCholasta I saw this issue as well, once you hit it on a VM no `pkispawn` will run correctly. I am not sure if it's caused by this PR, my guess is it shouldn't be as `pkispawn` was not touched at all but I can't be sure. """ See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-283289757 From freeipa-github-notification at redhat.com Wed Mar 1 09:32:59 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 01 Mar 2017 10:32:59 +0100 Subject: [Freeipa-devel] [freeipa PR#502][comment] Make pylint and jsl optional In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/502 Title: #502: Make pylint and jsl optional tiran commented: """ good catch, @tomaskrizek """ See the full comment at https://github.com/freeipa/freeipa/pull/502#issuecomment-283290260 From freeipa-github-notification at redhat.com Wed Mar 1 09:33:06 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 01 Mar 2017 10:33:06 +0100 Subject: [Freeipa-devel] [freeipa PR#367][comment] Remove nsslib from IPA In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/367 Title: #367: Remove nsslib from IPA HonzaCholasta commented: """ OK. Let's fix it later. """ See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-283290295 From freeipa-github-notification at redhat.com Wed Mar 1 09:33:23 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 01 Mar 2017 10:33:23 +0100 Subject: [Freeipa-devel] [freeipa PR#367][+ack] Remove nsslib from IPA In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/367 Title: #367: Remove nsslib from IPA Label: +ack From freeipa-github-notification at redhat.com Wed Mar 1 09:38:08 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 01 Mar 2017 10:38:08 +0100 Subject: [Freeipa-devel] [freeipa PR#367][+pushed] Remove nsslib from IPA In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/367 Title: #367: Remove nsslib from IPA Label: +pushed From freeipa-github-notification at redhat.com Wed Mar 1 09:38:09 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 01 Mar 2017 10:38:09 +0100 Subject: [Freeipa-devel] [freeipa PR#367][comment] Remove nsslib from IPA In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/367 Title: #367: Remove nsslib from IPA HonzaCholasta commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/dfd560a190cb2ab13f34ed9e21c5fb5c6e793f18 https://fedorahosted.org/freeipa/changeset/2a1494c9aef2e2b5c06e427e689787e5a2c4dc7f https://fedorahosted.org/freeipa/changeset/1e89d28aaf3a0a4b48fc09a5d98262f1000c52a3 https://fedorahosted.org/freeipa/changeset/6b074ad833a12acbd4643795b2150fa7f019d6b2 https://fedorahosted.org/freeipa/changeset/0a54fac02cecad3b9e3bf8ad0c8a44df3b701857 https://fedorahosted.org/freeipa/changeset/afea026a5c45ce24f3bf6da499b4d334eea3ca78 https://fedorahosted.org/freeipa/changeset/2a9d1fb7d9dda0299c6f7cd75a715182d15e04df https://fedorahosted.org/freeipa/changeset/76e8d7b35d110e5cf5494898950ab3607799c031 https://fedorahosted.org/freeipa/changeset/595f9b64e31dc9e4f035119e834db7e6cb152dce https://fedorahosted.org/freeipa/changeset/51a2b1372936106ff95d5a45afc813f146653ae4 https://fedorahosted.org/freeipa/changeset/24b134c633390343ba76e4091fa612650976280a https://fedorahosted.org/freeipa/changeset/5ab85b365ae886558b1f077b0d039a0d24bebfa7 """ See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-283291458 From freeipa-github-notification at redhat.com Wed Mar 1 09:38:11 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 01 Mar 2017 10:38:11 +0100 Subject: [Freeipa-devel] [freeipa PR#367][closed] Remove nsslib from IPA In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/367 Author: stlaz Title: #367: Remove nsslib from IPA Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/367/head:pr367 git checkout pr367 From freeipa-github-notification at redhat.com Wed Mar 1 09:38:27 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 01 Mar 2017 10:38:27 +0100 Subject: [Freeipa-devel] [freeipa PR#501][comment] C compilation fixes and hardening In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/501 Title: #501: C compilation fixes and hardening MartinBasti commented: """ master: * 2828a2b92b89932d66b640e5047161448d522e2e C compilation fixes and hardening """ See the full comment at https://github.com/freeipa/freeipa/pull/501#issuecomment-283291550 From freeipa-github-notification at redhat.com Wed Mar 1 09:38:28 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 01 Mar 2017 10:38:28 +0100 Subject: [Freeipa-devel] [freeipa PR#501][+pushed] C compilation fixes and hardening In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/501 Title: #501: C compilation fixes and hardening Label: +pushed From freeipa-github-notification at redhat.com Wed Mar 1 09:38:29 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 01 Mar 2017 10:38:29 +0100 Subject: [Freeipa-devel] [freeipa PR#501][closed] C compilation fixes and hardening In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/501 Author: tiran Title: #501: C compilation fixes and hardening Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/501/head:pr501 git checkout pr501 From freeipa-github-notification at redhat.com Wed Mar 1 09:43:00 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 01 Mar 2017 10:43:00 +0100 Subject: [Freeipa-devel] [freeipa PR#502][synchronized] Make pylint and jsl optional In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/502 Author: tiran Title: #502: Make pylint and jsl optional Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/502/head:pr502 git checkout pr502 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-502.patch Type: text/x-diff Size: 4763 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 1 09:51:22 2017 
From: freeipa-github-notification at redhat.com (lslebodn)
Date: Wed, 01 Mar 2017 10:51:22 +0100
Subject: [Freeipa-devel] [freeipa PR#502][comment] Make pylint and jsl optional
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/502
Title: #502: Make pylint and jsl optional

lslebodn commented:
"""
May I know why the default was changed without design discussion? IIRC pscacek intentionally enabled it by default. Much better approach would be to print hint at configure time detection that it is optional and can be disabled.

Code wise; the change is too complicated (too many nested if condition ...) which does not improve readability of configure.ac
"""

See the full comment at https://github.com/freeipa/freeipa/pull/502#issuecomment-283294552

From freeipa-github-notification at redhat.com Wed Mar 1 09:57:53 2017
From: freeipa-github-notification at redhat.com (lslebodn)
Date: Wed, 01 Mar 2017 10:57:53 +0100
Subject: [Freeipa-devel] [freeipa PR#501][comment] C compilation fixes and hardening
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/501
Title: #501: C compilation fixes and hardening

lslebodn commented:
"""
FYI; it is far far away from best practice to modify `CFLAGS` and configure time; unless you test compiler options. Such change should be in makefile `AM_CFLAGS`

In the future, try to address comments in PR (#364) rather than ignoring them and then fixing in new PR
"""

See the full comment at https://github.com/freeipa/freeipa/pull/501#issuecomment-283296048

From freeipa-github-notification at redhat.com Wed Mar 1 10:02:04 2017
From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 01 Mar 2017 11:02:04 +0100 Subject: [Freeipa-devel] [freeipa PR#502][comment] Make pylint and jsl optional In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/502 Title: #502: Make pylint and jsl optional tiran commented: """ Please see ticket for reasoning. My solution is the best thing, I could come up with in short time. It's not worth the trouble to burn a lot of time on it. It's write-once code. You are welcome to provide a better solution. I know your autoconf Fu is stronger than mine. """ See the full comment at https://github.com/freeipa/freeipa/pull/502#issuecomment-283297001 From freeipa-github-notification at redhat.com Wed Mar 1 10:02:28 2017 From: freeipa-github-notification at redhat.com (dkupka) Date: Wed, 01 Mar 2017 11:02:28 +0100 Subject: [Freeipa-devel] [freeipa PR#398][comment] Support for Certificate Identity Mapping In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/398 Title: #398: Support for Certificate Identity Mapping dkupka commented: """ Works for me. """ See the full comment at https://github.com/freeipa/freeipa/pull/398#issuecomment-283297105 From freeipa-github-notification at redhat.com Wed Mar 1 10:02:36 2017 From: freeipa-github-notification at redhat.com (dkupka) Date: Wed, 01 Mar 2017 11:02:36 +0100 Subject: [Freeipa-devel] [freeipa PR#398][+ack] Support for Certificate Identity Mapping In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/398 Title: #398: Support for Certificate Identity Mapping Label: +ack From freeipa-github-notification at redhat.com Wed Mar 1 10:05:31 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 01 Mar 2017 11:05:31 +0100 Subject: [Freeipa-devel] [freeipa PR#501][comment] C compilation fixes and hardening In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/501 Title: #501: C compilation fixes and hardening tiran commented: """ @lslebodn feel free to open a new PR. This PR and #364 are closed. """ See the full comment at https://github.com/freeipa/freeipa/pull/501#issuecomment-283297846 From freeipa-github-notification at redhat.com Wed Mar 1 10:07:55 2017 From: freeipa-github-notification at redhat.com (lslebodn) Date: Wed, 01 Mar 2017 11:07:55 +0100 Subject: [Freeipa-devel] [freeipa PR#502][comment] Make pylint and jsl optional In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/502 Title: #502: Make pylint and jsl optional lslebodn commented: """ Writing hint together with error is the simplest solution. And still remind developers to install pylint/jslint. e.g. ``` diff --git a/configure.ac b/configure.ac index af41f5e3a..c02dd1fe4 100644 --- a/configure.ac +++ b/configure.ac @@ -384,7 +384,10 @@ if test x$PYLINT != xno; then AC_MSG_CHECKING([for Pylint]) $PYTHON -m pylint --version > /dev/null if test "$?" != "0"; then - AC_MSG_ERROR([cannot find pylint for $PYTHON]) + AC_MSG_ERROR([cannot find pylint for $PYTHON +This feature is optional and aimed for developers. You can skip this check +wich configure time option --disable-pylint + ]) else AC_MSG_RESULT([yes]) fi ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/502#issuecomment-283298387 From freeipa-github-notification at redhat.com Wed Mar 1 10:10:12 2017 
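Review bot: in the configure.ac hunk quoted in lslebodn's comment on PR#502 above, the added hint inside AC_MSG_ERROR has a typo: "wich configure time option --disable-pylint" should read "with the configure-time option --disable-pylint", and "aimed for developers" reads better as "aimed at developers". The closing "])" is placed on its own added line, so the error text ends with a stray newline; closing the bracket directly after "--disable-pylint" keeps the message tidy. The hunk touches only the Pylint check, so the hint is not shown for any other optional linter check in configure.ac unless the same text is added there.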
From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 01 Mar 2017 11:10:12 +0100 Subject: [Freeipa-devel] [freeipa PR#453][synchronized] Cleanup certdb In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/453 Author: tiran Title: #453: Cleanup certdb Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/453/head:pr453 git checkout pr453 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-453.patch Type: text/x-diff Size: 9485 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 1 10:12:19 2017 From: freeipa-github-notification at redhat.com (lslebodn) Date: Wed, 01 Mar 2017 11:12:19 +0100 Subject: [Freeipa-devel] [freeipa PR#501][comment] C compilation fixes and hardening In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/501 Title: #501: C compilation fixes and hardening lslebodn commented: """ I know it's closed. It was just a kindly reminder to address obvious problems as part of review process. """ See the full comment at https://github.com/freeipa/freeipa/pull/501#issuecomment-283299475 From freeipa-github-notification at redhat.com Wed Mar 1 10:21:18 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 01 Mar 2017 11:21:18 +0100 Subject: [Freeipa-devel] [freeipa PR#524][opened] Remove NSPRError exception from platform tasks Message-ID: URL: https://github.com/freeipa/freeipa/pull/524 Author: tiran Title: #524: Remove NSPRError exception from platform tasks Action: opened PR body: """ ipalib.x509 no longer raises NSPRError. PyCA cryptography raises ValueError for invalid certs. https://fedorahosted.org/freeipa/ticket/5695 
Signed-off-by: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/524/head:pr524 git checkout pr524 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-524.patch Type: text/x-diff Size: 1914 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 1 10:34:36 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 01 Mar 2017 11:34:36 +0100 Subject: [Freeipa-devel] [freeipa PR#525][opened] Remove import nss from test_ldap Message-ID: URL: https://github.com/freeipa/freeipa/pull/525 Author: tiran Title: #525: Remove import nss from test_ldap Action: opened PR body: """ test_ldap just imported nss.nss to call nss_init_nodb(). It should be safe to remove the call. Let's see what CI has to say. Signed-off-by: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/525/head:pr525 git checkout pr525 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-525.patch Type: text/x-diff Size: 1211 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 1 10:55:27 2017 From: freeipa-github-notification at redhat.com (lslebodn) Date: Wed, 01 Mar 2017 11:55:27 +0100 Subject: [Freeipa-devel] [freeipa PR#502][comment] Make pylint and jsl optional In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/502 Title: #502: Make pylint and jsl optional lslebodn commented: """ Please add explanation to the thumb down """ See the full comment at https://github.com/freeipa/freeipa/pull/502#issuecomment-283309329 From slaznick at redhat.com Wed Mar 1 11:01:23 2017 
From: slaznick at redhat.com (Standa Laznicka) Date: Wed, 1 Mar 2017 12:01:23 +0100 Subject: [Freeipa-devel] FreeIPA: upgrading from priv-separation to git-master Message-ID: Hello, Please note that https://github.com/freeipa/freeipa/pull/367 was pushed today. What this means for you is that your IPA installations won't work if you had privilege separation patches applied and try to upgrade your instances to current master. This is because privilege separation moved the Dogtag agent certificate but we had to move it as well keeping in mind that users will be upgrading from pre-priv-sep installation to this one. Sorry for the inconvenience, Standa From slaznick at redhat.com Wed Mar 1 11:09:13 2017 From: slaznick at redhat.com (Standa Laznicka) Date: Wed, 1 Mar 2017 12:09:13 +0100 Subject: [Freeipa-devel] Certmonger uses different "Subject" representation based on storage Message-ID: Hello, Please note that when you make a request for a certificate to certmonger, it uses different representation of the "Subject" that you provide to it, based on the storage you aim for (LDAP representation when storing to NSS DB, X509 representation when storing to a file). This issue was worked around in https://github.com/freeipa/freeipa/commit/595f9b64e31dc9e4f035119e834db7e6cb152dce for FreeIPA and a ticket was created in Pagure: https://pagure.io/certmonger/issue/62 (you can read more thorough description there). Happy coding, Standa -------------- next part -------------- An HTML attachment was scrubbed... URL: From freeipa-github-notification at redhat.com Wed Mar 1 11:13:17 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 01 Mar 2017 12:13:17 +0100 Subject: [Freeipa-devel] [freeipa PR#525][+ack] Remove import nss from test_ldap In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/525 Title: #525: Remove import nss from test_ldap Label: +ack From freeipa-github-notification at redhat.com Wed Mar 1 11:13:18 2017 
From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 01 Mar 2017 12:13:18 +0100 Subject: [Freeipa-devel] [freeipa PR#525][comment] Remove import nss from test_ldap In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/525 Title: #525: Remove import nss from test_ldap martbab commented: """ looks like Travis did not mind at all """ See the full comment at https://github.com/freeipa/freeipa/pull/525#issuecomment-283313255 From freeipa-github-notification at redhat.com Wed Mar 1 11:29:55 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 01 Mar 2017 12:29:55 +0100 Subject: [Freeipa-devel] [freeipa PR#448][+pushed] Tests: Basic coverage with tree root domain In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/448 Title: #448: Tests: Basic coverage with tree root domain Label: +pushed From freeipa-github-notification at redhat.com Wed Mar 1 11:29:57 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 01 Mar 2017 12:29:57 +0100 Subject: [Freeipa-devel] [freeipa PR#448][comment] Tests: Basic coverage with tree root domain In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/448 Title: #448: Tests: Basic coverage with tree root domain martbab commented: """ master: * 10494b1bb34b6ff9c1b810cc0739c761b017202c Tests: Basic coverage with tree root domain """ See the full comment at https://github.com/freeipa/freeipa/pull/448#issuecomment-283316659 From freeipa-github-notification at redhat.com Wed Mar 1 11:29:58 2017 
From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 01 Mar 2017 12:29:58 +0100 Subject: [Freeipa-devel] [freeipa PR#448][closed] Tests: Basic coverage with tree root domain In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/448 Author: gkaihorodova Title: #448: Tests: Basic coverage with tree root domain Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/448/head:pr448 git checkout pr448 From freeipa-github-notification at redhat.com Wed Mar 1 11:44:29 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 01 Mar 2017 12:44:29 +0100 Subject: [Freeipa-devel] [freeipa PR#524][comment] Remove NSPRError exception from platform tasks In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/524 Title: #524: Remove NSPRError exception from platform tasks stlaz commented: """ Indeed, NSPRError is NSS-specific. """ See the full comment at https://github.com/freeipa/freeipa/pull/524#issuecomment-283319397 From freeipa-github-notification at redhat.com Wed Mar 1 11:46:53 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 01 Mar 2017 12:46:53 +0100 Subject: [Freeipa-devel] [freeipa PR#524][comment] Remove NSPRError exception from platform tasks In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/524 Title: #524: Remove NSPRError exception from platform tasks stlaz commented: """ Indeed, NSPRError is NSS-specific. """ See the full comment at https://github.com/freeipa/freeipa/pull/524#issuecomment-283319397 From freeipa-github-notification at redhat.com Wed Mar 1 11:47:18 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 01 Mar 2017 12:47:18 +0100 Subject: [Freeipa-devel] [freeipa PR#412][comment] Define template version in certmap.conf In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/412 Title: #412: Define template version in certmap.conf MartinBasti commented: """ master: * c49320435ddc67210c0d95be273e971ea8ffad6d Define template version in certmap.conf """ See the full comment at https://github.com/freeipa/freeipa/pull/412#issuecomment-283319889 From freeipa-github-notification at redhat.com Wed Mar 1 11:47:19 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 01 Mar 2017 12:47:19 +0100 Subject: [Freeipa-devel] [freeipa PR#412][+pushed] Define template version in certmap.conf In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/412 Title: #412: Define template version in certmap.conf Label: +pushed From freeipa-github-notification at redhat.com Wed Mar 1 11:47:21 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 01 Mar 2017 12:47:21 +0100 Subject: [Freeipa-devel] [freeipa PR#412][closed] Define template version in certmap.conf In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/412 Author: flo-renaud Title: #412: Define template version in certmap.conf Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/412/head:pr412 git checkout pr412 From freeipa-github-notification at redhat.com Wed Mar 1 11:51:09 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 01 Mar 2017 12:51:09 +0100 Subject: [Freeipa-devel] [freeipa PR#488][comment] Speed up client schema cache In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/488 Title: #488: Speed up client schema cache MartinBasti commented: """ master: * 332dbab1ff09eb719eb9e0a7a90bbf5b6e69ddc9 Speed up client schema cache * 3be696c92f6948ea0ced9784920600b73703e414 Drop in-memory copy of schema zip file """ See the full comment at https://github.com/freeipa/freeipa/pull/488#issuecomment-283320572 From freeipa-github-notification at redhat.com Wed Mar 1 11:51:11 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 01 Mar 2017 12:51:11 +0100 Subject: [Freeipa-devel] [freeipa PR#488][+pushed] Speed up client schema cache In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/488 Title: #488: Speed up client schema cache Label: +pushed From freeipa-github-notification at redhat.com Wed Mar 1 11:51:12 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 01 Mar 2017 12:51:12 +0100 Subject: [Freeipa-devel] [freeipa PR#488][closed] Speed up client schema cache In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/488 Author: tiran Title: #488: Speed up client schema cache Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/488/head:pr488 git checkout pr488 From freeipa-github-notification at redhat.com Wed Mar 1 11:52:13 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 01 Mar 2017 12:52:13 +0100 Subject: [Freeipa-devel] [freeipa PR#509][comment] Migrate OTP import script to python-cryptography In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/509 Title: #509: Migrate OTP import script to python-cryptography MartinBasti commented: """ master: * d00ae870dda2889545c9d93e82e44526bfd4f431 Migrate OTP import script to python-cryptography * 135d0b5dd111d40632e2cd5be8f5315684b45fc6 Finish port to PyCA cryptography """ See the full comment at https://github.com/freeipa/freeipa/pull/509#issuecomment-283320761 From freeipa-github-notification at redhat.com Wed Mar 1 11:52:14 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 01 Mar 2017 12:52:14 +0100 Subject: [Freeipa-devel] [freeipa PR#509][+pushed] Migrate OTP import script to python-cryptography In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/509 Title: #509: Migrate OTP import script to python-cryptography Label: +pushed From freeipa-github-notification at redhat.com Wed Mar 1 11:52:15 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 01 Mar 2017 12:52:15 +0100 Subject: [Freeipa-devel] [freeipa PR#509][closed] Migrate OTP import script to python-cryptography In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/509 Author: tiran Title: #509: Migrate OTP import script to python-cryptography Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/509/head:pr509 git checkout pr509 From freeipa-github-notification at redhat.com Wed Mar 1 11:54:16 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 01 Mar 2017 12:54:16 +0100 Subject: [Freeipa-devel] [freeipa PR#520][comment] Change README to use Markdown In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/520 Title: #520: Change README to use Markdown stlaz commented: """ This makes our build fail (`./makerpms` in project folder). """ See the full comment at https://github.com/freeipa/freeipa/pull/520#issuecomment-283321136 From freeipa-github-notification at redhat.com Wed Mar 1 11:54:52 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 01 Mar 2017 12:54:52 +0100 Subject: [Freeipa-devel] [freeipa PR#524][comment] Remove NSPRError exception from platform tasks In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/524 Title: #524: Remove NSPRError exception from platform tasks tiran commented: """ ```CertificateFormatError``` is a custom exception that is only raised by ```ipalib.x509.CertificateFormatError```. The rest of the ```ipalib.x509``` propagates the ValueError from cryptography. """ See the full comment at https://github.com/freeipa/freeipa/pull/524#issuecomment-283321240 From freeipa-github-notification at redhat.com Wed Mar 1 11:56:07 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 01 Mar 2017 12:56:07 +0100 Subject: [Freeipa-devel] [freeipa PR#526][opened] server install: properly handle PKINIT-related options Message-ID: URL: https://github.com/freeipa/freeipa/pull/526 Author: HonzaCholasta Title: #526: server install: properly handle PKINIT-related options Action: opened PR body: """ Do not ignore --no-pkinit. If --http-cert-file or --dirsrv-cert-file is specified, require that either --pkinit-cert-file or --no-pkinit is specified as well. This prevents the PKINIT cert from being requested via certmonger in CA-less install. https://pagure.io/freeipa/issue/5678 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/526/head:pr526 git checkout pr526 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-526.patch Type: text/x-diff Size: 3827 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 1 12:00:19 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 01 Mar 2017 13:00:19 +0100 Subject: [Freeipa-devel] [freeipa PR#512][+pushed] test_config: fix fips_mode key in Env In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/512 Title: #512: test_config: fix fips_mode key in Env Label: +pushed From freeipa-github-notification at redhat.com Wed Mar 1 12:00:21 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 01 Mar 2017 13:00:21 +0100 Subject: [Freeipa-devel] [freeipa PR#512][comment] test_config: fix fips_mode key in Env In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/512 Title: #512: test_config: fix fips_mode key in Env MartinBasti commented: """ master: * 770d4cda430803f8e020c57971c4dd8e802dc417 Env __setitem__: replace assert with exception * 5055b34cefd6e3f9b707aed076a49ae97b38aa3c test_config: fix fips_mode key in Env """ See the full comment at https://github.com/freeipa/freeipa/pull/512#issuecomment-283322229 From freeipa-github-notification at redhat.com Wed Mar 1 12:00:22 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 01 Mar 2017 13:00:22 +0100 Subject: [Freeipa-devel] [freeipa PR#512][closed] test_config: fix fips_mode key in Env In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/512 Author: tomaskrizek Title: #512: test_config: fix fips_mode key in Env Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/512/head:pr512 git checkout pr512 From freeipa-github-notification at redhat.com Wed Mar 1 12:03:19 2017 
From: freeipa-github-notification at redhat.com (abbra) Date: Wed, 01 Mar 2017 13:03:19 +0100 Subject: [Freeipa-devel] [freeipa PR#526][comment] server install: properly handle PKINIT-related options In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/526 Title: #526: server install: properly handle PKINIT-related options abbra commented: """ An idea behind the original solution was to always produce PKINIT certificate by certmonger in case of CA-less install to be able to have anonymous PKINIT supported. PKINIT cert should have specific attributes and in many cases they aren't issued by external CAs. However, the certificate is not really needed to be connected to existing CAs. Admins can re-issue PKINIT cert afterwards but at least we can get anonymous PKINIT to wrap 2FA with. So this pull request actually breaks CA-less deployment. """ See the full comment at https://github.com/freeipa/freeipa/pull/526#issuecomment-283322805 From freeipa-github-notification at redhat.com Wed Mar 1 12:05:55 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 01 Mar 2017 13:05:55 +0100 Subject: [Freeipa-devel] [freeipa PR#526][comment] server install: properly handle PKINIT-related options In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/526 Title: #526: server install: properly handle PKINIT-related options HonzaCholasta commented: """ In CA-less there is no CA to request the certificate from, so there is a dangling failed certmonger request. This PR removes the broken request and thus fixes CA-less. """ See the full comment at https://github.com/freeipa/freeipa/pull/526#issuecomment-283323303 From freeipa-github-notification at redhat.com Wed Mar 1 12:20:32 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 01 Mar 2017 13:20:32 +0100 Subject: [Freeipa-devel] [freeipa PR#526][comment] server install: properly handle PKINIT-related options In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/526 Title: #526: server install: properly handle PKINIT-related options HonzaCholasta commented: """
This is what you currently get in CA-less install:
```
# getcert list
Number of certificates and requests being tracked: 1.
Request ID '20170301121440':
	status: CA_UNREACHABLE
	ca-error: Server at https://vm-226.abc.idm.lab.eng.brq.redhat.com/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Failed to connect to vm-226.abc.idm.lab.eng.brq.redhat.com port 443: Connection refused).
	stuck: no
	key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
	certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
	CA: IPA
	issuer:
	subject:
	expires: unknown
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
# ls /var/kerberos/krb5kdc/kdc.crt
ls: cannot access '/var/kerberos/krb5kdc/kdc.crt': No such file or directory
```
"""
See the full comment at https://github.com/freeipa/freeipa/pull/526#issuecomment-283325910
From freeipa-github-notification at redhat.com Wed Mar 1 12:24:56 2017
From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 01 Mar 2017 13:24:56 +0100 Subject: [Freeipa-devel] [freeipa PR#524][synchronized] Remove NSPRError exception from platform tasks In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/524 Author: tiran Title: #524: Remove NSPRError exception from platform tasks Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/524/head:pr524 git checkout pr524 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-524.patch Type: text/x-diff Size: 2506 bytes Desc: not available URL:
From freeipa-github-notification at redhat.com Wed Mar 1 12:26:25 2017
From: freeipa-github-notification at redhat.com (abbra) Date: Wed, 01 Mar 2017 13:26:25 +0100 Subject: [Freeipa-devel] [freeipa PR#526][comment] server install: properly handle PKINIT-related options In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/526 Title: #526: server install: properly handle PKINIT-related options abbra commented: """
No, you are wrong. Certmonger has own local self-signed CA in all installs:
```
# getcert list-cas
....
CA 'local':
	is-default: no
	ca-type: EXTERNAL
	helper-location: /usr/libexec/certmonger/local-submit
```
This is what can and should be used for self-signed case for PKINIT.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/526#issuecomment-283327044
From freeipa-github-notification at redhat.com Wed Mar 1 12:28:23 2017
From: freeipa-github-notification at redhat.com (abbra) Date: Wed, 01 Mar 2017 13:28:23 +0100 Subject: [Freeipa-devel] [freeipa PR#526][comment] server install: properly handle PKINIT-related options In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/526 Title: #526: server install: properly handle PKINIT-related options abbra commented: """ This was, perhaps, missed in the original commit, though. The idea was that in CA-less mode we change request to use Local CA. """ See the full comment at https://github.com/freeipa/freeipa/pull/526#issuecomment-283327401 From mbabinsk at redhat.com Wed Mar 1 12:39:04 2017 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Wed, 1 Mar 2017 13:39:04 +0100 Subject: [Freeipa-devel] Please review: V4/AD user short names design draft In-Reply-To: <20170228124802.krupsj2xa7fo3ewn@redhat.com> References: <92623f03-bb8c-9931-ff54-3024bdb3077d@redhat.com> <20170228124802.krupsj2xa7fo3ewn@redhat.com> Message-ID:

Alexander,

thank you for your comments. Replies inline:

On 02/28/2017 01:48 PM, Alexander Bokovoy wrote:
> On ti, 28 helmi 2017, Martin Babinsky wrote:
>> Hello list,
>>
>> I have put together a draft of design page describing server-side
>> implementation of user short name -> fully-qualified name resolution.[1]
>>
>> In the end I have taken the liberty to change a few aspects of the
>> design we have agreed on before and I will be glad if we can discuss
>> them further.
>>
>> Me and Honza have discussed the object that should hold the domain
>> resolution order and given the fact that IPA domain can also be a part
>> of this list, we have decided that this information is no longer bound
>> to trust configuration and should be a part of the global config instead.
>>
>> Also we have purposefully cut down the API only to a raw manipulation
>> of the attribute using an option of `ipa config-mod`. The reasons for
>> this are twofold:
>>
>> * the developer resources are quite scarce and it may be good to
>> follow YAGNI[2] principle to implement the dumbest API now and not to
>> invest into more high-level interface unless there is a demand for it
>>
>> * we can imagine that the manipulation of the domain resolution order
>> is a rare operation (ideally only once all trusts are established), so
>> I am not convinced that it is worth investing into designing
>> higher-level API
>>
>> I propose we first develop the "dumber" parts first to unblock the
>> SSSD part. If we have spare cycle afterwards then we can design and
>> implement more bells-and-whistles afterwards.
> Looks mostly OK, but there are few comments I have:
>
> - I do not see you mention how validation of the
> ipaDomainResolutionOrder is done. This is important to avoid hard to
> debug issues because SSSD will ignore domains it doesn't know about.
>

The validation is described in a Design section as follows:

"""
Finally, any modification of the domain resolution order must ensure that each of the specified domain names corresponds either to that of FreeIPA domain or to one of the trusted AD domains stored in LDAP backend. In the case of trusted domains, the domain must not be marked as disabled.
"""

Is this sufficient or is a more thorough validation required? Shall I split the whole section into sub-sections for easier navigation?

> - Space separator initially caused me to look up DNS RFCs as strictly
> speaking domain names can contain any 8-bit octet (while host names
> should follow LDH rule). But then [1] does explicitly say space is not
> allowed in AD domain names.
>

I have discussed this with Jan and consulted the same document that you cited, that's why I have arrived to the conclusion to use whitespace as separator. Jakub/Fabiano, is this ok with the way SSSD decodes domain names or should we consider other options to avoid breakage with more exotic domain names?

> - "If ipaDomainResolutionOrder is empty then *all* users must use fully
> qualified names." This is not correct with regards to the current
> behavior. I think we should change this to "if
> ipaDomainResolutionOrder is empty, then standard SSSD configuration
> logic applies on each client." This would make current behavior
> compatible with either empty or ipaDomainResolutionOrder value of
> a single IPA domain name.
>

I have considered an empty attribute value to be a distinct state from the missing attribute and assigned a different semantic meaning to it.

The reasoning is as follows: if the attribute is not set, SSSD will not retrieve it and this signals that it should continue operate in usual way.

If the attribute is present but is empty, the semantics change slightly as now we consider *no* domains during short name resolution (extension of the missing domain behavior to the case of all domains are missing from list).

That is however open to discussion and I think we can even get away from this by letting SSSD guys to decide how to handle this case.

> - There are typos in the page.
>

I know there was not much proofreading involved in this iteration. I have already tried to fix them.

> [1]
> https://support.microsoft.com/en-us/help/909264/naming-conventions-in-active-directory-for-computers,-domains,-sites,-and-ous
>
>
>

--
Martin^3 Babinsky

From freeipa-github-notification at redhat.com Wed Mar 1 12:42:25 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 01 Mar 2017 13:42:25 +0100 Subject: [Freeipa-devel] [freeipa PR#513][+pushed] certdb: Don't restore_context() of new NSSDB In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/513 Title: #513: certdb: Don't restore_context() of new NSSDB Label: +pushed From freeipa-github-notification at redhat.com Wed Mar 1 12:42:27 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 01 Mar 2017 13:42:27 +0100 Subject: [Freeipa-devel] [freeipa PR#513][comment] certdb: Don't restore_context() of new NSSDB In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/513 Title: #513: certdb: Don't restore_context() of new NSSDB MartinBasti commented: """ master: * a163ad77b3d12f2da2b135de29f594c06190b41a certdb: Don't restore_context() of new NSSDB """ See the full comment at https://github.com/freeipa/freeipa/pull/513#issuecomment-283329971 From freeipa-github-notification at redhat.com Wed Mar 1 12:42:28 2017
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 01 Mar 2017 13:42:28 +0100 Subject: [Freeipa-devel] [freeipa PR#513][closed] certdb: Don't restore_context() of new NSSDB In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/513 Author: tiran Title: #513: certdb: Don't restore_context() of new NSSDB Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/513/head:pr513 git checkout pr513 From freeipa-github-notification at redhat.com Wed Mar 1 12:45:17 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 01 Mar 2017 13:45:17 +0100 Subject: [Freeipa-devel] [freeipa PR#514][+pushed] Limit sessions to 30 minutes by default In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/514 Title: #514: Limit sessions to 30 minutes by default Label: +pushed From freeipa-github-notification at redhat.com Wed Mar 1 12:45:18 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 01 Mar 2017 13:45:18 +0100 Subject: [Freeipa-devel] [freeipa PR#514][comment] Limit sessions to 30 minutes by default In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/514 Title: #514: Limit sessions to 30 minutes by default MartinBasti commented: """ master: * d5e7a57e5b25b9cecb7a65096487a65374ad860d Limit sessions to 30 minutes by default """ See the full comment at https://github.com/freeipa/freeipa/pull/514#issuecomment-283330549 From freeipa-github-notification at redhat.com Wed Mar 1 12:45:19 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 01 Mar 2017 13:45:19 +0100 Subject: [Freeipa-devel] [freeipa PR#514][closed] Limit sessions to 30 minutes by default In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/514 Author: simo5 Title: #514: Limit sessions to 30 minutes by default Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/514/head:pr514 git checkout pr514 From freeipa-github-notification at redhat.com Wed Mar 1 12:47:37 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 01 Mar 2017 13:47:37 +0100 Subject: [Freeipa-devel] [freeipa PR#502][synchronized] Make pylint and jsl optional In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/502 Author: tiran Title: #502: Make pylint and jsl optional Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/502/head:pr502 git checkout pr502 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-502.patch Type: text/x-diff Size: 7010 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 1 12:50:45 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 01 Mar 2017 13:50:45 +0100 Subject: [Freeipa-devel] [freeipa PR#526][comment] server install: properly handle PKINIT-related options In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/526 Title: #526: server install: properly handle PKINIT-related options HonzaCholasta commented: """ In CA-less mode one has to provide all the certs manually. I don't see why the KDC cert should be an exception and why we should reinvent the wheel for it. You can't use the local CA anyway, because it's not trusted by IPA. Even if you made it trusted on the local system, it would not be trusted globally - to do that you would have to either make every local CA on every server trusted globally, which does not scale well and would most likely cause more issues than solve, or provide a mechanism to synchronize the CA's private key between servers, which is non-trivial and out of the scope of the PKINIT effort. If you think it is a good idea to support the local CA in addition to Dogtag, please file an RFE. Meanwhile, this PR fixes an obvious bug without implementing any additional features. """ See the full comment at https://github.com/freeipa/freeipa/pull/526#issuecomment-283331589 From freeipa-github-notification at redhat.com Wed Mar 1 12:52:40 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 01 Mar 2017 13:52:40 +0100 Subject: [Freeipa-devel] [freeipa PR#520][comment] Change README to use Markdown In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/520 Title: #520: Change README to use Markdown stlaz commented: """ This patch should fix the build: https://transfer.sh/AgQWD/0001-readme-fixup.patch """ See the full comment at https://github.com/freeipa/freeipa/pull/520#issuecomment-283331951 From freeipa-github-notification at redhat.com Wed Mar 1 12:53:45 2017
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 01 Mar 2017 13:53:45 +0100 Subject: [Freeipa-devel] [freeipa PR#522][+pushed] dogtag: remove redundant property definition In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/522 Title: #522: dogtag: remove redundant property definition Label: +pushed From freeipa-github-notification at redhat.com Wed Mar 1 12:53:47 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 01 Mar 2017 13:53:47 +0100 Subject: [Freeipa-devel] [freeipa PR#522][comment] dogtag: remove redundant property definition In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/522 Title: #522: dogtag: remove redundant property definition MartinBasti commented: """ master: * 49f87f34be5f04f18a6d916276153e9ef1e5852c dogtag: remove redundant property definition """ See the full comment at https://github.com/freeipa/freeipa/pull/522#issuecomment-283332158 From freeipa-github-notification at redhat.com Wed Mar 1 12:53:48 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 01 Mar 2017 13:53:48 +0100 Subject: [Freeipa-devel] [freeipa PR#522][closed] dogtag: remove redundant property definition In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/522 Author: frasertweedale Title: #522: dogtag: remove redundant property definition Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/522/head:pr522 git checkout pr522 From freeipa-github-notification at redhat.com Wed Mar 1 12:55:46 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 01 Mar 2017 13:55:46 +0100 Subject: [Freeipa-devel] [freeipa PR#525][+pushed] Remove import nss from test_ldap In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/525 Title: #525: Remove import nss from test_ldap Label: +pushed From freeipa-github-notification at redhat.com Wed Mar 1 12:55:48 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 01 Mar 2017 13:55:48 +0100 Subject: [Freeipa-devel] [freeipa PR#525][comment] Remove import nss from test_ldap In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/525 Title: #525: Remove import nss from test_ldap MartinBasti commented: """ master: * 79c0e6d355c9e7bcc7cacc37faaba8e999d56400 Remove import nss from test_ldap """ See the full comment at https://github.com/freeipa/freeipa/pull/525#issuecomment-283332523 From freeipa-github-notification at redhat.com Wed Mar 1 12:55:50 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 01 Mar 2017 13:55:50 +0100 Subject: [Freeipa-devel] [freeipa PR#525][closed] Remove import nss from test_ldap In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/525 Author: tiran Title: #525: Remove import nss from test_ldap Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/525/head:pr525 git checkout pr525 From freeipa-github-notification at redhat.com Wed Mar 1 12:57:09 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 01 Mar 2017 13:57:09 +0100 Subject: [Freeipa-devel] [freeipa PR#479][comment] Merge AD trust installer into composite ones In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/479 Title: #479: Merge AD trust installer into composite ones MartinBasti commented: """ Please rebase """ See the full comment at https://github.com/freeipa/freeipa/pull/479#issuecomment-283332782 From jcholast at redhat.com Wed Mar 1 13:04:26 2017 
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 1 Mar 2017 14:04:26 +0100 Subject: [Freeipa-devel] Please review: V4/AD user short names design draft In-Reply-To: References: <92623f03-bb8c-9931-ff54-3024bdb3077d@redhat.com> <20170228124802.krupsj2xa7fo3ewn@redhat.com> Message-ID: <34d00fea-68dd-00ec-b9e9-d1d27d6ba819@redhat.com>

On 1.3.2017 13:39, Martin Babinsky wrote:
> Alexander,
>
> thank you for your comments. Replies inline:
>
> On 02/28/2017 01:48 PM, Alexander Bokovoy wrote:
>> On ti, 28 helmi 2017, Martin Babinsky wrote:
>>> Hello list,
>>>
>>> I have put together a draft of design page describing server-side
>>> implementation of user short name -> fully-qualified name resolution.[1]
>>>
>>> In the end I have taken the liberty to change a few aspects of the
>>> design we have agreed on before and I will be glad if we can discuss
>>> them further.
>>>
>>> Me and Honza have discussed the object that should hold the domain
>>> resolution order and given the fact that IPA domain can also be a part
>>> of this list, we have decided that this information is no longer bound
>>> to trust configuration and should be a part of the global config
>>> instead.
>>>
>>> Also we have purposefully cut down the API only to a raw manipulation
>>> of the attribute using an option of `ipa config-mod`. The reasons for
>>> this are twofold:
>>>
>>> * the developer resources are quite scarce and it may be good to
>>> follow YAGNI[2] principle to implement the dumbest API now and not to
>>> invest into more high-level interface unless there is a demand for it
>>>
>>> * we can imagine that the manipulation of the domain resolution order
>>> is a rare operation (ideally only once all trusts are established), so
>>> I am not convinced that it is worth investing into designing
>>> higher-level API
>>>
>>> I propose we first develop the "dumber" parts first to unblock the
>>> SSSD part. If we have spare cycle afterwards then we can design and
>>> implement more bells-and-whistles afterwards.
>> Looks mostly OK, but there are few comments I have:
>>
>> - I do not see you mention how validation of the
>> ipaDomainResolutionOrder is done. This is important to avoid hard to
>> debug issues because SSSD will ignore domains it doesn't know about.
>>
>
> The validation is described in a Design section as follows:
>
> """
> Finally, any modification of the domain resolution order must ensure
> that each of the specified domain names corresponds either to that of
> FreeIPA domain or to one of the trusted AD domains stored in LDAP
> backend. In the case of trusted domains, the domain must not be marked
> as disabled.
> """
>
> Is this sufficient or is a more thorough validation required? Shall I
> split the whole section into sub-sections for easier navigation?
>
>> - Space separator initially caused me to look up DNS RFCs as strictly
>> speaking domain names can contain any 8-bit octet (while host names
>> should follow LDH rule). But then [1] does explicitly say space is not
>> allowed in AD domain names.
>>
>
> I have discussed this with Jan and consulted the same document that you
> cited, that's why I have arrived to the conclusion to use whitespace as
> separator. Jakub/Fabiano, is this ok with the way SSSD decodes domain
> names or should we consider other options to avoid breakage with more
> exotic domain names?

Actually I would prefer something else than whitespace as a separator. A ':' maybe?

>
>> - "If ipaDomainResolutionOrder is empty then *all* users must use fully
>> qualified names." This is not correct with regards to the current
>> behavior. I think we should change this to "if
>> ipaDomainResolutionOrder is empty, then standard SSSD configuration
>> logic applies on each client." This would make current behavior
>> compatible with either empty or ipaDomainResolutionOrder value of
>> a single IPA domain name.
>>
>
> I have considered an empty attribute value to be a distinct state from
> the missing attribute and assigned a different semantic meaning to it.
>
> The reasoning is as follows: if the attribute is not set, SSSD will not
> retrieve it and this signals that it should continue operate in usual way.
>
> If the attribute is present but is empty, the semantics change slightly
> as now we consider *no* domains during short name resolution (extension
> of the missing domain behavior to the case of all domains are missing
> from list).

It doesn't have to be literally empty (LDAP character string syntaxes don't allow it anyway IIRC), there can be a value which denotes an empty list of domain (e.g. the separator alone).

>
> That is however open to discussion and I think we can even get away from
> this by letting SSSD guys to decide how to handle this case.
>
>> - There are typos in the page.
>>
>
> I know there was not much proofreading involved in this iteration. I
> have already tried to fix them.
>
>> [1]
>> https://support.microsoft.com/en-us/help/909264/naming-conventions-in-active-directory-for-computers,-domains,-sites,-and-ous
>>
>>
>>
>>
>
>

--
Jan Cholasta

From abokovoy at redhat.com Wed Mar 1 13:00:35 2017
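The validation rule quoted from the design page, together with the separator and empty-list points raised in the two replies above, as an added Python sketch; it is not part of the thread and not FreeIPA code. The function names, the ':' default separator (the thread has not settled on one) and the sample domains are assumptions made for illustration.

```python
from typing import Dict, List, Optional


class ResolutionOrderError(ValueError):
    """A proposed domain resolution order failed validation."""


def normalize(name: str) -> str:
    # DNS names compare case-insensitively; a trailing root dot is optional.
    return name.strip().rstrip(".").lower()


def parse_resolution_order(raw: Optional[str],
                           separator: str = ":") -> Optional[List[str]]:
    """Split the raw attribute value into an ordered list of domain names.

    None            -> the attribute is not set at all
    separator alone -> an explicitly empty list (a literally empty string
                       cannot be stored, so a marker value stands in for it)
    anything else   -> separator-delimited names, order preserved
    """
    if raw is None:
        return None
    if raw == separator:
        return []
    domains = [normalize(part) for part in raw.split(separator)]
    if not all(domains):
        # Catches "", "a::b" and "a:b:" instead of silently dropping entries.
        raise ResolutionOrderError("empty domain name in %r" % raw)
    return domains


def validate_resolution_order(raw: Optional[str],
                              ipa_domain: str,
                              trusted_domains: Dict[str, bool],
                              separator: str = ":") -> Optional[List[str]]:
    """Accept the value only if every name is the IPA domain or an enabled
    trusted domain.

    trusted_domains maps each trusted domain name known to the server
    (forest roots and their child domains alike) to True when enabled.
    """
    order = parse_resolution_order(raw, separator)
    if not order:
        return order  # unset or explicitly empty: nothing to look up
    ipa = normalize(ipa_domain)
    trusted = {normalize(n): enabled for n, enabled in trusted_domains.items()}
    problems = []
    for domain in order:
        if domain == ipa:
            continue
        if domain not in trusted:
            problems.append(
                "%s: neither the IPA domain nor a trusted domain" % domain)
        elif not trusted[domain]:
            problems.append("%s: trusted domain is disabled" % domain)
    if problems:
        # Report every bad entry at once so the admin can fix the whole value.
        raise ResolutionOrderError("; ".join(problems))
    return order


# Constructed sample data, not taken from any real deployment.
SAMPLE_IPA_DOMAIN = "ipa.example.test"
SAMPLE_TRUSTED = {
    "ad.example.test": True,         # forest root
    "child.ad.example.test": True,   # child domain of that forest
    "legacy.example.test": False,    # trust present but disabled
}

if __name__ == "__main__":
    for value in ("AD.Example.Test.:ipa.example.test", ":",
                  "legacy.example.test:ipa.example.test",
                  "ipa.example.test:unknown.example.test"):
        try:
            result = validate_resolution_order(
                value, SAMPLE_IPA_DOMAIN, SAMPLE_TRUSTED)
            print("%-45r accepted -> %r" % (value, result))
        except ResolutionOrderError as exc:
            print("%-45r rejected: %s" % (value, exc))
```

Rejecting unknown names on the server is what keeps a mistyped domain from being stored and then silently skipped on clients, which is the hard-to-debug case raised in the review.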
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Wed, 1 Mar 2017 15:00:35 +0200 Subject: [Freeipa-devel] Please review: V4/AD user short names design draft In-Reply-To: References: <92623f03-bb8c-9931-ff54-3024bdb3077d@redhat.com> <20170228124802.krupsj2xa7fo3ewn@redhat.com> Message-ID: <20170301130035.hxmz45pegdoexf5c@redhat.com> On Wed, 01 Mar 2017, Martin Babinsky wrote: >Alexander, > >thank you for your comments. Replies inline: > >On 02/28/2017 01:48 PM, Alexander Bokovoy wrote: >>On Tue, 28 Feb 2017, Martin Babinsky wrote: >>>Hello list, >>> >>>I have put together a draft of design page describing server-side >>>implementation of user short name -> fully-qualified name resolution.[1] >>> >>>In the end I have taken the liberty to change a few aspects of the >>>design we have agreed on before and I will be glad if we can discuss >>>them further. >>> >>>Me and Honza have discussed the object that should hold the domain >>>resolution order and given the fact that IPA domain can also be a part >>>of this list, we have decided that this information is no longer bound >>>to trust configuration and should be a part of the global config instead. >>> >>>Also we have purposefully cut down the API only to a raw manipulation >>>of the attribute using an option of `ipa config-mod`. The reasons for >>>this are twofold: >>> >>> * the developer resources are quite scarce and it may be good to >>>follow YAGNI[2] principle to implement the dumbest API now and not to >>>invest into more high-level interface unless there is a demand for it >>> >>> * we can imagine that the manipulation of the domain resolution order >>>is a rare operation (ideally only once all trusts are established), so >>>I am not convinced that it is worth investing into designing >>>higher-level API >>> >>>I propose we first develop the "dumber" parts first to unblock the >>>SSSD part. If we have spare cycle afterwards then we can design and >>>implement more bells-and-whistles afterwards. 
>>Looks mostly OK, but there are few comments I have: >> >>- I do not see you mention how validation of the >> ipaDomainResolutionOrder is done. This is important to avoid hard to >> debug issues because SSSD will ignore domains it doesn't know about. >> > >The validation is described in a Design section as follows: > >""" >Finally, any modification of the domain resolution order must ensure >that each of the specified domain names corresponds either to that of >FreeIPA domain or to one of the trusted AD domains stored in LDAP >backend. In the case of trusted domains, the domain must not be marked >as disabled. >""" > >Is this sufficient or is a more thorough validation required? Shall I >split the whole section into sub-sections for easier navigation? I think it would be good to increase visibility by making subsections. However, I'd like to spell it out that trusted forest root domain is also verified on the list. We have trusts structured hierarchically, this means both levels have to be checked. >>- Space separator initially caused me to look up DNS RFCs as strictly >> speaking domain names can contain any 8-bit octet (while host names >> should follow LDH rule). But then [1] does explicitly say space is not >> allowed in AD domain names. >> > >I have discussed this with Jan and consulted the same document that >you cited, that's why I have arrived to the conclusion to use >whitespace as separator. Jakub/Fabiano, is this ok with the way SSSD >decodes domain names or should we consider other options to avoid >breakage with more exotic domain names? > >>- "If ipaDomainResolutionOrder is empty then *all* users must use fully >> qualified names." This is not correct with regards to the current >> behavior. I think we should change this to "if >> ipaDomainResolutionOrder is empty, then standard SSSD configuration >> logic applies on each client." 
This would make current behavior >> compatible with either empty or ipaDomainResolutionOrder value of >> a single IPA domain name. >> > >I have considered a empty attribute value to be a distinct state from >the missing attribute and assigned a different semantic meaning to it. > >The reasoning is as follows: if the attribute is not set, SSSD will >not retrieve it and this signals that it should continue operate in >usual way. > >If the attribute is present but is empty, the semantics change >slightly as now we consider *no* domains during short name resolution >(extension of the missing domain behavior to the case of all domains >are missing from list). I'd rather avoid making this distinction. You always can override things on SSSD side and default on SSSD side is to *not* use fully qualified domain names for a domain. I don't think we have any use case of having all domains with fully qualified names. Even in case of NFS and sss_rpcidmapd, SSSD will happily handle both non-fully qualified names and fully qualified ones. -- / Alexander Bokovoy From freeipa-github-notification at redhat.com Wed Mar 1 13:00:51 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 01 Mar 2017 14:00:51 +0100 Subject: [Freeipa-devel] [freeipa PR#524][synchronized] Remove NSPRError exception from platform tasks In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/524 Author: tiran Title: #524: Remove NSPRError exception from platform tasks Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/524/head:pr524 git checkout pr524 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-524.patch Type: text/x-diff Size: 2233 bytes Desc: not available URL: From abokovoy at redhat.com Wed Mar 1 13:05:26 2017 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Wed, 1 Mar 2017 15:05:26 +0200 Subject: [Freeipa-devel] Please review: V4/AD user short names design draft In-Reply-To: <34d00fea-68dd-00ec-b9e9-d1d27d6ba819@redhat.com> References: <92623f03-bb8c-9931-ff54-3024bdb3077d@redhat.com> <20170228124802.krupsj2xa7fo3ewn@redhat.com> <34d00fea-68dd-00ec-b9e9-d1d27d6ba819@redhat.com> Message-ID: <20170301130526.66tvuj5tceiyd4r6@redhat.com> On Wed, 01 Mar 2017, Jan Cholasta wrote: >On 1.3.2017 13:39, Martin Babinsky wrote: >>Alexander, >> >>thank you for your comments. Replies inline: >> >>On 02/28/2017 01:48 PM, Alexander Bokovoy wrote: >>>On Tue, 28 Feb 2017, Martin Babinsky wrote: >>>>Hello list, >>>> >>>>I have put together a draft of design page describing server-side >>>>implementation of user short name -> fully-qualified name resolution.[1] >>>> >>>>In the end I have taken the liberty to change a few aspects of the >>>>design we have agreed on before and I will be glad if we can discuss >>>>them further. >>>> >>>>Me and Honza have discussed the object that should hold the domain >>>>resolution order and given the fact that IPA domain can also be a part >>>>of this list, we have decided that this information is no longer bound >>>>to trust configuration and should be a part of the global config >>>>instead. >>>> >>>>Also we have purposefully cut down the API only to a raw manipulation >>>>of the attribute using an option of `ipa config-mod`. 
The reasons for >>>>this are twofold: >>>> >>>> * the developer resources are quite scarce and it may be good to >>>>follow YAGNI[2] principle to implement the dumbest API now and not to >>>>invest into more high-level interface unless there is a demand for it >>>> >>>> * we can imagine that the manipulation of the domain resolution order >>>>is a rare operation (ideally only once all trusts are established), so >>>>I am not convinced that it is worth investing into designing >>>>higher-level API >>>> >>>>I propose we first develop the "dumber" parts first to unblock the >>>>SSSD part. If we have spare cycle afterwards then we can design and >>>>implement more bells-and-whistles afterwards. >>>Looks mostly OK, but there are few comments I have: >>> >>>- I do not see you mention how validation of the >>> ipaDomainResolutionOrder is done. This is important to avoid hard to >>> debug issues because SSSD will ignore domains it doesn't know about. >>> >> >>The validation is described in a Design section as follows: >> >>""" >>Finally, any modification of the domain resolution order must ensure >>that each of the specified domain names corresponds either to that of >>FreeIPA domain or to one of the trusted AD domains stored in LDAP >>backend. In the case of trusted domains, the domain must not be marked >>as disabled. >>""" >> >>Is this sufficient or is a more thorough validation required? Shall I >>split the whole section into sub-sections for easier navigation? >> >>>- Space separator initially caused me to look up DNS RFCs as strictly >>> speaking domain names can contain any 8-bit octet (while host names >>> should follow LDH rule). But then [1] does explicitly say space is not >>> allowed in AD domain names. >>> >> >>I have discussed this with Jan and consulted the same document that you >>cited, that's why I have arrived to the conclusion to use whitespace as >>separator. 
Jakub/Fabiano, is this ok with the way SSSD decodes domain >>names or should we consider other options to avoid breakage with more >>exotic domain names? > >Actually I would prefer something else than whitespace as a separator. >A ':' maybe? or ',' or ';'. Any would work. >>I have considered a empty attribute value to be a distinct state from >>the missing attribute and assigned a different semantic meaning to it. >> >>The reasoning is as follows: if the attribute is not set, SSSD will not >>retrieve it and this signals that it should continue operate in usual way. >> >>If the attribute is present but is empty, the semantics change slightly >>as now we consider *no* domains during short name resolution (extension >>of the missing domain behavior to the case of all domains are missing >>from list). > >It doesn't have to be literally empty (LDAP character string syntaxes >don't allow it anyway IIRC), there can be a value which denotes an >empty list of domain (e.g. the separator alone). I don't see *why* there should be this distinction. The deciding party is SSSD. Whether this attribute exists and empty or does not exist at all does not change anything. Changing how SSSD interprets own defaults depending on absence or emptiness of certain attribute in IPA config object is not user friendly at all. SSSD default behavior should stay the same whether it finds missing or empty attribute because the attribute will not be known to older SSSD anyway. Missing or empty attribute should, in my opinion, be equal to older SSSD behavior. -- / Alexander Bokovoy From freeipa-github-notification at redhat.com Wed Mar 1 13:06:09 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 01 Mar 2017 14:06:09 +0100 Subject: [Freeipa-devel] [freeipa PR#472][+ack] Packaging: Add placeholder packages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/472 Title: #472: Packaging: Add placeholder packages Label: +ack From freeipa-github-notification at redhat.com Wed Mar 1 13:08:26 2017 From: freeipa-github-notification at redhat.com (lslebodn) Date: Wed, 01 Mar 2017 14:08:26 +0100 Subject: [Freeipa-devel] [freeipa PR#502][comment] Make pylint and jsl optional In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/502 Title: #502: Make pylint and jsl optional lslebodn commented: """ It was explained on IRC > < cheimes> lslebodn: Your proposal is missing the point of the ticket. It doesn't not simplify > building, but rather improves error messages. The whole point of the ticket is a more > pleasant experience for outsiders that are not FreeIPA core contributors. But there is main problem with this PR. The design document expected these option enabled by default. http://www.freeipa.org/page/V4/Build_system_refactoring This is a reason why I mentioned to log just a hint for optional *lint dependencies. And ticket https://pagure.io/freeipa/issue/6604 says that options were made optional a month ago master: * 5c18feaa206bbaee692fc3640b7b79c8d9d6a638 CONFIGURE: Fix detection of pylint * 3f91469f327d8d9f3b27e0b67c54a4f47ad845c1 CONFIGURE: Update help message for jslint * b82d285a4a75e11cc9291ecca12d2fcc26f43ed1 SPEC: Fix build in mock """ See the full comment at https://github.com/freeipa/freeipa/pull/502#issuecomment-283335089 From freeipa-github-notification at redhat.com Wed Mar 1 13:10:07 2017 
From: freeipa-github-notification at redhat.com (abbra) Date: Wed, 01 Mar 2017 14:10:07 +0100 Subject: [Freeipa-devel] [freeipa PR#526][comment] server install: properly handle PKINIT-related options In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/526 Title: #526: server install: properly handle PKINIT-related options abbra commented: """ This PR does not handle upgrade case which is what Local CA considers. We don't need other systems trust the certificate and we don't need to synchronize anything because KDC cert in upgrade case is issued automatically and is used by privilege separation code on the same machine. """ See the full comment at https://github.com/freeipa/freeipa/pull/526#issuecomment-283335425 From freeipa-github-notification at redhat.com Wed Mar 1 13:10:26 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 01 Mar 2017 14:10:26 +0100 Subject: [Freeipa-devel] [freeipa PR#502][synchronized] Make pylint and jsl optional In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/502 Author: tiran Title: #502: Make pylint and jsl optional Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/502/head:pr502 git checkout pr502 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-502.patch Type: text/x-diff Size: 6241 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 1 13:11:44 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 01 Mar 2017 14:11:44 +0100 Subject: [Freeipa-devel] [freeipa PR#527][opened] Fix replica with --setup-ca issues Message-ID: URL: https://github.com/freeipa/freeipa/pull/527 Author: stlaz Title: #527: Fix replica with --setup-ca issues Action: opened PR body: """ nolog argument of ipautil.run requires tuple, not a string. https://fedorahosted.org/freeipa/ticket/5695 I am a bad person. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/527/head:pr527 git checkout pr527 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-527.patch Type: text/x-diff Size: 1656 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 1 13:15:34 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 01 Mar 2017 14:15:34 +0100 Subject: [Freeipa-devel] [freeipa PR#502][comment] Make pylint and jsl optional In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/502 Title: #502: Make pylint and jsl optional tomaskrizek commented: """ @lslebodn We don't want to have linters enabled by default when you run `./configure` without options. But you're right we should update the wiki pages to mention the new defaults. """ See the full comment at https://github.com/freeipa/freeipa/pull/502#issuecomment-283336529 From freeipa-github-notification at redhat.com Wed Mar 1 13:16:33 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 01 Mar 2017 14:16:33 +0100 Subject: [Freeipa-devel] [freeipa PR#502][+ack] Make pylint and jsl optional In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/502 Title: #502: Make pylint and jsl optional Label: +ack From freeipa-github-notification at redhat.com Wed Mar 1 13:19:35 2017 
From: freeipa-github-notification at redhat.com (lslebodn) Date: Wed, 01 Mar 2017 14:19:35 +0100 Subject: [Freeipa-devel] [freeipa PR#502][comment] Make pylint and jsl optional In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/502 Title: #502: Make pylint and jsl optional lslebodn commented: """ > But you're right we should update the wiki pages to mention the new defaults. Such change require broader discussion. e.g. I know that @rcritten had strong opinion about pylint usage in past. """ See the full comment at https://github.com/freeipa/freeipa/pull/502#issuecomment-283337442 From freeipa-github-notification at redhat.com Wed Mar 1 13:23:58 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 01 Mar 2017 14:23:58 +0100 Subject: [Freeipa-devel] [freeipa PR#502][comment] Make pylint and jsl optional In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/502 Title: #502: Make pylint and jsl optional tiran commented: """ @tomaskrizek good point, I added a TODO item to the ticket, https://pagure.io/freeipa/issue/6604#comment-415669 """ See the full comment at https://github.com/freeipa/freeipa/pull/502#issuecomment-283338454 From freeipa-github-notification at redhat.com Wed Mar 1 13:33:17 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 01 Mar 2017 14:33:17 +0100 Subject: [Freeipa-devel] [freeipa PR#527][+ack] Fix replica with --setup-ca issues In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/527 Title: #527: Fix replica with --setup-ca issues Label: +ack From freeipa-github-notification at redhat.com Wed Mar 1 13:33:52 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 01 Mar 2017 14:33:52 +0100 Subject: [Freeipa-devel] [freeipa PR#527][+pushed] Fix replica with --setup-ca issues In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/527 Title: #527: Fix replica with --setup-ca issues Label: +pushed From freeipa-github-notification at redhat.com Wed Mar 1 13:33:54 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 01 Mar 2017 14:33:54 +0100 Subject: [Freeipa-devel] [freeipa PR#527][comment] Fix replica with --setup-ca issues In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/527 Title: #527: Fix replica with --setup-ca issues HonzaCholasta commented: """ master: * 052de4308c64b126bee440e970be4cf8449c5ebc Fix replica with --setup-ca issues """ See the full comment at https://github.com/freeipa/freeipa/pull/527#issuecomment-283340654 From freeipa-github-notification at redhat.com Wed Mar 1 13:33:55 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 01 Mar 2017 14:33:55 +0100 Subject: [Freeipa-devel] [freeipa PR#527][closed] Fix replica with --setup-ca issues In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/527 Author: stlaz Title: #527: Fix replica with --setup-ca issues Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/527/head:pr527 git checkout pr527 From jcholast at redhat.com Wed Mar 1 13:41:57 2017 
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 1 Mar 2017 14:41:57 +0100 Subject: [Freeipa-devel] Please review: V4/AD user short names design draft In-Reply-To: <20170301130526.66tvuj5tceiyd4r6@redhat.com> References: <92623f03-bb8c-9931-ff54-3024bdb3077d@redhat.com> <20170228124802.krupsj2xa7fo3ewn@redhat.com> <34d00fea-68dd-00ec-b9e9-d1d27d6ba819@redhat.com> <20170301130526.66tvuj5tceiyd4r6@redhat.com> Message-ID: On 1.3.2017 14:05, Alexander Bokovoy wrote: > On Wed, 01 Mar 2017, Jan Cholasta wrote: >> On 1.3.2017 13:39, Martin Babinsky wrote: >>> Alexander, >>> >>> thank you for your comments. Replies inline: >>> >>> On 02/28/2017 01:48 PM, Alexander Bokovoy wrote: >>>> On Tue, 28 Feb 2017, Martin Babinsky wrote: >>>>> Hello list, >>>>> >>>>> I have put together a draft of design page describing server-side >>>>> implementation of user short name -> fully-qualified name >>>>> resolution.[1] >>>>> >>>>> In the end I have taken the liberty to change a few aspects of the >>>>> design we have agreed on before and I will be glad if we can discuss >>>>> them further. >>>>> >>>>> Me and Honza have discussed the object that should hold the domain >>>>> resolution order and given the fact that IPA domain can also be a part >>>>> of this list, we have decided that this information is no longer bound >>>>> to trust configuration and should be a part of the global config >>>>> instead. >>>>> >>>>> Also we have purposefully cut down the API only to a raw manipulation >>>>> of the attribute using an option of `ipa config-mod`. 
The reasons for >>>>> this are twofold: >>>>> >>>>> * the developer resources are quite scarce and it may be good to >>>>> follow YAGNI[2] principle to implement the dumbest API now and not to >>>>> invest into more high-level interface unless there is a demand for it >>>>> >>>>> * we can imagine that the manipulation of the domain resolution order >>>>> is a rare operation (ideally only once all trusts are established), so >>>>> I am not convinced that it is worth investing into designing >>>>> higher-level API >>>>> >>>>> I propose we first develop the "dumber" parts first to unblock the >>>>> SSSD part. If we have spare cycle afterwards then we can design and >>>>> implement more bells-and-whistles afterwards. >>>> Looks mostly OK, but there are few comments I have: >>>> >>>> - I do not see you mention how validation of the >>>> ipaDomainResolutionOrder is done. This is important to avoid hard to >>>> debug issues because SSSD will ignore domains it doesn't know about. >>>> >>> >>> The validation is described in a Design section as follows: >>> >>> """ >>> Finally, any modification of the domain resolution order must ensure >>> that each of the specified domain names corresponds either to that of >>> FreeIPA domain or to one of the trusted AD domains stored in LDAP >>> backend. In the case of trusted domains, the domain must not be marked >>> as disabled. >>> """ >>> >>> Is this sufficient or is a more thorough validation required? Shall I >>> split the whole section into sub-sections for easier navigation? >>> >>>> - Space separator initially caused me to look up DNS RFCs as strictly >>>> speaking domain names can contain any 8-bit octet (while host names >>>> should follow LDH rule). But then [1] does explicitly say space is not >>>> allowed in AD domain names. >>>> >>> >>> I have discussed this with Jan and consulted the same document that you >>> cited, that's why I have arrived to the conclusion to use whitespace as >>> separator. 
Jakub/Fabiano, is this ok with the way SSSD decodes domain >>> names or should we consider other options to avoid breakage with more >>> exotic domain names? >> >> Actually I would prefer something else than whitespace as a separator. >> A ':' maybe? > or ',' or ';'. Any would work. > >>> I have considered a empty attribute value to be a distinct state from >>> the missing attribute and assigned a different semantic meaning to it. >>> >>> The reasoning is as follows: if the attribute is not set, SSSD will not >>> retrieve it and this signals that it should continue operate in usual >>> way. >>> >>> If the attribute is present but is empty, the semantics change slightly >>> as now we consider *no* domains during short name resolution (extension >>> of the missing domain behavior to the case of all domains are missing >>> from list). >> >> It doesn't have to be literally empty (LDAP character string syntaxes >> don't allow it anyway IIRC), there can be a value which denotes an >> empty list of domain (e.g. the separator alone). > I don't see *why* there should be this distinction. The deciding party > is SSSD. Whether this attribute exists and empty or does not exist at > all does not change anything. Changing how SSSD interprets own defaults > depending on absence or emptiness of certain attribute in IPA config > object is not user friendly at all. > > SSSD default behavior should stay the same whether it finds missing or > empty attribute because the attribute will not be known to older SSSD > anyway. Missing or empty attribute should, in my opinion, be equal to > older SSSD behavior. > "No value is set in configuration => use built-in default / some value is set configuration => use the value" is perfectly user friendly and pretty much common virtually everywhere I believe, much more so than "empty value is set in configuration => ignore the value even if the user deliberately set it empty and use the default value instead". 
-- Jan Cholasta From freeipa-github-notification at redhat.com Wed Mar 1 13:39:41 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 01 Mar 2017 14:39:41 +0100 Subject: [Freeipa-devel] [freeipa PR#502][comment] Make pylint and jsl optional In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/502 Title: #502: Make pylint and jsl optional tomaskrizek commented: """ Wiki page updated (along with `--without-ipatests`` option from #364). @lslebodn Ok, let's keep the PR open for a couple days to see if there's any disagreement. I don't see this as a drastic change that should be widely discussed, but feel free to bring up the topic on `freeipa-devel` if you disagree. """ See the full comment at https://github.com/freeipa/freeipa/pull/502#issuecomment-283341902 From freeipa-github-notification at redhat.com Wed Mar 1 13:40:33 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 01 Mar 2017 14:40:33 +0100 Subject: [Freeipa-devel] [freeipa PR#524][comment] Remove NSPRError exception from platform tasks In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/524 Title: #524: Remove NSPRError exception from platform tasks stlaz commented: """ The patch seems ok now. ACK. """ See the full comment at https://github.com/freeipa/freeipa/pull/524#issuecomment-283342093 From freeipa-github-notification at redhat.com Wed Mar 1 13:40:38 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 01 Mar 2017 14:40:38 +0100 Subject: [Freeipa-devel] [freeipa PR#524][+ack] Remove NSPRError exception from platform tasks In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/524 Title: #524: Remove NSPRError exception from platform tasks Label: +ack From freeipa-github-notification at redhat.com Wed Mar 1 13:46:01 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 01 Mar 2017 14:46:01 +0100 Subject: [Freeipa-devel] [freeipa PR#453][synchronized] Cleanup certdb In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/453 Author: tiran Title: #453: Cleanup certdb Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/453/head:pr453 git checkout pr453 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-453.patch Type: text/x-diff Size: 9486 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 1 13:47:36 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 01 Mar 2017 14:47:36 +0100 Subject: [Freeipa-devel] [freeipa PR#479][synchronized] Merge AD trust installer into composite ones In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/479 Author: martbab Title: #479: Merge AD trust installer into composite ones Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/479/head:pr479 git checkout pr479 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-479.patch Type: text/x-diff Size: 48810 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 1 13:48:26 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 01 Mar 2017 14:48:26 +0100 Subject: [Freeipa-devel] [freeipa PR#502][comment] Make pylint and jsl optional In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/502 Title: #502: Make pylint and jsl optional MartinBasti commented: """ Since we have gating here each PR is checked by linters, commits are checked before pushed, that was reason why linters are optional now in build. """ See the full comment at https://github.com/freeipa/freeipa/pull/502#issuecomment-283343944 From abokovoy at redhat.com Wed Mar 1 13:58:07 2017 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Wed, 1 Mar 2017 15:58:07 +0200 Subject: [Freeipa-devel] Please review: V4/AD user short names design draft In-Reply-To: References: <92623f03-bb8c-9931-ff54-3024bdb3077d@redhat.com> <20170228124802.krupsj2xa7fo3ewn@redhat.com> <34d00fea-68dd-00ec-b9e9-d1d27d6ba819@redhat.com> <20170301130526.66tvuj5tceiyd4r6@redhat.com> Message-ID: <20170301135807.c65u7thxqcfquvn3@redhat.com> On Wed, 01 Mar 2017, Jan Cholasta wrote: >On 1.3.2017 14:05, Alexander Bokovoy wrote: >>On Wed, 01 Mar 2017, Jan Cholasta wrote: >>>On 1.3.2017 13:39, Martin Babinsky wrote: >>>>Alexander, >>>> >>>>thank you for your comments. Replies inline: >>>> >>>>On 02/28/2017 01:48 PM, Alexander Bokovoy wrote: >>>>>On Tue, 28 Feb 2017, Martin Babinsky wrote: >>>>>>Hello list, >>>>>> >>>>>>I have put together a draft of design page describing server-side >>>>>>implementation of user short name -> fully-qualified name >>>>>>resolution.[1] >>>>>> >>>>>>In the end I have taken the liberty to change a few aspects of the >>>>>>design we have agreed on before and I will be glad if we can discuss >>>>>>them further. >>>>>> >>>>>>Me and Honza have discussed the object that should hold the domain >>>>>>resolution order and given the fact that IPA domain can also be a part >>>>>>of this list, we have decided that this information is no longer bound >>>>>>to trust configuration and should be a part of the global config >>>>>>instead. >>>>>> >>>>>>Also we have purposefully cut down the API only to a raw manipulation >>>>>>of the attribute using an option of `ipa config-mod`. 
The reasons for >>>>>>this are twofold: >>>>>> >>>>>>* the developer resources are quite scarce and it may be good to >>>>>>follow YAGNI[2] principle to implement the dumbest API now and not to >>>>>>invest into more high-level interface unless there is a demand for it >>>>>> >>>>>>* we can imagine that the manipulation of the domain resolution order >>>>>>is a rare operation (ideally only once all trusts are established), so >>>>>>I am not convinced that it is worth investing into designing >>>>>>higher-level API >>>>>> >>>>>>I propose we first develop the "dumber" parts first to unblock the >>>>>>SSSD part. If we have spare cycle afterwards then we can design and >>>>>>implement more bells-and-whistles afterwards. >>>>>Looks mostly OK, but there are few comments I have: >>>>> >>>>>- I do not see you mention how validation of the >>>>>ipaDomainResolutionOrder is done. This is important to avoid hard to >>>>>debug issues because SSSD will ignore domains it doesn't know about. >>>>> >>>> >>>>The validation is described in a Design section as follows: >>>> >>>>""" >>>>Finally, any modification of the domain resolution order must ensure >>>>that each of the specified domain names corresponds either to that of >>>>FreeIPA domain or to one of the trusted AD domains stored in LDAP >>>>backend. In the case of trusted domains, the domain must not be marked >>>>as disabled. >>>>""" >>>> >>>>Is this sufficient or is a more thorough validation required? Shall I >>>>split the whole section into sub-sections for easier navigation? >>>> >>>>>- Space separator initially caused me to look up DNS RFCs as strictly >>>>>speaking domain names can contain any 8-bit octet (while host names >>>>>should follow LDH rule). But then [1] does explicitly say space is not >>>>>allowed in AD domain names. >>>>> >>>> >>>>I have discussed this with Jan and consulted the same document that you >>>>cited, that's why I have arrived to the conclusion to use whitespace as >>>>separator. 
Jakub/Fabiano, is this ok with the way SSSD decodes domain
>>>>names or should we consider other options to avoid breakage with more
>>>>exotic domain names?
>>>
>>>Actually I would prefer something else than whitespace as a separator.
>>>A ':' maybe?
>>or ',' or ';'. Any would work.
>>
>>>>I have considered an empty attribute value to be a distinct state from
>>>>the missing attribute and assigned a different semantic meaning to it.
>>>>
>>>>The reasoning is as follows: if the attribute is not set, SSSD will not
>>>>retrieve it and this signals that it should continue operate in usual
>>>>way.
>>>>
>>>>If the attribute is present but is empty, the semantics change slightly
>>>>as now we consider *no* domains during short name resolution (extension
>>>>of the missing domain behavior to the case of all domains are missing
>>>>from list).
>>>
>>>It doesn't have to be literally empty (LDAP character string syntaxes
>>>don't allow it anyway IIRC), there can be a value which denotes an
>>>empty list of domain (e.g. the separator alone).
>>I don't see *why* there should be this distinction. The deciding party
>>is SSSD. Whether this attribute exists and empty or does not exist at
>>all does not change anything. Changing how SSSD interprets own defaults
>>depending on absence or emptiness of certain attribute in IPA config
>>object is not user friendly at all.
>>
>>SSSD default behavior should stay the same whether it finds missing or
>>empty attribute because the attribute will not be known to older SSSD
>>anyway. Missing or empty attribute should, in my opinion, be equal to
>>older SSSD behavior.
>>
>
>"No value is set in configuration => use built-in default / some value
>is set configuration => use the value" is perfectly user friendly and
>pretty much common virtually everywhere I believe, much more so than
>"empty value is set in configuration => ignore the value even if the
>user deliberately set it empty and use the default value instead".

I'm not arguing with "no value is set in configuration -> use built-in
default". I do argue on having empty but present attribute because it
does not add anything useful for SSSD to decide on. And as it is not
adding anything useful, why there should be such difference at all?

This is the only question open I see in this design.

--
/ Alexander Bokovoy

From freeipa-github-notification at redhat.com Wed Mar 1 14:32:35 2017
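A sketch of the validation rule quoted from the design page and of the missing-versus-empty distinction debated in the message above, added here as an example; it is not FreeIPA or SSSD code. The ':' separator, the separator alone as the marker for an empty list, the user@domain form, all function names and the sample domains are assumptions, and the thread had settled neither the separator nor the empty-value semantics.

```python
"""Added example: validate a domain resolution order value."""
from typing import Dict, List, Optional

SEPARATOR = ":"  # assumption: one of the separators proposed in the thread

# Constructed sample data standing in for what the server would read from LDAP:
# trusted domain name -> True if enabled, False if marked as disabled.
SAMPLE_IPA_DOMAIN = "ipa.test"
SAMPLE_TRUSTED = {"ad.example.com": True, "legacy.example.com": False}


class ResolutionOrderError(ValueError):
    """The value is malformed or names a domain that must not be listed."""


def parse_resolution_order(raw: Optional[str],
                           sep: str = SEPARATOR) -> Optional[List[str]]:
    """Split the raw attribute value into an ordered list of domain names.

    None          -> attribute missing (client keeps its built-in default)
    sep alone     -> explicit empty list (draft semantics, still under debate)
    anything else -> ordered, lower-cased domain names
    """
    if raw is None:
        return None
    if raw == sep:
        return []
    parts = raw.split(sep)
    for part in parts:
        if not part:
            # Leading, trailing or doubled separator, or an empty string.
            raise ResolutionOrderError("empty domain name in %r" % raw)
        if any(ch.isspace() for ch in part):
            raise ResolutionOrderError("whitespace in domain name %r" % part)
    return [part.lower() for part in parts]


def validate_resolution_order(raw: Optional[str], ipa_domain: str,
                              trusted_domains: Dict[str, bool],
                              sep: str = SEPARATOR) -> Optional[List[str]]:
    """Apply the rule from the design page: every listed domain is either the
    IPA domain or a trusted domain that is not marked as disabled."""
    order = parse_resolution_order(raw, sep)
    if order is None:
        return None
    ipa = ipa_domain.lower()
    trusted = {name.lower(): enabled for name, enabled in trusted_domains.items()}
    problems = []
    for domain in order:
        if domain == ipa:
            continue
        if domain not in trusted:
            problems.append("%s: not the IPA domain or a trusted domain" % domain)
        elif not trusted[domain]:
            problems.append("%s: trusted domain is disabled" % domain)
    if problems:
        # Report every bad entry at once so the admin can fix the whole list.
        raise ResolutionOrderError("; ".join(problems))
    return order


def expand_short_name(user: str,
                      order: Optional[List[str]]) -> Optional[List[str]]:
    """Candidate fully-qualified names for a short name, in lookup order.

    None means "no order configured": the caller falls back to whatever the
    client did before. An empty list means no domain is tried at all.
    """
    if order is None:
        return None
    return ["%s@%s" % (user, domain) for domain in order]


if __name__ == "__main__":
    for value in (None, ":", "AD.Example.com:ipa.test",
                  "ipa.test:legacy.example.com", "ipa.test::ad.example.com"):
        try:
            order = validate_resolution_order(value, SAMPLE_IPA_DOMAIN,
                                              SAMPLE_TRUSTED)
            print(repr(value), "->", order, expand_short_name("alice", order))
        except ResolutionOrderError as exc:
            print(repr(value), "rejected:", exc)
```
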
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Wed, 01 Mar 2017 15:32:35 +0100
Subject: [Freeipa-devel] [freeipa PR#526][comment] server install: properly handle PKINIT-related options
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/526
Title: #526: server install: properly handle PKINIT-related options

HonzaCholasta commented:
"""
The local CA is in fact not used in CA-less upgrade. This is what you get after upgrade from 4.4.3 to current master:
```
# getcert list
Number of certificates and requests being tracked: 1.
Request ID '20170301142723':
    status: CA_UNREACHABLE
    ca-error: Server at https://vm-226.abc.idm.lab.eng.brq.redhat.com/ipa/xml failed request, will retry: 4001 (RPC failed at server. CA is not configured).
    stuck: no
    key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
    certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
    CA: IPA
    issuer:
    subject:
    expires: unknown
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
# ls /var/kerberos/krb5kdc/kdc.crt
ls: cannot access '/var/kerberos/krb5kdc/kdc.crt': No such file or directory
```

Additionally, there is no mention of using the local CA to issue the cert in CA-less in any of the following designs:
* http://www.freeipa.org/page/V4/External_Authentication
* http://www.freeipa.org/page/V4/Kerberos_PKINIT

In other words, using the local CA is something a) not designed properly b) not implemented at all.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/526#issuecomment-283355431

From simo at redhat.com Wed Mar 1 14:42:07 2017
From: simo at redhat.com (Simo Sorce) Date: Wed, 01 Mar 2017 09:42:07 -0500 Subject: [Freeipa-devel] Please review: V4/AD user short names design draft In-Reply-To: <92623f03-bb8c-9931-ff54-3024bdb3077d@redhat.com> References: <92623f03-bb8c-9931-ff54-3024bdb3077d@redhat.com> Message-ID: <1488379327.10234.17.camel@redhat.com> On Tue, 2017-02-28 at 13:29 +0100, Martin Babinsky wrote: > Hello list, > > I have put together a draft of design page describing server-side > implementation of user short name -> fully-qualified name resolution.[1] > > In the end I have taken the liberty to change a few aspects of the > design we have agreed on before and I will be grad if we can discuss > them further. > > Me and Honza have discussed the object that should hold the domain > resolution order and given the fact that IPA domain can also be a part > of this list, we have decided that this information is no longer bound > to trust configuration and should be a part of the global config instead. > > Also we have purposefully cut down the API only to a raw manipulation of > the attribute using an option of `ipa config-mod`. The reasons for this > are twofold: > > * the developer resources are quite scarce and it may be good to > follow YAGNI[2] principle to implement the dumbest API now and not to > invest into more high-level interface unless there is a demand for it > > * we can imagine that the manipulation of the domain resolution order > is a rare operation (ideally only once all trusts are established), so I > am not convinced that it is worth investing into designing higher-level API > > I propose we first develop the "dumber" parts first to unblock the SSSD > part. If we have spare cycle afterwards then we can design and implement > more bells-and-whistles afterwards. > > [1] https://www.freeipa.org/page/V4/AD_User_Short_Names > [2] https://en.wikipedia.org/wiki/You_aren%27t_gonna_need_it Thank you Martin, this is a good initial proposal. 

I have a few issues with this design:
- It conflates the idea of ordering with the idea of shortening user
names
- It allows only for one setting for all the machines, no way to treat
different groups of machines differently

The first one is probably just a matter of using a more specific name
for the new attribute, or, perhaps not use a new attribute at all but
just use ipaConfigString with an agreed syntax like:
ipaConfigString: Domains Use Short Name List: aaa bbb ccc ddd

The side effect of using ipaConfigString is that we can set this on
older servers too, so people do not have to upgrade their servers to use
this. Old servers will not have any validation, but that is ok, sssd
must be prepared to receive a bad list and deal with it appropriately
anyway.

The second one is something we *may* address later, and use the setting
in cn=ipaConfig as a default, but there are two reasons why I think a
setting applicable to just a host group makes sense:
- it allows to test the setting on a small set of machines to see if
everything works right, this is going to be especially important on
existing setups, where people do not want to risk all machines
misbehaving at once if something goes wrong.
- it allows to migrate machines slowly, in some cases people may need to
change local files/application settings on machines if the usernames
change, so they may need a controlled roll out before changing a setting
globally.

This may be achieved by adding this setting to an ID View for example, then
only hosts in that IDView would get this. Or a new object could be
created that has members, the former has the advantage of being already
in place and SSSD already downloads that data, the latter allows to
target an even smaller set of hosts unrelated to previous ID views
settings.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From pvoborni at redhat.com Wed Mar 1 14:43:42 2017
From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 1 Mar 2017 15:43:42 +0100 Subject: [Freeipa-devel] Migration of FreeIPA issue tracker - Trac and git repo to pagure.io In-Reply-To: <02a8b922-498d-dcdc-d946-66f57966c4eb@redhat.com> References: <02a8b922-498d-dcdc-d946-66f57966c4eb@redhat.com> Message-ID: On 02/28/2017 12:03 PM, Petr Vobornik wrote: > On 02/28/2017 12:00 PM, Petr Vobornik wrote: >> On 02/27/2017 12:46 PM, Petr Vobornik wrote: >>> Hello list, >>> >>> today and tomorrow a migration of FreeIPA issue tracker[1] and git repo >>> will take place. >>> >>> It is due to FedoraHosted sunset [2]. Both will be migrated to pagure.io >>> [3]. >>> >>> During this migration it won't be possible to add new tickets and >>> comments to Trac or Pagure. >>> >>> [1] https://fedorahosted.org/freeipa/ >>> [2] >>> https://communityblog.fedoraproject.org/fedorahosted-sunset-2017-02-28/ >>> [3] https://pagure.io/ >>> >>> Thank you for understanding, >> >> Issue tracker and git repo were migrated. They can be used now. >> >> https://pagure.io/freeipa >> >> Additional steps will follow >> - redirection of old URLs to new >> - sync with github >> > > Also we need to setup rights for the repo. > > I've created group 'freeipa'. My proposal is to add all people who had > git commit rights to the group. Set the group to have 'commit' right on > 'freeipa' pagure project.> > Former admins can be added as admins to the project directly. I made everybody with former commit rights admins for now. The reason is that there is a bug that committer doesn't have right to change milestone and edit custom fields. https://pagure.io/pagure/issue/2018 https://pagure.io/pagure/issue/2008 > > Martin2 is working on setting up sync with Git Hub: > - https://pagure.io/fedora-infrastructure/issue/5844 > -- Petr Vobornik Associate Manager, Engineering, Identity Management Red Hat, Inc. From freeipa-github-notification at redhat.com Wed Mar 1 14:46:45 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 01 Mar 2017 15:46:45 +0100 Subject: [Freeipa-devel] [freeipa PR#528][opened] Fix CA-less upgrade Message-ID: URL: https://github.com/freeipa/freeipa/pull/528 Author: stlaz Title: #528: Fix CA-less upgrade Action: opened PR body: """ In CA-less mode there's no /etc/pki/pki-tomcat/password.conf so it does not make sense to try to create a password file for an NSS database from it (the NSS database does not exist either). https://fedorahosted.org/freeipa/ticket/5695 Thanks @HonzaCholasta for discovering this. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/528/head:pr528 git checkout pr528 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-528.patch Type: text/x-diff Size: 1137 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 1 14:50:09 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 01 Mar 2017 15:50:09 +0100 Subject: [Freeipa-devel] [freeipa PR#479][+ack] Merge AD trust installer into composite ones In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/479 Title: #479: Merge AD trust installer into composite ones Label: +ack From freeipa-github-notification at redhat.com Wed Mar 1 14:56:30 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 01 Mar 2017 15:56:30 +0100 Subject: [Freeipa-devel] [freeipa PR#479][comment] Merge AD trust installer into composite ones In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/479 Title: #479: Merge AD trust installer into composite ones MartinBasti commented: """ master: * 4ba6b968399204aac66d82d917a8cc159e77ad4d Refactor the code checking for missing SIDs * c5bae577597fbababdd25ab3ae6463c490d90a40 only check for netbios name when LDAP backend is connected * 9348cfa996ce450bc88a4b35ee3f3bf52adfff39 Refactor the code searching and presenting missing trust agents * c17215ea3db58c7a5fe6e30b6b38f4f3012e25d2 adtrust.py: Use logging to emit error messages * ef37c42ab9d3530dc78fa4b754cd11c585b69d77 print the installation info only in standalone mode * 289060dd98a3ed8e2a916ed25eaa1824c795e842 check for installed dependencies when *not* in standalone mode * 77857ea77662e005b1a23039e2f9173c0a9b080b Add AD trust installer interface for composite installer * 13b5821fa4d32b5a1cc69a97386853fad44236ec expose AD trust related knobs in composite installers * aa353c5f21bf040579a4aeda6840b56ae93b4309 Merge AD trust configurator into server installer * eee319dba12a6ab7daa06ca0d7d8ac8fc754f961 Merge AD trust configurator into replica installer * f62f0b74855beff8db1ad6a24bf76fa66c3c4771 Fix erroneous short name options in ipa-adtrust-install man page * 23cebe1356bbf84ddfde2a622a795061c4924edf Update server/replica installer man pages * 612ea7f66e102c57c2b213eff99ad8f1c91e59a5 Provide basic integration tests for built-in AD trust installer """ See the full comment at https://github.com/freeipa/freeipa/pull/479#issuecomment-283362181 From freeipa-github-notification at redhat.com Wed Mar 1 14:56:31 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 01 Mar 2017 15:56:31 +0100 Subject: [Freeipa-devel] [freeipa PR#479][+pushed] Merge AD trust installer into composite ones In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/479 Title: #479: Merge AD trust installer into composite ones Label: +pushed From freeipa-github-notification at redhat.com Wed Mar 1 14:56:32 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 01 Mar 2017 15:56:32 +0100 Subject: [Freeipa-devel] [freeipa PR#479][closed] Merge AD trust installer into composite ones In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/479 Author: martbab Title: #479: Merge AD trust installer into composite ones Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/479/head:pr479 git checkout pr479 From freeipa-github-notification at redhat.com Wed Mar 1 14:59:58 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 01 Mar 2017 15:59:58 +0100 Subject: [Freeipa-devel] [freeipa PR#524][comment] Remove NSPRError exception from platform tasks In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/524 Title: #524: Remove NSPRError exception from platform tasks MartinBasti commented: """ master: * 88fd936a761dfce099c4b03529d679256c9860d6 Remove NSPRError exception from platform tasks """ See the full comment at https://github.com/freeipa/freeipa/pull/524#issuecomment-283363193 From freeipa-github-notification at redhat.com Wed Mar 1 15:00:00 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 01 Mar 2017 16:00:00 +0100 Subject: [Freeipa-devel] [freeipa PR#524][+pushed] Remove NSPRError exception from platform tasks In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/524 Title: #524: Remove NSPRError exception from platform tasks Label: +pushed From freeipa-github-notification at redhat.com Wed Mar 1 15:00:01 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 01 Mar 2017 16:00:01 +0100 Subject: [Freeipa-devel] [freeipa PR#524][closed] Remove NSPRError exception from platform tasks In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/524 Author: tiran Title: #524: Remove NSPRError exception from platform tasks Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/524/head:pr524 git checkout pr524 From mbabinsk at redhat.com Wed Mar 1 15:17:13 2017 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Wed, 1 Mar 2017 16:17:13 +0100 Subject: [Freeipa-devel] Please review: V4/AD user short names design draft In-Reply-To: <1488379327.10234.17.camel@redhat.com> References: <92623f03-bb8c-9931-ff54-3024bdb3077d@redhat.com> <1488379327.10234.17.camel@redhat.com> Message-ID: On 03/01/2017 03:42 PM, Simo Sorce wrote: > On Tue, 2017-02-28 at 13:29 +0100, Martin Babinsky wrote: >> Hello list, >> >> I have put together a draft of design page describing server-side >> implementation of user short name -> fully-qualified name resolution.[1] >> >> In the end I have taken the liberty to change a few aspects of the >> design we have agreed on before and I will be grad if we can discuss >> them further. >> >> Me and Honza have discussed the object that should hold the domain >> resolution order and given the fact that IPA domain can also be a part >> of this list, we have decided that this information is no longer bound >> to trust configuration and should be a part of the global config instead. >> >> Also we have purposefully cut down the API only to a raw manipulation of >> the attribute using an option of `ipa config-mod`. The reasons for this >> are twofold: >> >> * the developer resources are quite scarce and it may be good to >> follow YAGNI[2] principle to implement the dumbest API now and not to >> invest into more high-level interface unless there is a demand for it >> >> * we can imagine that the manipulation of the domain resolution order >> is a rare operation (ideally only once all trusts are established), so I >> am not convinced that it is worth investing into designing higher-level API >> >> I propose we first develop the "dumber" parts first to unblock the SSSD >> part. If we have spare cycle afterwards then we can design and implement >> more bells-and-whistles afterwards. 
>>
>> [1] https://www.freeipa.org/page/V4/AD_User_Short_Names
>> [2] https://en.wikipedia.org/wiki/You_aren%27t_gonna_need_it
>
> Thank you Martin,
> this is a good initial proposal.
>
> I have a few issues with this design:
> - It conflates the idea of ordering with the idea of shortening user
> names

I fail to see where the conflation takes place. The ordered list is
stored on the server. The client then uses it to expand short names. I
guess I am just missing something.

> - It allows only for one setting for all the machines, no way to treat
> different groups of machines differently
>

Yes it was discussed that the setting will be global. I would implement
local overrides only when there is a demand for the feature given
development time is short.

> The first one is probably just a matter of using a more specific name
> for the new attribute, or, perhaps not use a new attribute at all but
> just use ipaConfigString with an agreed syntax like:
> ipaConfigString: Domains Use Short Name List: aaa bbb ccc ddd
>
> The side effect of using ipaConfigString is that we can set this on
> older servers too, so people do not have to upgrade their servers to use
> this. Old servers will not have any validation, but that is ok, sssd
> must be prepared to receive a bad list and deal with it appropriately
> anyway.
>

No more 'ipaConfigString' attribute values, please. Me and everyone else
fixing e.g. replication issues can relate to the pain of doing CRUD
operations involving them.

If the admin wishes old servers to serve new clients this information,
all he has to do is upgrade a single replica, set the attribute value
there and let replication take care of the rest. Yes, the management CLI
will not be available on the old masters but that is the case of new
features anyway.
> > The second one is something we *may* address later, and use the setting > in cn=ipaConfig as a default, but there are two reasons why I think a > setting applicable to just a host group makes sense: > - it allows to test the setting on a small set of machines to see if > everything works right, this is going to be especially important on > existing setups, where people do not want to risk all machines > misbehaving at once if something goes wrong. > - it allows to migrate machines slowly, in some cases people may need to > change local files/application settings on machines if the usernames > change, so they may need a controlled roll out before changing a setting > globally. > > This may achieved by adding this setting to an ID View for example, then > only hosts in that IDView would get this. Or a new object could be > created that has members, the former has the advantage of being already > in place and SSSD already downloads that data, the latter allows to > target an even smaller set of hosts unrelated to previous ID views > settings. > > Simo. > That is an interesting proposal but I am afraid we may not get to implement that during 4.5 development. I can certainly mention the possibility in the design so that we can return to it when a need arises. -- Martin^3 Babinsky From freeipa-github-notification at redhat.com Wed Mar 1 15:31:40 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 01 Mar 2017 16:31:40 +0100 Subject: [Freeipa-devel] [freeipa PR#528][+ack] Fix CA-less upgrade In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/528 Title: #528: Fix CA-less upgrade Label: +ack From simo at redhat.com Wed Mar 1 15:32:21 2017 
From: simo at redhat.com (Simo Sorce) Date: Wed, 01 Mar 2017 10:32:21 -0500 Subject: [Freeipa-devel] Please review: V4/AD user short names design draft In-Reply-To: References: <92623f03-bb8c-9931-ff54-3024bdb3077d@redhat.com> <1488379327.10234.17.camel@redhat.com> Message-ID: <1488382341.10234.26.camel@redhat.com> On Wed, 2017-03-01 at 16:17 +0100, Martin Babinsky wrote: > On 03/01/2017 03:42 PM, Simo Sorce wrote: > > On Tue, 2017-02-28 at 13:29 +0100, Martin Babinsky wrote: > >> Hello list, > >> > >> I have put together a draft of design page describing server-side > >> implementation of user short name -> fully-qualified name resolution.[1] > >> > >> In the end I have taken the liberty to change a few aspects of the > >> design we have agreed on before and I will be grad if we can discuss > >> them further. > >> > >> Me and Honza have discussed the object that should hold the domain > >> resolution order and given the fact that IPA domain can also be a part > >> of this list, we have decided that this information is no longer bound > >> to trust configuration and should be a part of the global config instead. > >> > >> Also we have purposefully cut down the API only to a raw manipulation of > >> the attribute using an option of `ipa config-mod`. The reasons for this > >> are twofold: > >> > >> * the developer resources are quite scarce and it may be good to > >> follow YAGNI[2] principle to implement the dumbest API now and not to > >> invest into more high-level interface unless there is a demand for it > >> > >> * we can imagine that the manipulation of the domain resolution order > >> is a rare operation (ideally only once all trusts are established), so I > >> am not convinced that it is worth investing into designing higher-level API > >> > >> I propose we first develop the "dumber" parts first to unblock the SSSD > >> part. If we have spare cycle afterwards then we can design and implement > >> more bells-and-whistles afterwards. 
> >>
> >> [1] https://www.freeipa.org/page/V4/AD_User_Short_Names
> >> [2] https://en.wikipedia.org/wiki/You_aren%27t_gonna_need_it
> >
> > Thank you Martin,
> > this is a good initial proposal.
> >
> > I have a few issues with this design:
> > - It conflates the idea of ordering with the idea of shortening user
> > names
>
> I fail to see where the conflation takes place. The ordered list is
> stored on the server. The client then uses it to expand short names. I
> guess I am just missing something.

The attribute is called ipaNTDomainResolutionOrder, nothing in that
attribute says anything about making names become short names.
If it were ipaNTShortNameDomainResolutionOrder then it would be
specific, as it is it seems just to refer to the order in which domains
are resolved, but that is something we want in order to determine which
domains SSSD is going to make use short names too, not just the order in
which domains are resolved.
I hope this makes it clearer.

> > - It allows only for one setting for all the machines, no way to treat
> > different groups of machines differently
> >
>
> Yes it was discussed that the setting will be global. I would implement
> local overrides only when there is a demand for the feature given
> development time is short.

Demand is immediate, and it is obvious IMO.

> > The first one is probably just a matter of using a more specific name
> > for the new attribute, or, perhaps not use a new attribute at all but
> > just use ipaConfigString with an agreed syntax like:
> > ipaConfigString: Domains Use Short Name List: aaa bbb ccc ddd
> >
> > The side effect of using ipaConfigString is that we can set this on
> > older servers too, so people do not have to upgrade their servers to use
> > this. Old servers will not have any validation, but that is ok, sssd
> > must be prepared to receive a bad list and deal with it appropriately
> > anyway.
> >
>
> No more 'ipaConfigString' attribute values, please. Me and everyone else
> fixing e.g.
replication issues can relate to the pain of doing CRUD > operations involving them. ipaConfigString was devised explicitly so that configuration options could be added without replication issues because the string can be accepted by any server version. So what replication issues are there ? What has CRUD to do with it ? > If the admin wishes old servers to server new clients this information, They do not "wish", this is pretty much what happens all the time ... > all he has to do is upgrade a single replica, set the attribute value > there and let replication take care of the rest. Come on, really ? If you have RHEL6 it is not a matter of "simply" upgrading a single replica, it means upgrade of the whole infrastructure ... > Yes, the management CLI > will not be available on the old masters but that is the case of new > features anyway. I do not think we need any management UI in the short term to be honest, just a way to set a string. That will cut most development time that can be spent instead on dealing with allowing smaller groups of machines to be affected instead. > > The second one is something we *may* address later, and use the setting > > in cn=ipaConfig as a default, but there are two reasons why I think a > > setting applicable to just a host group makes sense: > > - it allows to test the setting on a small set of machines to see if > > everything works right, this is going to be especially important on > > existing setups, where people do not want to risk all machines > > misbehaving at once if something goes wrong. > > - it allows to migrate machines slowly, in some cases people may need to > > change local files/application settings on machines if the usernames > > change, so they may need a controlled roll out before changing a setting > > globally. > > > > This may achieved by adding this setting to an ID View for example, then > > only hosts in that IDView would get this. 
Or a new object could be
> > created that has members, the former has the advantage of being already
> > in place and SSSD already downloads that data, the latter allows to
> > target an even smaller set of hosts unrelated to previous ID views
> > settings.
> >
> > Simo.
> >
>
> That is an interesting proposal but I am afraid we may not get to
> implement that during 4.5 development. I can certainly mention the
> possibility in the design so that we can return to it when a need arises.

My take is: cut API/UI work, and do the underlying infrastructure work
for the widest set of servers/clients possible instead. It is much more
important to get the underlying gears done than to add UI candy, that
can be delayed.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From freeipa-github-notification at redhat.com Wed Mar 1 15:32:46 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Wed, 01 Mar 2017 16:32:46 +0100
Subject: [Freeipa-devel] [freeipa PR#528][+pushed] Fix CA-less upgrade
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/528
Title: #528: Fix CA-less upgrade

Label: +pushed

From freeipa-github-notification at redhat.com Wed Mar 1 15:32:48 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Wed, 01 Mar 2017 16:32:48 +0100
Subject: [Freeipa-devel] [freeipa PR#528][comment] Fix CA-less upgrade
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/528
Title: #528: Fix CA-less upgrade

HonzaCholasta commented:
"""
master:

* a7c8077ce8f72eee26e8f5d4362239313ffdae3d Fix CA-less upgrade
"""

See the full comment at https://github.com/freeipa/freeipa/pull/528#issuecomment-283373128

From freeipa-github-notification at redhat.com Wed Mar 1 15:32:49 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 01 Mar 2017 16:32:49 +0100 Subject: [Freeipa-devel] [freeipa PR#528][closed] Fix CA-less upgrade In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/528 Author: stlaz Title: #528: Fix CA-less upgrade Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/528/head:pr528 git checkout pr528 From freeipa-github-notification at redhat.com Wed Mar 1 15:40:45 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 01 Mar 2017 16:40:45 +0100 Subject: [Freeipa-devel] [freeipa PR#526][synchronized] server install: properly handle PKINIT-related options In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/526 Author: HonzaCholasta Title: #526: server install: properly handle PKINIT-related options Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/526/head:pr526 git checkout pr526 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-526.patch Type: text/x-diff Size: 5839 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 1 15:42:23 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 01 Mar 2017 16:42:23 +0100 Subject: [Freeipa-devel] [freeipa PR#526][edited] server install: properly handle PKINIT-related options In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/526 Author: HonzaCholasta Title: #526: server install: properly handle PKINIT-related options Action: edited Changed field: body Original value: """ Do not ignore --no-pkinit. If --http-cert-file or --dirsrv-cert-file is specified, require that either --pkinit-cert-file or --no-pkinit is specified as well. This prevents the PKINIT cert from being requested via certmonger in CA-less install. https://pagure.io/freeipa/issue/5678 """ From freeipa-github-notification at redhat.com Wed Mar 1 15:42:32 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 01 Mar 2017 16:42:32 +0100 Subject: [Freeipa-devel] [freeipa PR#526][edited] server install: properly handle PKINIT-related options In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/526 Author: HonzaCholasta Title: #526: server install: properly handle PKINIT-related options Action: edited Changed field: title Original value: """ server install: properly handle PKINIT-related options """ From freeipa-github-notification at redhat.com Wed Mar 1 15:46:54 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Wed, 01 Mar 2017 16:46:54 +0100
Subject: [Freeipa-devel] [freeipa PR#526][comment] server install: do not attempt to issue PKINIT cert in CA-less
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/526
Title: #526: server install: do not attempt to issue PKINIT cert in CA-less

HonzaCholasta commented:
"""
Updated the PR to also handle CA-less server upgrade.

@abbra, I'm not opposed to the idea of using the local CA to issue the KDC cert, but if we agree to use it, we should use it in both CA-less and CA-ful - if the CA does not need to be trusted as you say, using the IPA CA in CA-ful is meaningless and only adds unnecessary complexity.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/526#issuecomment-283377523

From mbabinsk at redhat.com Wed Mar 1 15:47:15 2017
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Wed, 1 Mar 2017 16:47:15 +0100
Subject: [Freeipa-devel] Please review: V4/AD user short names design draft
In-Reply-To: <1488382341.10234.26.camel@redhat.com>
References: <92623f03-bb8c-9931-ff54-3024bdb3077d@redhat.com> <1488379327.10234.17.camel@redhat.com> <1488382341.10234.26.camel@redhat.com>
Message-ID:

On 03/01/2017 04:32 PM, Simo Sorce wrote:
> On Wed, 2017-03-01 at 16:17 +0100, Martin Babinsky wrote:
>> On 03/01/2017 03:42 PM, Simo Sorce wrote:
>>> On Tue, 2017-02-28 at 13:29 +0100, Martin Babinsky wrote:
>>>> Hello list,
>>>>
>>>> I have put together a draft of design page describing server-side
>>>> implementation of user short name -> fully-qualified name resolution.[1]
>>>>
>>>> In the end I have taken the liberty to change a few aspects of the
>>>> design we have agreed on before and I will be glad if we can discuss
>>>> them further.
>>>>
>>>> Me and Honza have discussed the object that should hold the domain
>>>> resolution order and given the fact that IPA domain can also be a part
>>>> of this list, we have decided that this information is no longer bound
>>>> to trust configuration and should be a part of the global config instead.
>>>>
>>>> Also we have purposefully cut down the API only to a raw manipulation of
>>>> the attribute using an option of `ipa config-mod`. The reasons for this
>>>> are twofold:
>>>>
>>>> * the developer resources are quite scarce and it may be good to
>>>> follow YAGNI[2] principle to implement the dumbest API now and not to
>>>> invest into more high-level interface unless there is a demand for it
>>>>
>>>> * we can imagine that the manipulation of the domain resolution order
>>>> is a rare operation (ideally only once all trusts are established), so I
>>>> am not convinced that it is worth investing into designing higher-level API
>>>>
>>>> I propose we first develop the "dumber" parts first to unblock the SSSD
>>>> part.
>>>> If we have spare cycle afterwards then we can design and implement
>>>> more bells-and-whistles afterwards.
>>>>
>>>> [1] https://www.freeipa.org/page/V4/AD_User_Short_Names
>>>> [2] https://en.wikipedia.org/wiki/You_aren%27t_gonna_need_it
>>>
>>> Thank you Martin,
>>> this is a good initial proposal.
>>>
>>> I have a few issues with this design:
>>> - It conflates the idea of ordering with the idea of shortening user
>>> names
>>
>> I fail to see where the conflation takes place. The ordered list is
>> stored on the server. The client then uses it to expand short names. I
>> guess I am just missing something.
>
> The attribute is called ipaNTDomainResolutionOrder, nothing in that
> attribute says anything about making names become short names.
> If it were ipaNTShortNameDomainResolutionOrder then it would be
> specific, as it is it seems just to refer to the order in which domains
> are resolved, but that is something we want in order to determine which
> domains SSSD is going to make use short names too, not just the order in
> which domains are resolved.
> I hope this makes it clearer.
>
>>> - It allows only for one setting for all the machines, no way to treat
>>> different groups of machines differently
>>>
>>
>> Yes it was discussed that the setting will be global. I would implement
>> local overrides only when there is a demand for the feature given
>> development time is short.
>
> Demand is immediate, and it is obvious IMO.
>

Such demand was not made clear during previous discussions and was not
mentioned by SSSD guys either AFAIK.

>>> The first one is probably just a matter of using a more specific name
>>> for the new attribute, or, perhaps not use a new attribute at all but
>>> just use ipaConfigString with an agreed syntax like:
>>> ipaConfigString: Domains Use Short Name List: aaa bbb ccc ddd
>>>
>>> The side effect of using ipaConfigString is that we can set this on
>>> older servers too, so people do not have to upgrade their servers to use
>>> this.
>>> Old servers will not have any validation, but that is ok, sssd
>>> must be prepared to receive a bad list and deal with it appropriately
>>> anyway.
>>>
>>
>> No more 'ipaConfigString' attribute values, please. Me and everyone else
>> fixing e.g. replication issues can relate to the pain of doing CRUD
>> operations involving them.
>
> ipaConfigString was devised explicitly so that configuration options
> could be added without replication issues because the string can be
> accepted by any server version.
> So what replication issues are there ?
> What has CRUD to do with it ?
>

Well consider client doing a) retrieve ipaDomainResolutionOrder and
split it by delimiter, or b) retrieve values of ipaConfigString, iterate
until you find one that starts with "Domains Use Short Name list:",
strip off the rest of the value and split it by delimiter.

I just feel anything involving 'ipaConfigString' leads to design smell,
sorry. Yes it is my personal opinion but I think there are more people
sharing it. If not, I am happy to hear counterarguments.

>> If the admin wishes old servers to serve new clients this information,
>
> They do not "wish", this is pretty much what happens all the time ...
>
>> all he has to do is upgrade a single replica, set the attribute value
>> there and let replication take care of the rest.
>
> Come on, really ?
> If you have RHEL6 it is not a matter of "simply" upgrading a single
> replica, it means upgrade of the whole infrastructure ...
>

There is plenty of features not available to deployments with RHEL6
masters, I simply fail to see why this one should be special.

>> Yes, the management CLI
>> will not be available on the old masters but that is the case of new
>> features anyway.
>
> I do not think we need any management UI in the short term to be honest,
> just a way to set a string.
> That will cut most development time that can be spent instead on dealing
> with allowing smaller groups of machines to be affected instead.
>
>>> The second one is something we *may* address later, and use the setting
>>> in cn=ipaConfig as a default, but there are two reasons why I think a
>>> setting applicable to just a host group makes sense:
>>> - it allows to test the setting on a small set of machines to see if
>>> everything works right, this is going to be especially important on
>>> existing setups, where people do not want to risk all machines
>>> misbehaving at once if something goes wrong.
>>> - it allows to migrate machines slowly, in some cases people may need to
>>> change local files/application settings on machines if the usernames
>>> change, so they may need a controlled roll out before changing a setting
>>> globally.
>>>
>>> This may be achieved by adding this setting to an ID View for example, then
>>> only hosts in that IDView would get this. Or a new object could be
>>> created that has members, the former has the advantage of being already
>>> in place and SSSD already downloads that data, the latter allows to
>>> target an even smaller set of hosts unrelated to previous ID views
>>> settings.
>>>
>>> Simo.
>>>
>>
>> That is an interesting proposal but I am afraid we may not get to
>> implement that during 4.5 development. I can certainly mention the
>> possibility in the design so that we can return to it when a need arises.
>
> My take is: cut API/UI work, and do the underlying infrastructure work
> for the widest set of servers/clients possible instead.
>
> It is much more important to get the underlying gears done than to add
> UI candy, that can be delayed.
>
> Simo.
>

I agree, we just have to come to agreement of *which* gears are really
necessary.

-- 
Martin^3 Babinsky

From simo at redhat.com Wed Mar 1 16:04:52 2017
From: simo at redhat.com (Simo Sorce)
Date: Wed, 01 Mar 2017 11:04:52 -0500
Subject: [Freeipa-devel] Please review: V4/AD user short names design draft
In-Reply-To:
References: <92623f03-bb8c-9931-ff54-3024bdb3077d@redhat.com> <1488379327.10234.17.camel@redhat.com> <1488382341.10234.26.camel@redhat.com>
Message-ID: <1488384292.10234.35.camel@redhat.com>

On Wed, 2017-03-01 at 16:47 +0100, Martin Babinsky wrote:
> On 03/01/2017 04:32 PM, Simo Sorce wrote:
> > On Wed, 2017-03-01 at 16:17 +0100, Martin Babinsky wrote:
> >> On 03/01/2017 03:42 PM, Simo Sorce wrote:
> >>> On Tue, 2017-02-28 at 13:29 +0100, Martin Babinsky wrote:
> >>>> Hello list,
> >>>>
> >>>> I have put together a draft of design page describing server-side
> >>>> implementation of user short name -> fully-qualified name resolution.[1]
> >>>>
> >>>> In the end I have taken the liberty to change a few aspects of the
> >>>> design we have agreed on before and I will be glad if we can discuss
> >>>> them further.
> >>>>
> >>>> Me and Honza have discussed the object that should hold the domain
> >>>> resolution order and given the fact that IPA domain can also be a part
> >>>> of this list, we have decided that this information is no longer bound
> >>>> to trust configuration and should be a part of the global config instead.
> >>>>
> >>>> Also we have purposefully cut down the API only to a raw manipulation of
> >>>> the attribute using an option of `ipa config-mod`.
> >>>> The reasons for this
> >>>> are twofold:
> >>>>
> >>>> * the developer resources are quite scarce and it may be good to
> >>>> follow YAGNI[2] principle to implement the dumbest API now and not to
> >>>> invest into more high-level interface unless there is a demand for it
> >>>>
> >>>> * we can imagine that the manipulation of the domain resolution order
> >>>> is a rare operation (ideally only once all trusts are established), so I
> >>>> am not convinced that it is worth investing into designing higher-level API
> >>>>
> >>>> I propose we first develop the "dumber" parts first to unblock the SSSD
> >>>> part. If we have spare cycle afterwards then we can design and implement
> >>>> more bells-and-whistles afterwards.
> >>>>
> >>>> [1] https://www.freeipa.org/page/V4/AD_User_Short_Names
> >>>> [2] https://en.wikipedia.org/wiki/You_aren%27t_gonna_need_it
> >>>
> >>> Thank you Martin,
> >>> this is a good initial proposal.
> >>>
> >>> I have a few issues with this design:
> >>> - It conflates the idea of ordering with the idea of shortening user
> >>> names
> >>
> >> I fail to see where the conflation takes place. The ordered list is
> >> stored on the server. The client then uses it to expand short names. I
> >> guess I am just missing something.
> >
> > The attribute is called ipaNTDomainResolutionOrder, nothing in that
> > attribute says anything about making names become short names.
> > If it were ipaNTShortNameDomainResolutionOrder then it would be
> > specific, as it is it seems just to refer to the order in which domains
> > are resolved, but that is something we want in order to determine which
> > domains SSSD is going to make use short names too, not just the order in
> > which domains are resolved.
> > I hope this makes it clearer.
> >
> >>> - It allows only for one setting for all the machines, no way to treat
> >>> different groups of machines differently
> >>>
> >>
> >> Yes it was discussed that the setting will be global.
> >> I would implement
> >> local overrides only when there is a demand for the feature given
> >> development time is short.
> >
> > Demand is immediate, and it is obvious IMO.
> >
>
> Such demand was not made clear during previous discussions and was not
> mentioned by SSSD guys either AFAIK.

I guess this is why we do reviews :-)

> >>> The first one is probably just a matter of using a more specific name
> >>> for the new attribute, or, perhaps not use a new attribute at all but
> >>> just use ipaConfigString with an agreed syntax like:
> >>> ipaConfigString: Domains Use Short Name List: aaa bbb ccc ddd
> >>>
> >>> The side effect of using ipaConfigString is that we can set this on
> >>> older servers too, so people do not have to upgrade their servers to use
> >>> this. Old servers will not have any validation, but that is ok, sssd
> >>> must be prepared to receive a bad list and deal with it appropriately
> >>> anyway.
> >>>
> >>
> >> No more 'ipaConfigString' attribute values, please. Me and everyone else
> >> fixing e.g. replication issues can relate to the pain of doing CRUD
> >> operations involving them.
> >
> > ipaConfigString was devised explicitly so that configuration options
> > could be added without replication issues because the string can be
> > accepted by any server version.
> > So what replication issues are there ?
> > What has CRUD to do with it ?
> >
>
> Well consider client doing a) retrieve ipaDomainResolutionOrder and
> split it by delimiter, or b) retrieve values of ipaConfigString, iterate
> until you find one that starts with "Domains Use Short Name list:",
> strip off the rest of the value and split it by delimiter.

I do not see any problem with this.

> I just feel anything involving 'ipaConfigString' leads to design smell,
> sorry. Yes it is my personal opinion but I think there are more people
> sharing it. If not, I am happy to hear counterarguments.

I am asking why, can you bring some evidence ?
I am all about feelings, they are important, but I want data to make a
decision.

> >> If the admin wishes old servers to serve new clients this information,
> >
> > They do not "wish", this is pretty much what happens all the time ...
> >
> >> all he has to do is upgrade a single replica, set the attribute value
> >> there and let replication take care of the rest.
> >
> > Come on, really ?
> > If you have RHEL6 it is not a matter of "simply" upgrading a single
> > replica, it means upgrade of the whole infrastructure ...
> >
>
> There is plenty of features not available to deployments with RHEL6
> masters, I simply fail to see why this one should be special.

It is not that it is special, my problem with that statement is that you
assume that it is easy to upgrade servers. It is not, and decisions
based on that assumption end up being very bad decisions for our users.
So please do not ever assume that our users can "just upgrade one of
their replicas".

> >> Yes, the management CLI
> >> will not be available on the old masters but that is the case of new
> >> features anyway.
> >
> > I do not think we need any management UI in the short term to be honest,
> > just a way to set a string.
> > That will cut most development time that can be spent instead on dealing
> > with allowing smaller groups of machines to be affected instead.
> >
> >>> The second one is something we *may* address later, and use the setting
> >>> in cn=ipaConfig as a default, but there are two reasons why I think a
> >>> setting applicable to just a host group makes sense:
> >>> - it allows to test the setting on a small set of machines to see if
> >>> everything works right, this is going to be especially important on
> >>> existing setups, where people do not want to risk all machines
> >>> misbehaving at once if something goes wrong.
> >>> - it allows to migrate machines slowly, in some cases people may need to
> >>> change local files/application settings on machines if the usernames
> >>> change, so they may need a controlled roll out before changing a setting
> >>> globally.
> >>>
> >>> This may be achieved by adding this setting to an ID View for example, then
> >>> only hosts in that IDView would get this. Or a new object could be
> >>> created that has members, the former has the advantage of being already
> >>> in place and SSSD already downloads that data, the latter allows to
> >>> target an even smaller set of hosts unrelated to previous ID views
> >>> settings.
> >>>
> >>> Simo.
> >>>
> >>
> >> That is an interesting proposal but I am afraid we may not get to
> >> implement that during 4.5 development. I can certainly mention the
> >> possibility in the design so that we can return to it when a need arises.
> >
> > My take is: cut API/UI work, and do the underlying infrastructure work
> > for the widest set of servers/clients possible instead.
> >
> > It is much more important to get the underlying gears done than to add
> > UI candy, that can be delayed.
> >
> > Simo.
> >
>
> I agree, we just have to come to agreement of *which* gears are really
> necessary.

Indeed, but adding attributes to ipaConfig and the ID Views is not hard,
it is a matter of extending two objectclasses instead of one ... if we
decide that Id Views are a good abstraction point.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From freeipa-github-notification at redhat.com Wed Mar 1 16:23:58 2017
From: freeipa-github-notification at redhat.com (abbra)
Date: Wed, 01 Mar 2017 17:23:58 +0100
Subject: [Freeipa-devel] [freeipa PR#526][comment] server install: do not attempt to issue PKINIT cert in CA-less
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/526
Title: #526: server install: do not attempt to issue PKINIT cert in CA-less

abbra commented:
"""
ACK for the patch.

However, I'm not claiming that CA does not need to be trusted. What I'm
saying is that for Anonymous PKINIT's use in privilege separation code we
can issue certs using local CA because we can trust local CA on IPA
masters. They would be all different local CAs, of course, but this was
thought to be a stop-gap until admins can replace local certificates with
the proper ones some time after upgrade.

Privilege separation code now supports several ways to kinit and falls back
to a wrapping with HTTP/ipa.master credentials in case anonymous PKINIT is
not available.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/526#issuecomment-283389431

From freeipa-github-notification at redhat.com Wed Mar 1 16:24:09 2017
From: freeipa-github-notification at redhat.com (abbra)
Date: Wed, 01 Mar 2017 17:24:09 +0100
Subject: [Freeipa-devel] [freeipa PR#526][+ack] server install: do not attempt to issue PKINIT cert in CA-less
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/526
Title: #526: server install: do not attempt to issue PKINIT cert in CA-less

Label: +ack

From abokovoy at redhat.com Wed Mar 1 16:28:57 2017
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 1 Mar 2017 18:28:57 +0200
Subject: [Freeipa-devel] Please review: V4/AD user short names design draft
In-Reply-To: <1488384292.10234.35.camel@redhat.com>
References: <92623f03-bb8c-9931-ff54-3024bdb3077d@redhat.com> <1488379327.10234.17.camel@redhat.com> <1488382341.10234.26.camel@redhat.com> <1488384292.10234.35.camel@redhat.com>
Message-ID: <20170301162857.p5dfawm4co3q3oex@redhat.com>

On Wed, 01 Mar 2017, Simo Sorce wrote:
>> > My take is: cut API/UI work, and do the underlying infrastructure work
>> > for the widest set of servers/clients possible instead.
>> >
>> > It is much more important to get the underlying gears done than to add
>> > UI candy, that can be delayed.
>> >
>> > Simo.
>> >
>>
>> I agree, we just have to come to agreement of *which* gears are really
>> necessary.
>
>Indeed, but adding attributes to ipaConfig and the ID Views is not hard,
>it is a matter of extending two objectclasses instead of one ... if we
>decide that Id Views are a good abstraction point.

Adding the same attribute to ID View and to ipaConfig sounds logical to
me. Martin, if you want help with this, I can implement ID View-related
parts. SSSD does have code to retrieve ipaConfig already, and it also
has support for reading ID View associated with the host. The resulting
value wouldn't end up in the same place, though, but this is something
to handle on SSSD side.

-- 
/ Alexander Bokovoy

From mbasti at redhat.com Wed Mar 1 16:29:39 2017
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 1 Mar 2017 17:29:39 +0100
Subject: [Freeipa-devel] Please review: V4/AD user short names design draft
In-Reply-To: <1488384292.10234.35.camel@redhat.com>
References: <92623f03-bb8c-9931-ff54-3024bdb3077d@redhat.com> <1488379327.10234.17.camel@redhat.com> <1488382341.10234.26.camel@redhat.com> <1488384292.10234.35.camel@redhat.com>
Message-ID:

On 01.03.2017 17:04, Simo Sorce wrote:
> On Wed, 2017-03-01 at 16:47 +0100, Martin Babinsky wrote:
>> On 03/01/2017 04:32 PM, Simo Sorce wrote:
>>> On Wed, 2017-03-01 at 16:17 +0100, Martin Babinsky wrote:
>>>> On 03/01/2017 03:42 PM, Simo Sorce wrote:
>>>>> On Tue, 2017-02-28 at 13:29 +0100, Martin Babinsky wrote:
>>>>>> Hello list,
>>>>>>
>>>>>> I have put together a draft of design page describing server-side
>>>>>> implementation of user short name -> fully-qualified name resolution.[1]
>>>>>>
>>>>>> In the end I have taken the liberty to change a few aspects of the
>>>>>> design we have agreed on before and I will be glad if we can discuss
>>>>>> them further.
>>>>>>
>>>>>> Me and Honza have discussed the object that should hold the domain
>>>>>> resolution order and given the fact that IPA domain can also be a part
>>>>>> of this list, we have decided that this information is no longer bound
>>>>>> to trust configuration and should be a part of the global config instead.
>>>>>>
>>>>>> Also we have purposefully cut down the API only to a raw manipulation of
>>>>>> the attribute using an option of `ipa config-mod`.
>>>>>> The reasons for this
>>>>>> are twofold:
>>>>>>
>>>>>> * the developer resources are quite scarce and it may be good to
>>>>>> follow YAGNI[2] principle to implement the dumbest API now and not to
>>>>>> invest into more high-level interface unless there is a demand for it
>>>>>>
>>>>>> * we can imagine that the manipulation of the domain resolution order
>>>>>> is a rare operation (ideally only once all trusts are established), so I
>>>>>> am not convinced that it is worth investing into designing higher-level API
>>>>>>
>>>>>> I propose we first develop the "dumber" parts first to unblock the SSSD
>>>>>> part. If we have spare cycle afterwards then we can design and implement
>>>>>> more bells-and-whistles afterwards.
>>>>>>
>>>>>> [1] https://www.freeipa.org/page/V4/AD_User_Short_Names
>>>>>> [2] https://en.wikipedia.org/wiki/You_aren%27t_gonna_need_it
>>>>> Thank you Martin,
>>>>> this is a good initial proposal.
>>>>>
>>>>> I have a few issues with this design:
>>>>> - It conflates the idea of ordering with the idea of shortening user
>>>>> names
>>>> I fail to see where the conflation takes place. The ordered list is
>>>> stored on the server. The client then uses it to expand short names. I
>>>> guess I am just missing something.
>>> The attribute is called ipaNTDomainResolutionOrder, nothing in that
>>> attribute says anything about making names become short names.
>>> If it were ipaNTShortNameDomainResolutionOrder then it would be
>>> specific, as it is it seems just to refer to the order in which domains
>>> are resolved, but that is something we want in order to determine which
>>> domains SSSD is going to make use short names too, not just the order in
>>> which domains are resolved.
>>> I hope this makes it clearer.
>>>
>>>>> - It allows only for one setting for all the machines, no way to treat
>>>>> different groups of machines differently
>>>>>
>>>> Yes it was discussed that the setting will be global.
>>>> I would implement
>>>> local overrides only when there is a demand for the feature given
>>>> development time is short.
>>> Demand is immediate, and it is obvious IMO.
>>>
>> Such demand was not made clear during previous discussions and was not
>> mentioned by SSSD guys either AFAIK.
> I guess this is why we do reviews :-)
>
>>>>> The first one is probably just a matter of using a more specific name
>>>>> for the new attribute, or, perhaps not use a new attribute at all but
>>>>> just use ipaConfigString with an agreed syntax like:
>>>>> ipaConfigString: Domains Use Short Name List: aaa bbb ccc ddd
>>>>>
>>>>> The side effect of using ipaConfigString is that we can set this on
>>>>> older servers too, so people do not have to upgrade their servers to use
>>>>> this. Old servers will not have any validation, but that is ok, sssd
>>>>> must be prepared to receive a bad list and deal with it appropriately
>>>>> anyway.
>>>>>
>>>> No more 'ipaConfigString' attribute values, please. Me and everyone else
>>>> fixing e.g. replication issues can relate to the pain of doing CRUD
>>>> operations involving them.
>>> ipaConfigString was devised explicitly so that configuration options
>>> could be added without replication issues because the string can be
>>> accepted by any server version.
>>> So what replication issues are there ?
>>> What has CRUD to do with it ?
>>>
>> Well consider client doing a) retrieve ipaDomainResolutionOrder and
>> split it by delimiter, or b) retrieve values of ipaConfigString, iterate
>> until you find one that starts with "Domains Use Short Name list:",
>> strip off the rest of the value and split it by delimiter.
> I do not see any problem with this.

I disagree, ipaConfigString evokes that this is IPA configuration, but
AFAIK the SSSD is the consumer of data and it is unrelated to
configuration of IPA server.
If you plan to extend usage of 'ipaDomainResolutionOrder' to more entries
than one, then it is better to have separate attribute that allows better
LDAP searches (debugging, support).

Why SSSD instead of downloading the exact attribute content should do a
parsing of messy values that can be inside ipaConfigString?

Why we suddenly plan to support older servers with a new feature? In past
access to new features required to upgrade freeipa, why we should increase
complexity of code and ldap searches?

Any plugin that involves ipaConfigString must be handled in special way, we
basically cannot use framework defaults -> increases bugs, devel time,
prone to future regressions. So in future when we implement UI for this we
will suffer.

ipaConfigString is multivalued attribute, domains basically have to be
only one string to keep order (single value attribute) => additional
complications on both SSSD side and IPA framework side if somebody set
domain order as multiple values instead one. With single valued attribute
this is handled for free by LDAP.

Even for users is more natural to set string of domains to one attribute
instead of adding a new value with a special prefix and list domain to
multivalued attribute, the second is more error prone with worse UX.

I would like to have clean design, separate attributes for separate
features, otherwise we can just create ipaUltimateAtr and put JSON inside.

Martin^2

>
>> I just feel anything involving 'ipaConfigString' leads to design smell,
>> sorry. Yes it is my personal opinion but I think there are more people
>> sharing it. If not, I am happy to hear counterarguments.
> I am asking why, can you bring some evidence ?
> I am all about feelings, they are important, but I want data to make a
> decision.
>
>>>> If the admin wishes old servers to serve new clients this information,
>>> They do not "wish", this is pretty much what happens all the time ...
>>>
>>>> all he has to do is upgrade a single replica, set the attribute value
>>>> there and let replication take care of the rest.
>>> Come on, really ?
>>> If you have RHEL6 it is not a matter of "simply" upgrading a single
>>> replica, it means upgrade of the whole infrastructure ...
>>>
>> There is plenty of features not available to deployments with RHEL6
>> masters, I simply fail to see why this one should be special.
> It is not that it is special, my problem with that statement is that you
> assume that it is easy to upgrade servers. It is not, and decisions
> based on that assumption end up being very bad decisions for our users.
> So please do not ever assume that our users can "just upgrade one of
> their replicas".
>
>>>> Yes, the management CLI
>>>> will not be available on the old masters but that is the case of new
>>>> features anyway.
>>> I do not think we need any management UI in the short term to be honest,
>>> just a way to set a string.
>>> That will cut most development time that can be spent instead on dealing
>>> with allowing smaller groups of machines to be affected instead.
>>>
>>>>> The second one is something we *may* address later, and use the setting
>>>>> in cn=ipaConfig as a default, but there are two reasons why I think a
>>>>> setting applicable to just a host group makes sense:
>>>>> - it allows to test the setting on a small set of machines to see if
>>>>> everything works right, this is going to be especially important on
>>>>> existing setups, where people do not want to risk all machines
>>>>> misbehaving at once if something goes wrong.
>>>>> - it allows to migrate machines slowly, in some cases people may need to
>>>>> change local files/application settings on machines if the usernames
>>>>> change, so they may need a controlled roll out before changing a setting
>>>>> globally.
>>>>>
>>>>> This may be achieved by adding this setting to an ID View for example, then
>>>>> only hosts in that IDView would get this.
>>>>> Or a new object could be
>>>>> created that has members, the former has the advantage of being already
>>>>> in place and SSSD already downloads that data, the latter allows to
>>>>> target an even smaller set of hosts unrelated to previous ID views
>>>>> settings.
>>>>>
>>>>> Simo.
>>>>>
>>>> That is an interesting proposal but I am afraid we may not get to
>>>> implement that during 4.5 development. I can certainly mention the
>>>> possibility in the design so that we can return to it when a need arises.
>>> My take is: cut API/UI work, and do the underlying infrastructure work
>>> for the widest set of servers/clients possible instead.
>>>
>>> It is much more important to get the underlying gears done than to add
>>> UI candy, that can be delayed.
>>>
>>> Simo.
>>>
>> I agree, we just have to come to agreement of *which* gears are really
>> necessary.
> Indeed, but adding attributes to ipaConfig and the ID Views is not hard,
> it is a matter of extending two objectclasses instead of one ... if we
> decide that Id Views are a good abstraction point.
>
> Simo.
>

From freeipa-github-notification at redhat.com Wed Mar 1 16:40:56 2017
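The two client-side lookups compared in this thread (a dedicated single-valued attribute versus a prefixed ipaConfigString value), together with the bad-list handling asked of SSSD, as an added example that is not part of any message and is not FreeIPA or SSSD code. The ":" delimiter, the fall-back to an empty list, the function names and the sample entries are assumptions made here.

```python
import re

# Prefix proposed in the thread for the ipaConfigString variant.
PREFIX = "Domains Use Short Name List:"
# Assumption: the dedicated attribute holds one string split on ":"; the
# thread only says "split it by delimiter".
DELIMITER = ":"
_DOMAIN = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*")


class BadOrderList(ValueError):
    """The directory returned something that is not a usable domain list."""


def _validate(items):
    """Lower-case the items and reject empty, malformed or repeated domains."""
    domains = [item.lower() for item in items]
    if not domains:
        raise BadOrderList("empty list")
    for domain in domains:
        if not _DOMAIN.fullmatch(domain):
            raise BadOrderList("not a domain name: %r" % domain)
    if len(set(domains)) != len(domains):
        raise BadOrderList("domain listed twice")
    return domains


def from_dedicated_attribute(entry):
    """Variant a): read ipaDomainResolutionOrder and split it."""
    values = entry.get("ipaDomainResolutionOrder", [])
    if not values:
        return None  # attribute not set
    if len(values) > 1:
        # A single-valued schema would already refuse this on the server.
        raise BadOrderList("more than one value")
    return _validate(values[0].split(DELIMITER))


def from_config_string(entry):
    """Variant b): find the prefixed ipaConfigString value and split the rest."""
    # The thread spells the prefix both "List:" and "list:", so match
    # case-insensitively.
    matches = [value[len(PREFIX):] for value in entry.get("ipaConfigString", [])
               if value.lower().startswith(PREFIX.lower())]
    if not matches:
        return None  # option not set
    if len(matches) > 1:
        # Values of a multi-valued LDAP attribute are unordered, so a list
        # spread over several values has no defined order.
        raise BadOrderList("prefix appears in several values")
    return _validate(matches[0].split())


def safe_order(entry, reader):
    """Assumed client policy: an unset or bad list means no short names."""
    try:
        return reader(entry) or []
    except BadOrderList:
        return []


def candidates(short_name, order):
    """Fully-qualified names to try, in resolution order."""
    return ["%s@%s" % (short_name, domain) for domain in order]


# Constructed sample entries (attribute name -> list of values).
ATTR_ENTRY = {"ipaDomainResolutionOrder": ["ipa.example:ad.example"]}
CONFIG_ENTRY = {"ipaConfigString": [
    "Some Other Option: on",
    "Domains Use Short Name list: ipa.example ad.example",
]}
SPLIT_ENTRY = {"ipaConfigString": [
    "Domains Use Short Name List: ipa.example",
    "Domains Use Short Name List: ad.example",
]}
GARBLED_ENTRY = {"ipaConfigString": [
    "Domains Use Short Name List: ipa.example ad..example",
]}

if __name__ == "__main__":
    for entry in (CONFIG_ENTRY, SPLIT_ENTRY, GARBLED_ENTRY):
        print(candidates("alice", safe_order(entry, from_config_string)))
    print(candidates("alice", safe_order(ATTR_ENTRY, from_dedicated_attribute)))
```
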
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Wed, 01 Mar 2017 17:40:56 +0100
Subject: [Freeipa-devel] [freeipa PR#529][opened] installer: update time estimates
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/529
Author: tomaskrizek
Title: #529: installer: update time estimates
Action: opened

PR body:
"""
Time estimates have been updated to be more accurate. Only
tasks that are estimated to take longer than 10 seconds have
the estimate displayed.

https://pagure.io/freeipa/issue/6596
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/529/head:pr529
git checkout pr529
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-529.patch
Type: text/x-diff
Size: 4889 bytes
Desc: not available
URL:

From simo at redhat.com Wed Mar 1 16:51:26 2017
From: simo at redhat.com (Simo Sorce)
Date: Wed, 01 Mar 2017 11:51:26 -0500
Subject: [Freeipa-devel] Please review: V4/AD user short names design draft
In-Reply-To:
References: <92623f03-bb8c-9931-ff54-3024bdb3077d@redhat.com> <1488379327.10234.17.camel@redhat.com> <1488382341.10234.26.camel@redhat.com> <1488384292.10234.35.camel@redhat.com>
Message-ID: <1488387086.10234.41.camel@redhat.com>

On Wed, 2017-03-01 at 17:29 +0100, Martin Basti wrote:
>
> On 01.03.2017 17:04, Simo Sorce wrote:
> > On Wed, 2017-03-01 at 16:47 +0100, Martin Babinsky wrote:
> >> On 03/01/2017 04:32 PM, Simo Sorce wrote:
> >>> On Wed, 2017-03-01 at 16:17 +0100, Martin Babinsky wrote:
> >>>> On 03/01/2017 03:42 PM, Simo Sorce wrote:
> >>>>> On Tue, 2017-02-28 at 13:29 +0100, Martin Babinsky wrote:
> >>>>>> Hello list,
> >>>>>>
> >>>>>> I have put together a draft of design page describing server-side
> >>>>>> implementation of user short name -> fully-qualified name resolution.[1]
> >>>>>>
> >>>>>> In the end I have taken the liberty to change a few aspects of the
> >>>>>> design we have agreed on before and I will be glad if we can discuss
> >>>>>> them further.
> >>>>>>
> >>>>>> Me and Honza have discussed the object that should hold the domain
> >>>>>> resolution order and given the fact that IPA domain can also be a part
> >>>>>> of this list, we have decided that this information is no longer bound
> >>>>>> to trust configuration and should be a part of the global config instead.
> >>>>>>
> >>>>>> Also we have purposefully cut down the API only to a raw manipulation of
> >>>>>> the attribute using an option of `ipa config-mod`.
The reasons for this > >>>>>> are twofold: > >>>>>> > >>>>>> * the developer resources are quite scarce and it may be good to > >>>>>> follow YAGNI[2] principle to implement the dumbest API now and not to > >>>>>> invest into more high-level interface unless there is a demand for it > >>>>>> > >>>>>> * we can imagine that the manipulation of the domain resolution order > >>>>>> is a rare operation (ideally only once all trusts are established), so I > >>>>>> am not convinced that it is worth investing into designing higher-level API > >>>>>> > >>>>>> I propose we first develop the "dumber" parts first to unblock the SSSD > >>>>>> part. If we have spare cycle afterwards then we can design and implement > >>>>>> more bells-and-whistles afterwards. > >>>>>> > >>>>>> [1] https://www.freeipa.org/page/V4/AD_User_Short_Names > >>>>>> [2] https://en.wikipedia.org/wiki/You_aren%27t_gonna_need_it > >>>>> Thank you Martin, > >>>>> this is a good initial proposal. > >>>>> > >>>>> I have a few issues with this design: > >>>>> - It conflates the idea of ordering with the idea of shortening user > >>>>> names > >>>> I fail to see where the conflation takes place. The ordered list is > >>>> stored on the server. The client then uses it to expand short names. I > >>>> guess I am just missing something. > >>> The attribute is called ipaNTDomainResolutionOrder, nothing in that > >>> attribute says anything about making names become short names. > >>> If it were ipaNTShortNameDomainResolutionOrder then it would be > >>> specific, as it is it seem just to refer to the order in which domain > >>> are resolved, but that is somethign we want in order to determine which > >>> domains SSSD is going to make use short names too, not just the order in > >>> which domains are resolved. > >>> I hope this makes it clearer. 
> >>> > >>>>> - It allows only for one setting for all the machines, no way to treat > >>>>> different groups of machines differently > >>>>> > >>>> Yes it was discussed that the setting will be global. I would implement > >>>> local overrides only when there is a demand for the feature given > >>>> development time is short. > >>> Demand is immediate, and it is obvious IMO. > >>> > >> Such demand was not made clear during previous discussions and was not > >> mentioned by SSSD guys either AFAIK. > > I guess this is why we do reviews :-) > > > >>>>> The first one is probably just a matter of using a more specific name > >>>>> for the new attribute, or, perhaps not use a new attribute at all but > >>>>> just use ipaConfigString with an agreed syntax like: > >>>>> ipaConfigString: Domains Use Short Name List: aaa bbb ccc ddd > >>>>> > >>>>> The side effect of using ipaConfigString is that we can set this on > >>>>> older servers too, so people do not have to upgrade their servers to use > >>>>> this. Old servers will not have any validation, but that is ok, sssd > >>>>> must be prepared to receive a bad list and deal with it appropriately > >>>>> anyway. > >>>>> > >>>> No more 'ipaConfigString' attribute values, please. Me and everyone else > >>>> fixing e.g. replication issues can relate to the pain of doing CRUD > >>>> operations involving them. > >>> ipaConfigString was devised explicitly so that configuration options > >>> could be added without replication issues because the string can be > >>> accepted by any server version. > >>> So what replication issues are there ? > >>> What has CRUD to do with it ? > >>> > >> Well consider client doing a) retrieve ipaDomainResolutionOrder and > >> split it by delimiter, or b) retrieve values of ipaConfigString, iterate > >> until you find one that starts with "Domains Use Short Name list:", > >> strip off the rest of the value and split it by delimiter. > > I do not see any problem with this. 
> I disagree, > > ipaConfigString evokes that this is IPA configuration, but AFAIK the > SSSD is the consumer of data and it is unrelated to configuration of IPA > server. If you plan to extend usage of 'ipaDomainResolutionOrder' to > more entries than one, then is better to have separate attribute that > allows better LDAP searches (debugging, support). > Why SSSD instead of downloading the exact attribute content should do a > parsing of messy values that can be inside ipaConfigString? > > Why we suddenly plan to support older servers with a new feature? In > past access to new features required to upgrade freeipa, why we should > increase complexity of code and ldap searches? Any plugin that involve > ipaConfingString must be handled in special way, we basically cannot use > framework defaults -> increases bugs, devel time, prone to future > regressions. So in future when we implement UI for this we will suffer. > > ipaConfigString is multivalued attribute, domains basically have to be > only one string to keep order (single value attribute) => additional > complications on both SSSD side and IPA framework side if somebody set > domain order as multiple values instead one. With single valued > attribute this is handled by free by LDAP. > > Even for users is more natural to set string of domains to one attribute > instead of adding a new value with a special prefix and list domain to > multivalued attribute, the second is more error prone with worse UX. > > I would like to have clean design, separate attributes for separate > features, otherwise we can just create ipaUltimateAtr and put JSON inside. Given we are now talking about an attribute to reuse in multiple objectclasss I tend to agree with all these points, my initial comments on this were related to the single global option case. Simo. Martin^2 > > > > >> I just feel anything involving 'ipaConfigString' leads to design smell, > >> sorry. 
Yes it is my personal opinion but I think there are more people > >> sharing it. If not, I am happy to hear counterarguments. > > I am asking why, can you bring some evidence ? > > I am all about feelings, they are important, but I want data to make a > > decision. > > > >>>> If the admin wishes old servers to server new clients this information, > >>> They do not "wish", this is pretty much what happens all the time ... > >>> > >>>> all he has to do is upgrade a single replica, set the attribute value > >>>> there and let replication take care of the rest. > >>> Come on, really ? > >>> If you have RHEL6 it is not a matter of "simply" upgrading a single > >>> replica, it means upgrade of the whole infrastructure ... > >>> > >> There is plenty of features not available to deplyments with RHEL6 > >> masters, I simply fail to see why this one should be special. > > It is not that it is special, my problem with that statement is that you > > assume that it is easy to upgrade servers. It is not, and decisions > > based on that assumption end up being very bad decisions for our users. > > So please do not ever assume that our users can "just upgrade one of > > their replicas". > > > >>>> Yes, the management CLI > >>>> will not be available on the old masters but that is the case of new > >>>> features anyway. > >>> I do not think we need any management UI in the short term to be honest, > >>> just a way to set a string. > >>> That will cut most development time that can be spent instead on dealing > >>> with allowing smaller groups of machines to be affected instead. 
> >>> > >>>>> The second one is something we *may* address later, and use the setting > >>>>> in cn=ipaConfig as a default, but there are two reasons why I think a > >>>>> setting applicable to just a host group makes sense: > >>>>> - it allows to test the setting on a small set of machines to see if > >>>>> everything works right, this is going to be especially important on > >>>>> existing setups, where people do not want to risk all machines > >>>>> misbehaving at once if something goes wrong. > >>>>> - it allows to migrate machines slowly, in some cases people may need to > >>>>> change local files/application settings on machines if the usernames > >>>>> change, so they may need a controlled roll out before changing a setting > >>>>> globally. > >>>>> > >>>>> This may achieved by adding this setting to an ID View for example, then > >>>>> only hosts in that IDView would get this. Or a new object could be > >>>>> created that has members, the former has the advantage of being already > >>>>> in place and SSSD already downloads that data, the latter allows to > >>>>> target an even smaller set of hosts unrelated to previous ID views > >>>>> settings. > >>>>> > >>>>> Simo. > >>>>> > >>>> That is an interesting proposal but I am afraid we may not get to > >>>> implement that during 4.5 development. I can certainly mention the > >>>> possibility in the design so that we can return to it when a need arises. > >>> My take is: cut API/UI work, and do the underlying infrastructure work > >>> for the widest set of serves/clients possible instead. > >>> > >>> It is much more important to get the underlying gears done than to add > >>> UI candy, that can be delayed. > >>> > >>> Simo. > >>> > >> I agree, we just have to come to agreement of *which* gears are really > >> necessary. > > Indeed, but adding attributes to ipaConfig and the ID Views is not hard, > > it is a matter of extending two objectclasses instead of one ... 
if we > > decide that Id Views are a good abstraction point. > > > > Simo. > > > -- Simo Sorce * Red Hat, Inc * New York From freeipa-github-notification at redhat.com Wed Mar 1 17:39:52 2017 From: freeipa-github-notification at redhat.com (pvoborni) Date: Wed, 01 Mar 2017 18:39:52 +0100 Subject: [Freeipa-devel] [freeipa PR#502][comment] Make pylint and jsl optional In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/502 Title: #502: Make pylint and jsl optional pvoborni commented: """ +1 Reasoning for not skipping linters was that reviewer or patch author can forget to run those. This problem was solved by travis checks. """ See the full comment at https://github.com/freeipa/freeipa/pull/502#issuecomment-283412804 From freeipa-github-notification at redhat.com Wed Mar 1 17:48:47 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 01 Mar 2017 18:48:47 +0100 Subject: [Freeipa-devel] [freeipa PR#530][opened] man: update ipa-cacert-manage Message-ID: URL: https://github.com/freeipa/freeipa/pull/530 Author: tomaskrizek Title: #530: man: update ipa-cacert-manage Action: opened PR body: """ Make it clear this command is used to only renew certificate for the CA and provide guidance on how to renew other certificates. https://pagure.io/freeipa/issue/6648 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/530/head:pr530 git checkout pr530 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-530.patch Type: text/x-diff Size: 1383 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 1 18:09:00 2017 
From: freeipa-github-notification at redhat.com (simo5)
Date: Wed, 01 Mar 2017 19:09:00 +0100
Subject: [Freeipa-devel] [freeipa PR#516][comment] IdM Server: list all Employees with matching Smart Card
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/516
Title: #516: IdM Server: list all Employees with matching Smart Card

simo5 commented:
"""
I am not sure we want to wait for replies from trusted domains, it may be very slow, and in some cases it will just not work right (one way trusts with strict access control on entries).
Active Directory forces users to provide a hint when logging into trusted domains with smart cards and does not query the remote domain.
Have we considered this ?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/516#issuecomment-283420862

From freeipa-github-notification at redhat.com Wed Mar 1 18:10:30 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 01 Mar 2017 19:10:30 +0100
Subject: [Freeipa-devel] [freeipa PR#517][comment] [WIP] Use Custodia 0.3 features
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/517
Title: #517: [WIP] Use Custodia 0.3 features

tiran commented:
"""
Custodia 0.3 is out, https://koji.fedoraproject.org/koji/taskinfo?taskID=18127414
"""

See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-283421294

From freeipa-github-notification at redhat.com Wed Mar 1 19:18:02 2017
From: freeipa-github-notification at redhat.com (sumit-bose)
Date: Wed, 01 Mar 2017 20:18:02 +0100
Subject: [Freeipa-devel] [freeipa PR#516][comment] IdM Server: list all Employees with matching Smart Card
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/516
Title: #516: IdM Server: list all Employees with matching Smart Card

sumit-bose commented:
"""
Yes, a hint aka user name will be used during authentication. But this PR here is about to get an idea which user is allowed to authenticate based on the current certificate mapping configuration. Since the certificate mapping configuration requires remote domains to be added explicitly to admin can control which domains are included in the search.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/516#issuecomment-283440367

From freeipa-github-notification at redhat.com Wed Mar 1 20:18:16 2017
From: freeipa-github-notification at redhat.com (lslebodn)
Date: Wed, 01 Mar 2017 21:18:16 +0100
Subject: [Freeipa-devel] [freeipa PR#502][comment] Make pylint and jsl optional
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/502
Title: #502: Make pylint and jsl optional

lslebodn commented:
"""
On (01/03/17 09:39), Petr Vobornik wrote:
>+1 Reasoning for not skipping linters was that reviewer or patch author can forget to run those. This problem was solved by travis checks.
>
ATM nothing force reviewer/author to run lint. `makerpms.sh` does not call `make lint` and it is not a dependency of `make all`.

configure script just remind developer to install pylint/jslint. (or disable configure time check) Which is a huge difference.

If you think that developers should not/needn't have installed pylint by default then it's your decision. But I cannot see a good reason for removing this reminder.

my 2 cents
"""

See the full comment at https://github.com/freeipa/freeipa/pull/502#issuecomment-283457251

From freeipa-github-notification at redhat.com Thu Mar 2 06:37:43 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Thu, 02 Mar 2017 07:37:43 +0100
Subject: [Freeipa-devel] [freeipa PR#502][comment] Make pylint and jsl optional
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/502
Title: #502: Make pylint and jsl optional

HonzaCholasta commented:
"""
I tend to agree with @lslebodn, but I don't have a strong opinion on this.

I noticed a couple of issues though:

* `--without-jslint` does not seem to work correctly:
```
$ ./configure --without-jslint
...
IPA Server 4.4.90.dev201703020634+git3a29b47
========================
...
jslint: /usr/bin/jsl
...
```

* In `freeipa.spec.in`, when `with_lint` is not defined, lint should be disabled, so `--disable-pylint` and `--without-jslint` should be passed to `%configure`.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/502#issuecomment-283569745

From slaznick at redhat.com Thu Mar 2 07:00:27 2017
From: slaznick at redhat.com (Standa Laznicka)
Date: Thu, 2 Mar 2017 08:00:27 +0100
Subject: [Freeipa-devel] FreeIPA: upgrading from priv-separation to git-master
In-Reply-To:
References:
Message-ID:

On 03/01/2017 12:01 PM, Standa Laznicka wrote:
> Hello,
>
> Please note that https://github.com/freeipa/freeipa/pull/367 was
> pushed today. What this means for you is that your IPA installations
> won't work if you had privilege separation patches applied and try to
> upgrade your instances to current master.
>
> This is because privilege separation moved the Dogtag agent
> certificate but we had to move it as well keeping in mind that users
> will be upgrading from pre-priv-sep installation to this one.
>
> Sorry for the inconvenience,
> Standa
>
Note I also updated the http://www.freeipa.org/page/Testing guide.

From mbabinsk at redhat.com Thu Mar 2 07:10:54 2017
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Thu, 2 Mar 2017 08:10:54 +0100
Subject: [Freeipa-devel] Please review: V4/AD user short names design draft
In-Reply-To: <1488387086.10234.41.camel@redhat.com>
References: <92623f03-bb8c-9931-ff54-3024bdb3077d@redhat.com> <1488379327.10234.17.camel@redhat.com> <1488382341.10234.26.camel@redhat.com> <1488384292.10234.35.camel@redhat.com> <1488387086.10234.41.camel@redhat.com>
Message-ID: <1374aa71-8e1a-73db-94a1-6af26789c2ed@redhat.com>

On 03/01/2017 05:51 PM, Simo Sorce wrote:
> On Wed, 2017-03-01 at 17:29 +0100, Martin Basti wrote:
>>
>> On 01.03.2017 17:04, Simo Sorce wrote:
>>> On Wed, 2017-03-01 at 16:47 +0100, Martin Babinsky wrote:
>>>> On 03/01/2017 04:32 PM, Simo Sorce wrote:
>>>>> On Wed, 2017-03-01 at 16:17 +0100, Martin Babinsky wrote:
>>>>>> On 03/01/2017 03:42 PM, Simo Sorce wrote:
>>>>>>> On Tue, 2017-02-28 at 13:29 +0100, Martin Babinsky wrote:
>>>>>>>> Hello list,
>>>>>>>>
>>>>>>>> I have put together a draft of design page describing server-side
>>>>>>>> implementation of user short name -> fully-qualified name resolution.[1]
>>>>>>>>
>>>>>>>> In the end I have taken the liberty to change a few aspects of the
>>>>>>>> design we have agreed on before and I will be glad if we can discuss
>>>>>>>> them further.
>>>>>>>>
>>>>>>>> Me and Honza have discussed the object that should hold the domain
>>>>>>>> resolution order and given the fact that IPA domain can also be a part
>>>>>>>> of this list, we have decided that this information is no longer bound
>>>>>>>> to trust configuration and should be a part of the global config instead.
>>>>>>>>
>>>>>>>> Also we have purposefully cut down the API only to a raw manipulation of
>>>>>>>> the attribute using an option of `ipa config-mod`. The reasons for this
>>>>>>>> are twofold:
>>>>>>>>
>>>>>>>> * the developer resources are quite scarce and it may be good to
>>>>>>>> follow YAGNI[2] principle to implement the dumbest API now and not to
>>>>>>>> invest into more high-level interface unless there is a demand for it
>>>>>>>>
>>>>>>>> * we can imagine that the manipulation of the domain resolution order
>>>>>>>> is a rare operation (ideally only once all trusts are established), so I
>>>>>>>> am not convinced that it is worth investing into designing higher-level API
>>>>>>>>
>>>>>>>> I propose we first develop the "dumber" parts first to unblock the SSSD
>>>>>>>> part. If we have spare cycle afterwards then we can design and implement
>>>>>>>> more bells-and-whistles afterwards.
>>>>>>>>
>>>>>>>> [1] https://www.freeipa.org/page/V4/AD_User_Short_Names
>>>>>>>> [2] https://en.wikipedia.org/wiki/You_aren%27t_gonna_need_it
>>>>>>> Thank you Martin,
>>>>>>> this is a good initial proposal.
>>>>>>>
>>>>>>> I have a few issues with this design:
>>>>>>> - It conflates the idea of ordering with the idea of shortening user
>>>>>>> names
>>>>>> I fail to see where the conflation takes place. The ordered list is
>>>>>> stored on the server. The client then uses it to expand short names. I
>>>>>> guess I am just missing something.
>>>>> The attribute is called ipaNTDomainResolutionOrder, nothing in that
>>>>> attribute says anything about making names become short names.
>>>>> If it were ipaNTShortNameDomainResolutionOrder then it would be
>>>>> specific, as it is it seem just to refer to the order in which domain
>>>>> are resolved, but that is something we want in order to determine which
>>>>> domains SSSD is going to make use short names too, not just the order in
>>>>> which domains are resolved.
>>>>> I hope this makes it clearer.
>>>>>
>>>>>>> - It allows only for one setting for all the machines, no way to treat
>>>>>>> different groups of machines differently
>>>>>>>
>>>>>> Yes it was discussed that the setting will be global. I would implement
>>>>>> local overrides only when there is a demand for the feature given
>>>>>> development time is short.
>>>>> Demand is immediate, and it is obvious IMO.
>>>>>
>>>> Such demand was not made clear during previous discussions and was not
>>>> mentioned by SSSD guys either AFAIK.
>>> I guess this is why we do reviews :-)
>>>
>>>>>>> The first one is probably just a matter of using a more specific name
>>>>>>> for the new attribute, or, perhaps not use a new attribute at all but
>>>>>>> just use ipaConfigString with an agreed syntax like:
>>>>>>> ipaConfigString: Domains Use Short Name List: aaa bbb ccc ddd
>>>>>>>
>>>>>>> The side effect of using ipaConfigString is that we can set this on
>>>>>>> older servers too, so people do not have to upgrade their servers to use
>>>>>>> this. Old servers will not have any validation, but that is ok, sssd
>>>>>>> must be prepared to receive a bad list and deal with it appropriately
>>>>>>> anyway.
>>>>>>>
>>>>>> No more 'ipaConfigString' attribute values, please. Me and everyone else
>>>>>> fixing e.g. replication issues can relate to the pain of doing CRUD
>>>>>> operations involving them.
>>>>> ipaConfigString was devised explicitly so that configuration options
>>>>> could be added without replication issues because the string can be
>>>>> accepted by any server version.
>>>>> So what replication issues are there ?
>>>>> What has CRUD to do with it ?
>>>>>
>>>> Well consider client doing a) retrieve ipaDomainResolutionOrder and
>>>> split it by delimiter, or b) retrieve values of ipaConfigString, iterate
>>>> until you find one that starts with "Domains Use Short Name list:",
>>>> strip off the rest of the value and split it by delimiter.
>>> I do not see any problem with this.
>> I disagree,
>>
>> ipaConfigString evokes that this is IPA configuration, but AFAIK the
>> SSSD is the consumer of data and it is unrelated to configuration of IPA
>> server. If you plan to extend usage of 'ipaDomainResolutionOrder' to
>> more entries than one, then is better to have separate attribute that
>> allows better LDAP searches (debugging, support).
>> Why SSSD instead of downloading the exact attribute content should do a
>> parsing of messy values that can be inside ipaConfigString?
>>
>> Why we suddenly plan to support older servers with a new feature? In
>> past access to new features required to upgrade freeipa, why we should
>> increase complexity of code and ldap searches? Any plugin that involve
>> ipaConfigString must be handled in special way, we basically cannot use
>> framework defaults -> increases bugs, devel time, prone to future
>> regressions. So in future when we implement UI for this we will suffer.
>>
>> ipaConfigString is multivalued attribute, domains basically have to be
>> only one string to keep order (single value attribute) => additional
>> complications on both SSSD side and IPA framework side if somebody set
>> domain order as multiple values instead one. With single valued
>> attribute this is handled by free by LDAP.
>>
>> Even for users is more natural to set string of domains to one attribute
>> instead of adding a new value with a special prefix and list domain to
>> multivalued attribute, the second is more error prone with worse UX.
>>
>> I would like to have clean design, separate attributes for separate
>> features, otherwise we can just create ipaUltimateAtr and put JSON inside.
>
>
> Given we are now talking about an attribute to reuse in multiple
> objectclasses I tend to agree with all these points, my initial comments
> on this were related to the single global option case.
>
> Simo.
>
> Martin^2
>>
>>>
>>>> I just feel anything involving 'ipaConfigString' leads to design smell,
>>>> sorry. Yes it is my personal opinion but I think there are more people
>>>> sharing it. If not, I am happy to hear counterarguments.
>>> I am asking why, can you bring some evidence ?
>>> I am all about feelings, they are important, but I want data to make a
>>> decision.
>>>
>>>>>> If the admin wishes old servers to serve new clients this information,
>>>>> They do not "wish", this is pretty much what happens all the time ...
>>>>>
>>>>>> all he has to do is upgrade a single replica, set the attribute value
>>>>>> there and let replication take care of the rest.
>>>>> Come on, really ?
>>>>> If you have RHEL6 it is not a matter of "simply" upgrading a single
>>>>> replica, it means upgrade of the whole infrastructure ...
>>>>>
>>>> There is plenty of features not available to deployments with RHEL6
>>>> masters, I simply fail to see why this one should be special.
>>> It is not that it is special, my problem with that statement is that you
>>> assume that it is easy to upgrade servers. It is not, and decisions
>>> based on that assumption end up being very bad decisions for our users.
>>> So please do not ever assume that our users can "just upgrade one of
>>> their replicas".
>>>
>>>>>> Yes, the management CLI
>>>>>> will not be available on the old masters but that is the case of new
>>>>>> features anyway.
>>>>> I do not think we need any management UI in the short term to be honest,
>>>>> just a way to set a string.
>>>>> That will cut most development time that can be spent instead on dealing
>>>>> with allowing smaller groups of machines to be affected instead.
>>>>>
>>>>>>> The second one is something we *may* address later, and use the setting
>>>>>>> in cn=ipaConfig as a default, but there are two reasons why I think a
>>>>>>> setting applicable to just a host group makes sense:
>>>>>>> - it allows to test the setting on a small set of machines to see if
>>>>>>> everything works right, this is going to be especially important on
>>>>>>> existing setups, where people do not want to risk all machines
>>>>>>> misbehaving at once if something goes wrong.
>>>>>>> - it allows to migrate machines slowly, in some cases people may need to
>>>>>>> change local files/application settings on machines if the usernames
>>>>>>> change, so they may need a controlled roll out before changing a setting
>>>>>>> globally.
>>>>>>>
>>>>>>> This may achieved by adding this setting to an ID View for example, then
>>>>>>> only hosts in that IDView would get this. Or a new object could be
>>>>>>> created that has members, the former has the advantage of being already
>>>>>>> in place and SSSD already downloads that data, the latter allows to
>>>>>>> target an even smaller set of hosts unrelated to previous ID views
>>>>>>> settings.
>>>>>>>
>>>>>>> Simo.
>>>>>>>
>>>>>> That is an interesting proposal but I am afraid we may not get to
>>>>>> implement that during 4.5 development. I can certainly mention the
>>>>>> possibility in the design so that we can return to it when a need arises.
>>>>> My take is: cut API/UI work, and do the underlying infrastructure work
>>>>> for the widest set of servers/clients possible instead.
>>>>>
>>>>> It is much more important to get the underlying gears done than to add
>>>>> UI candy, that can be delayed.
>>>>>
>>>>> Simo.
>>>>>
>>>> I agree, we just have to come to agreement of *which* gears are really
>>>> necessary.
>>> Indeed, but adding attributes to ipaConfig and the ID Views is not hard,
>>> it is a matter of extending two objectclasses instead of one ... if we
>>> decide that Id Views are a good abstraction point.
>>>
>>> Simo.
>>>
>>
>
>

In this case it would probably be a good idea to think about "forward
compatibility" and define a new AUX objectclass bringing in
'ipaDomainResolutionOrder' instead of extending two separate
objectclasses. In this way we may then just extend whatever object we
desire to carry the override in an easy and clean way.

--
Martin^3 Babinsky

From mbabinsk at redhat.com Thu Mar 2 07:12:04 2017
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Thu, 2 Mar 2017 08:12:04 +0100
Subject: [Freeipa-devel] Please review: V4/AD user short names design draft
In-Reply-To: <20170301162857.p5dfawm4co3q3oex@redhat.com>
References: <92623f03-bb8c-9931-ff54-3024bdb3077d@redhat.com> <1488379327.10234.17.camel@redhat.com> <1488382341.10234.26.camel@redhat.com> <1488384292.10234.35.camel@redhat.com> <20170301162857.p5dfawm4co3q3oex@redhat.com>
Message-ID:

On 03/01/2017 05:28 PM, Alexander Bokovoy wrote:
> On ke, 01 maalis 2017, Simo Sorce wrote:
>>> > My take is: cut API/UI work, and do the underlying infrastructure work
>>> > for the widest set of servers/clients possible instead.
>>> >
>>> > It is much more important to get the underlying gears done than to add
>>> > UI candy, that can be delayed.
>>> >
>>> > Simo.
>>> >
>>>
>>> I agree, we just have to come to agreement of *which* gears are really
>>> necessary.
>>
>> Indeed, but adding attributes to ipaConfig and the ID Views is not hard,
>> it is a matter of extending two objectclasses instead of one ... if we
>> decide that Id Views are a good abstraction point.
> Adding the same attribute to ID View and to ipaConfig sounds logical to
> me.
>
> Martin, if you want help with this, I can implement ID View-related
> parts. SSSD does have code to retrieve ipaConfig already, and it also
> has support for reading ID View associated with the host. The resulting
> value wouldn't end up in the same place, though, but this is something
> to handle on SSSD side.
>
I was thinking about this at night (insomnia FTW) and it is actually
pretty easy to extend ID view with the same attribute (see my other
reply to Simo). Given the UI will be pretty dumb, we just can add the
new attribute to the ID view object and a common code will be
responsible for validation of changed values.

--
Martin^3 Babinsky

From jcholast at redhat.com Thu Mar 2 07:57:23 2017
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 2 Mar 2017 08:57:23 +0100
Subject: [Freeipa-devel] Please review: V4/AD user short names design draft
In-Reply-To: <20170301135807.c65u7thxqcfquvn3@redhat.com>
References: <92623f03-bb8c-9931-ff54-3024bdb3077d@redhat.com> <20170228124802.krupsj2xa7fo3ewn@redhat.com> <34d00fea-68dd-00ec-b9e9-d1d27d6ba819@redhat.com> <20170301130526.66tvuj5tceiyd4r6@redhat.com> <20170301135807.c65u7thxqcfquvn3@redhat.com>
Message-ID: <1c703359-c095-5028-db4e-ee2a108a5d3f@redhat.com>

On 1.3.2017 14:58, Alexander Bokovoy wrote:
> On ke, 01 maalis 2017, Jan Cholasta wrote:
>> On 1.3.2017 14:05, Alexander Bokovoy wrote:
>>> On ke, 01 maalis 2017, Jan Cholasta wrote:
>>>> On 1.3.2017 13:39, Martin Babinsky wrote:
>>>>> Alexander,
>>>>>
>>>>> thank you for your comments. Replies inline:
>>>>>
>>>>> On 02/28/2017 01:48 PM, Alexander Bokovoy wrote:
>>>>>> On ti, 28 helmi 2017, Martin Babinsky wrote:
>>>>>>> Hello list,
>>>>>>>
>>>>>>> I have put together a draft of design page describing server-side
>>>>>>> implementation of user short name -> fully-qualified name
>>>>>>> resolution.[1]
>>>>>>>
>>>>>>> In the end I have taken the liberty to change a few aspects of the
>>>>>>> design we have agreed on before and I will be glad if we can discuss
>>>>>>> them further.
>>>>>>>
>>>>>>> Me and Honza have discussed the object that should hold the domain
>>>>>>> resolution order and given the fact that IPA domain can also be a
>>>>>>> part
>>>>>>> of this list, we have decided that this information is no longer
>>>>>>> bound
>>>>>>> to trust configuration and should be a part of the global config
>>>>>>> instead.
>>>>>>>
>>>>>>> Also we have purposefully cut down the API only to a raw
>>>>>>> manipulation
>>>>>>> of the attribute using an option of `ipa config-mod`. The reasons
>>>>>>> for
>>>>>>> this are twofold:
>>>>>>>
>>>>>>> * the developer resources are quite scarce and it may be good to
>>>>>>> follow YAGNI[2] principle to implement the dumbest API now and
>>>>>>> not to
>>>>>>> invest into more high-level interface unless there is a demand
>>>>>>> for it
>>>>>>>
>>>>>>> * we can imagine that the manipulation of the domain resolution
>>>>>>> order
>>>>>>> is a rare operation (ideally only once all trusts are
>>>>>>> established), so
>>>>>>> I am not convinced that it is worth investing into designing
>>>>>>> higher-level API
>>>>>>>
>>>>>>> I propose we first develop the "dumber" parts first to unblock the
>>>>>>> SSSD part. If we have spare cycle afterwards then we can design and
>>>>>>> implement more bells-and-whistles afterwards.
>>>>>> Looks mostly OK, but there are few comments I have:
>>>>>>
>>>>>> - I do not see you mention how validation of the
>>>>>> ipaDomainResolutionOrder is done. This is important to avoid hard to
>>>>>> debug issues because SSSD will ignore domains it doesn't know about.
>>>>>>
>>>>>
>>>>> The validation is described in a Design section as follows:
>>>>>
>>>>> """
>>>>> Finally, any modification of the domain resolution order must ensure
>>>>> that each of the specified domain names corresponds either to that of
>>>>> FreeIPA domain or to one of the trusted AD domains stored in LDAP
>>>>> backend. In the case of trusted domains, the domain must not be marked
>>>>> as disabled.
>>>>> """
>>>>>
>>>>> Is this sufficient or is a more thorough validation required? Shall I
>>>>> split the whole section into sub-sections for easier navigation?
>>>>>
>>>>>> - Space separator initially caused me to look up DNS RFCs as strictly
>>>>>> speaking domain names can contain any 8-bit octet (while host names
>>>>>> should follow LDH rule). But then [1] does explicitly say space is
>>>>>> not
>>>>>> allowed in AD domain names.
>>>>>>
>>>>>
>>>>> I have discussed this with Jan and consulted the same document that
>>>>> you
>>>>> cited, that's why I have arrived to the conclusion to use
>>>>> whitespace as
>>>>> separator. Jakub/Fabiano, is this ok with the way SSSD decodes domain
>>>>> names or should we consider other options to avoid breakage with more
>>>>> exotic domain names?
>>>>
>>>> Actually I would prefer something else than whitespace as a separator.
>>>> A ':' maybe?
>>> or ',' or ';'. Any would work.
>>>
>>>>> I have considered a empty attribute value to be a distinct state from
>>>>> the missing attribute and assigned a different semantic meaning to it.
>>>>>
>>>>> The reasoning is as follows: if the attribute is not set, SSSD will
>>>>> not
>>>>> retrieve it and this signals that it should continue operate in usual
>>>>> way.
>>>>>
>>>>> If the attribute is present but is empty, the semantics change
>>>>> slightly
>>>>> as now we consider *no* domains during short name resolution
>>>>> (extension
>>>>> of the missing domain behavior to the case of all domains are missing
>>>>> from list).
>>>>
>>>> It doesn't have to be literally empty (LDAP character string syntaxes
>>>> don't allow it anyway IIRC), there can be a value which denotes an
>>>> empty list of domain (e.g. the separator alone).
>>> I don't see *why* there should be this distinction. The deciding party
>>> is SSSD. Whether this attribute exists and empty or does not exist at
>>> all does not change anything. Changing how SSSD interprets own defaults
>>> depending on absence or emptiness of certain attribute in IPA config
>>> object is not user friendly at all.
>>>
>>> SSSD default behavior should stay the same whether it finds missing or
>>> empty attribute because the attribute will not be known to older SSSD
>>> anyway. Missing or empty attribute should, in my opinion, be equal to
>>> older SSSD behavior.
>>>
>>
>> "No value is set in configuration => use built-in default / some value
>> is set configuration => use the value" is perfectly user friendly and
>> pretty much common virtually everywhere I believe, much more so than
>> "empty value is set in configuration => ignore the value even if the
>> user deliberately set it empty and use the default value instead".
> I'm not arguing with "no value is set in configuration -> use built-in
> default". I do argue on having empty but present attribute because it
> does not add anything useful for SSSD to decide on. And as it is not
> adding anything useful, why there should be such difference at all?
>
> This is the only question open I see in this design.

The list does not have to contain all available domains, therefore it
can also be empty. When a domain is not present in the list, a fully
qualified name must be used for users in that domain, therefore when the
list is empty, fully qualified name must be used for users in all
domains. This might be useful to someone, and even if it wasn't, I still
don't think it warrants making a (IMO counter-intuitive) special case
out of the empty list.

--
Jan Cholasta

From freeipa-github-notification at redhat.com Thu Mar 2 07:57:06 2017
From: freeipa-github-notification at redhat.com (lslebodn)
Date: Thu, 02 Mar 2017 08:57:06 +0100
Subject: [Freeipa-devel] [freeipa PR#502][comment] Make pylint and jsl optional
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/502
Title: #502: Make pylint and jsl optional

lslebodn commented:
"""
On (01/03/17 22:37), Jan Cholasta wrote:
>I tend to agree with @lslebodn, but I don't have a strong opinion on this. I noticed a couple of issues though:
>
>* `--without-jslint` does not seem to work correctly:
> ```
> $ ./configure --without-jslint
> ...
> IPA Server 4.4.90.dev201703020634+git3a29b47
> ========================
> ...
> jslint: /usr/bin/jsl
> ...
> ```
>
>* In `freeipa.spec.in`, when `with_lint` is not defined, lint should be disabled, so `--disable-pylint` and `--without-jslint` should be passed to `%configure`.
>

This is exactly a reason why the simplest solution would be to extend error messages without changing default.

Default "yes" should encourage downstream packagers[1,2] to run make lint and catch issues with backported(downstream only) patches.

BTW there were also some version of packages for opensuse[2] but they were removed.

[1] https://anonscm.debian.org/cgit/pkg-freeipa/freeipa.git
[2] https://en.opensuse.org/Portal:FreeIPA
"""

See the full comment at https://github.com/freeipa/freeipa/pull/502#issuecomment-283582564

From abokovoy at redhat.com Thu Mar 2 08:06:01 2017
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 2 Mar 2017 10:06:01 +0200
Subject: [Freeipa-devel] Please review: V4/AD user short names design draft
In-Reply-To: <1c703359-c095-5028-db4e-ee2a108a5d3f@redhat.com>
References: <92623f03-bb8c-9931-ff54-3024bdb3077d@redhat.com>
 <20170228124802.krupsj2xa7fo3ewn@redhat.com>
 <34d00fea-68dd-00ec-b9e9-d1d27d6ba819@redhat.com>
 <20170301130526.66tvuj5tceiyd4r6@redhat.com>
 <20170301135807.c65u7thxqcfquvn3@redhat.com>
 <1c703359-c095-5028-db4e-ee2a108a5d3f@redhat.com>
Message-ID: <20170302080601.5einh63munx36lb4@redhat.com>

On to, 02 maalis 2017, Jan Cholasta wrote:
>>>"No value is set in configuration => use built-in default / some value
>>>is set configuration => use the value" is perfectly user friendly and
>>>pretty much common virtually everywhere I believe, much more so than
>>>"empty value is set in configuration => ignore the value even if the
>>>user deliberately set it empty and use the default value instead".
>>I'm not arguing with "no value is set in configuration -> use built-in
>>default". I do argue on having empty but present attribute because it
>>does not add anything useful for SSSD to decide on. And as it is not
>>adding anything useful, why there should be such difference at all?
>>
>>This is the only question open I see in this design.
>
>The list does not have to contain all available domains, therefore it
>can also be empty. When a domain is not present in the list, a fully
>qualified name must be used for users in that domain, therefore when
>the list is empty, fully qualified name must be used for users in all
>domains.
>
>This might be useful to someone, and even if it wasn't, I still don't
>think it warrants making a (IMO counter-intuitive) special case out of
>the empty list.
I'm confused. I don't want to make this distinction between a missing attribute and an empty one. You appear to be following the same path. What we are arguing about then?

--
/ Alexander Bokovoy

From freeipa-github-notification at redhat.com Thu Mar 2 08:09:53 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Thu, 02 Mar 2017 09:09:53 +0100
Subject: [Freeipa-devel] [freeipa PR#531][opened] httpinstance: don't load system trust module in /etc/httpd/alias
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/531
Author: HonzaCholasta
Title: #531: httpinstance: don't load system trust module in /etc/httpd/alias
Action: opened

PR body:
"""
Currently the NSS database in /etc/httpd/alias is installed with the system trust module enabled via a /etc/httpd/alias/libnssckbi.so symlink. This is problematic for a number of reasons:

* IPA has its own trust store, which is effectively bypassed when the system trust module is enabled in the database. This may cause IPA unrelated CAs to be trusted by httpd, or even IPA related CAs not to be trusted by httpd.

* On client install, the IPA trust configuration is copied to the system trust store for third parties. When this configuration is removed, it may cause loss of trust information in /etc/httpd/alias (https://bugzilla.redhat.com/show_bug.cgi?id=1427897).

* When a CA certificate provided by the user in CA-less install conflicts with a CA certificate in the system trust store, the latter may be used by httpd, leading to broken https (https://www.redhat.com/archives/freeipa-users/2016-July/msg00360.html).

Rename the symlink on install and upgrade to prevent the system trust module to be loaded in /etc/httpd/alias and fix all of the above issues.

https://pagure.io/freeipa/issue/6132
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/531/head:pr531
git checkout pr531
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-531.patch
Type: text/x-diff
Size: 3478 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Thu Mar 2 08:10:11 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Thu, 02 Mar 2017 09:10:11 +0100
Subject: [Freeipa-devel] [freeipa PR#453][synchronized] Cleanup certdb
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/453
Author: tiran
Title: #453: Cleanup certdb
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/453/head:pr453
git checkout pr453
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-453.patch
Type: text/x-diff
Size: 10765 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Thu Mar 2 08:15:10 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 02 Mar 2017 09:15:10 +0100
Subject: [Freeipa-devel] [freeipa PR#532][opened] Fix cookie with Max-Age processing
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/532
Author: stlaz
Title: #532: Fix cookie with Max-Age processing
Action: opened

PR body:
"""
When cookie has Max-Age set it tries to get expiration by adding to a timestamp. Without this patch the timestamp would be set to None and thus the addition of timestamp + max_age fails

https://pagure.io/freeipa/issue/6718
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/532/head:pr532
git checkout pr532
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-532.patch
Type: text/x-diff
Size: 2859 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Thu Mar 2 08:21:43 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Thu, 02 Mar 2017 09:21:43 +0100
Subject: [Freeipa-devel] [freeipa PR#517][synchronized] [WIP] Use Custodia 0.3 features
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/517
Author: tiran
Title: #517: [WIP] Use Custodia 0.3 features
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/517/head:pr517
git checkout pr517
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-517.patch
Type: text/x-diff
Size: 7763 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Thu Mar 2 08:24:58 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 02 Mar 2017 09:24:58 +0100
Subject: [Freeipa-devel] [freeipa PR#502][comment] Make pylint and jsl optional
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/502
Title: #502: Make pylint and jsl optional

stlaz commented:
"""
There's an ongoing discussion about the acceptance of the patch. Removing the ACK label until the acceptance is agreed on. Please, @lslebodn or @tomaskrizek, add the label back once that is done. However, please, try to cut the **discussion short** and make the decision in the least comments possible.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/502#issuecomment-283587928

From freeipa-github-notification at redhat.com Thu Mar 2 08:25:02 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 02 Mar 2017 09:25:02 +0100
Subject: [Freeipa-devel] [freeipa PR#502][-ack] Make pylint and jsl optional
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/502
Title: #502: Make pylint and jsl optional
Label: -ack

From freeipa-github-notification at redhat.com Thu Mar 2 08:26:12 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Thu, 02 Mar 2017 09:26:12 +0100
Subject: [Freeipa-devel] [freeipa PR#531][comment] httpinstance: don't load system trust module in /etc/httpd/alias
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/531
Title: #531: httpinstance: don't load system trust module in /etc/httpd/alias

tiran commented:
"""
Your solution is just a temporary solution. The file is re-added every time mod_nss is updated. The mod_nss package needs to be changed, too.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/531#issuecomment-283588206

From freeipa-github-notification at redhat.com Thu Mar 2 08:27:39 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Thu, 02 Mar 2017 09:27:39 +0100
Subject: [Freeipa-devel] [freeipa PR#531][comment] httpinstance: don't load system trust module in /etc/httpd/alias
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/531
Title: #531: httpinstance: don't load system trust module in /etc/httpd/alias

HonzaCholasta commented:
"""
Sigh, did not notice that.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/531#issuecomment-283588529

From freeipa-github-notification at redhat.com Thu Mar 2 08:33:20 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Thu, 02 Mar 2017 09:33:20 +0100
Subject: [Freeipa-devel] [freeipa PR#531][comment] httpinstance: don't load system trust module in /etc/httpd/alias
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/531
Title: #531: httpinstance: don't load system trust module in /etc/httpd/alias

tiran commented:
"""
```
$ rpm -qf /etc/httpd/alias/libnssckbi.so
mod_nss-1.0.14-1.fc25.x86_64
```

https://src.fedoraproject.org/cgit/rpms/mod_nss.git/tree/mod_nss.spec#n158

```
%files
...
%{_sysconfdir}/httpd/alias/libnssckbi.so
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/531#issuecomment-283589720

From freeipa-github-notification at redhat.com Thu Mar 2 08:50:16 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 02 Mar 2017 09:50:16 +0100
Subject: [Freeipa-devel] [freeipa PR#532][synchronized] Fix cookie with Max-Age processing
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/532
Author: stlaz
Title: #532: Fix cookie with Max-Age processing
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/532/head:pr532
git checkout pr532
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-532.patch
Type: text/x-diff
Size: 2865 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Thu Mar 2 08:56:55 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Thu, 02 Mar 2017 09:56:55 +0100
Subject: [Freeipa-devel] [freeipa PR#531][synchronized] httpinstance: don't load system trust module in /etc/httpd/alias
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/531
Author: HonzaCholasta
Title: #531: httpinstance: don't load system trust module in /etc/httpd/alias
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/531/head:pr531
git checkout pr531
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-531.patch
Type: text/x-diff
Size: 4247 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Thu Mar 2 08:57:21 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Thu, 02 Mar 2017 09:57:21 +0100
Subject: [Freeipa-devel] [freeipa PR#531][edited] httpinstance: don't load system trust module in /etc/httpd/alias
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/531
Author: HonzaCholasta
Title: #531: httpinstance: don't load system trust module in /etc/httpd/alias
Action: edited

Changed field: title
Original value:
"""
httpinstance: don't load system trust module in /etc/httpd/alias
"""

From freeipa-github-notification at redhat.com Thu Mar 2 08:57:35 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Thu, 02 Mar 2017 09:57:35 +0100
Subject: [Freeipa-devel] [freeipa PR#531][edited] httpinstance: disable system trust module in /etc/httpd/alias
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/531
Author: HonzaCholasta
Title: #531: httpinstance: disable system trust module in /etc/httpd/alias
Action: edited

Changed field: body
Original value:
"""
Currently the NSS database in /etc/httpd/alias is installed with the system trust module enabled via a /etc/httpd/alias/libnssckbi.so symlink. This is problematic for a number of reasons:

* IPA has its own trust store, which is effectively bypassed when the system trust module is enabled in the database. This may cause IPA unrelated CAs to be trusted by httpd, or even IPA related CAs not to be trusted by httpd.

* On client install, the IPA trust configuration is copied to the system trust store for third parties. When this configuration is removed, it may cause loss of trust information in /etc/httpd/alias (https://bugzilla.redhat.com/show_bug.cgi?id=1427897).

* When a CA certificate provided by the user in CA-less install conflicts with a CA certificate in the system trust store, the latter may be used by httpd, leading to broken https (https://www.redhat.com/archives/freeipa-users/2016-July/msg00360.html).

Rename the symlink on install and upgrade to prevent the system trust module to be loaded in /etc/httpd/alias and fix all of the above issues.

https://pagure.io/freeipa/issue/6132
"""

From freeipa-github-notification at redhat.com Thu Mar 2 09:03:47 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Thu, 02 Mar 2017 10:03:47 +0100
Subject: [Freeipa-devel] [freeipa PR#526][comment] server install: do not attempt to issue PKINIT cert in CA-less
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/526
Title: #526: server install: do not attempt to issue PKINIT cert in CA-less

HonzaCholasta commented:
"""
OK, thanks.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/526#issuecomment-283596373

From freeipa-github-notification at redhat.com Thu Mar 2 09:04:27 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Thu, 02 Mar 2017 10:04:27 +0100
Subject: [Freeipa-devel] [freeipa PR#526][+pushed] server install: do not attempt to issue PKINIT cert in CA-less
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/526
Title: #526: server install: do not attempt to issue PKINIT cert in CA-less
Label: +pushed

From freeipa-github-notification at redhat.com Thu Mar 2 09:04:29 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Thu, 02 Mar 2017 10:04:29 +0100
Subject: [Freeipa-devel] [freeipa PR#526][comment] server install: do not attempt to issue PKINIT cert in CA-less
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/526
Title: #526: server install: do not attempt to issue PKINIT cert in CA-less

HonzaCholasta commented:
"""
master:

* ba3c201a03cd0b224b43e45245147e48b7291f9f server install: do not attempt to issue PKINIT cert in CA-less
"""

See the full comment at https://github.com/freeipa/freeipa/pull/526#issuecomment-283596507

From freeipa-github-notification at redhat.com Thu Mar 2 09:04:30 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Thu, 02 Mar 2017 10:04:30 +0100
Subject: [Freeipa-devel] [freeipa PR#526][closed] server install: do not attempt to issue PKINIT cert in CA-less
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/526
Author: HonzaCholasta
Title: #526: server install: do not attempt to issue PKINIT cert in CA-less
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/526/head:pr526
git checkout pr526

From jhrozek at redhat.com Thu Mar 2 09:25:36 2017
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 2 Mar 2017 10:25:36 +0100
Subject: [Freeipa-devel] Please review: V4/AD user short names design draft
In-Reply-To:
References: <92623f03-bb8c-9931-ff54-3024bdb3077d@redhat.com>
 <1488379327.10234.17.camel@redhat.com>
 <1488382341.10234.26.camel@redhat.com>
 <1488384292.10234.35.camel@redhat.com>
 <20170301162857.p5dfawm4co3q3oex@redhat.com>
Message-ID: <20170302092536.gb3r6p4xh6ke4hx3@hendrix>

On Thu, Mar 02, 2017 at 08:12:04AM +0100, Martin Babinsky wrote:
> On 03/01/2017 05:28 PM, Alexander Bokovoy wrote:
> > On ke, 01 maalis 2017, Simo Sorce wrote:
> > > > > My take is: cut API/UI work, and do the underlying infrastructure work
> > > > > for the widest set of servers/clients possible instead.
> > > > >
> > > > > It is much more important to get the underlying gears done than to add
> > > > > UI candy, that can be delayed.
> > > > >
> > > > > Simo.
> > > > >
> > > >
> > > > I agree, we just have to come to agreement of *which* gears are really
> > > > necessary.
> > >
> > > Indeed, but adding attributes to ipaConfig and the ID Views is not hard,
> > > it is a matter of extending two objectclasses instead of one ... if we
> > > decide that Id Views are a good abstraction point.
> > Adding the same attribute to ID View and to ipaConfig sounds logical to
> > me.
> >
> > Martin, if you want help with this, I can implement ID View-related
> > parts. SSSD does have code to retrieve ipaConfig already, and it also
> > has support for reading ID View associated with the host. The resulting
> > value wouldn't end up in the same place, though, but this is something
> > to handle on SSSD side.
> >
>
> I was thinking about this at night (insomnia FTW) and it is actually pretty
> easy to extend ID view with the same attribute (see my other reply to Simo).
> Given the UI will be pretty dumb, we just can add the new attribute to the
> ID view object and a common code will be responsible for validation of
> changed values.

(I'm sorry to come late to the discussion, but I spent yesterday debugging a nasty issue in SSSD and my brain wasn't working anymore)

To be honest, I haven't heard about users requesting to set the feature per-host. Most were interested in a global setting and given the short time before the next release, I thought for users who need a per-client solution, a local sssd.conf modification could also work, also considering that the /only/ solution so far was to modify sssd.conf with the default_domain_suffix hack.

On the other hand, I see Simo's point about easy migration to this new setting and easier tinkering with the option if it's possible to set this per-view. And more importantly, I'm quite sure someone /will/ ask to set this centrally, but per host(group) eventually.

So as long as the final design is a) extendable to provide a per-host setting in the future, even if that part is not implemented in this version in the UI or not used by the clients immediately and b) it's easy for clients to consume this setting, I'm fine.

I'm afraid I can't comment on the ipaConfig issues and the replication concerns as I'm not that proficient with IPA internals..

From freeipa-github-notification at redhat.com Thu Mar 2 09:27:11 2017
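For the short-name design thread above, the validation rule quoted from the design page and the missing-versus-empty semantics Jan Cholasta argues for can be sketched as follows. This is an added Python example, not part of any message and not FreeIPA or SSSD code; the ':' separator (one of the candidates floated in the thread, which settles on none), the `user@domain` form, all function names and the sample domains are assumptions.

```python
# Added illustration of the domain resolution order semantics from the thread.
SEPARATOR = ":"  # assumption: the thread proposes ':', ',' or ';' and picks none


class ResolutionOrderError(ValueError):
    """Raised when a stored value cannot be accepted."""


def parse_order(raw):
    """Decode the attribute value into None (absent) or a list of domains.

    None       -> attribute missing: the client keeps its built-in behaviour
    SEPARATOR  -> explicit empty list (LDAP cannot store an empty string)
    "a:b"      -> domains to try, in order
    """
    if raw is None:
        return None
    if raw == SEPARATOR:
        return []
    domains = [part.strip().lower() for part in raw.split(SEPARATOR)]
    if not all(domains):
        raise ResolutionOrderError("empty domain name in %r" % raw)
    return domains


def validate_order(order, ipa_domain, trusted_domains):
    """Apply the rule quoted from the design page.

    trusted_domains maps each trusted AD domain to True (enabled) or
    False (disabled); every listed name must be the IPA domain or an
    enabled trusted domain.
    """
    if order is None:
        return
    trusts = {name.lower(): enabled for name, enabled in trusted_domains.items()}
    for domain in order:
        if domain == ipa_domain.lower():
            continue
        if domain not in trusts:
            raise ResolutionOrderError("unknown domain: %s" % domain)
        if not trusts[domain]:
            raise ResolutionOrderError("trusted domain is disabled: %s" % domain)


def candidates(short_name, order):
    """Fully qualified names to try for a short name, in order.

    Returns None when the attribute is absent (the caller applies its own
    default) and [] when the list is empty (only fully qualified names
    can be used). The user@domain form is an assumption of this sketch.
    """
    if order is None:
        return None
    return ["%s@%s" % (short_name, domain) for domain in order]


# Constructed sample data, not taken from the thread.
IPA_DOMAIN = "ipa.test"
TRUSTS = {"ad.test": True, "old.ad.test": False}


def check(raw):
    """Parse and validate one stored value; return the list or the error text."""
    try:
        order = parse_order(raw)
        validate_order(order, IPA_DOMAIN, TRUSTS)
        return order
    except ResolutionOrderError as exc:
        return str(exc)


if __name__ == "__main__":
    for raw in (None, ":", "ad.test:ipa.test", "ad.test:old.ad.test", "typo.test"):
        print(repr(raw), "->", check(raw))
```

Rejecting unknown and disabled domains at write time is what prevents the hard-to-debug case raised in the thread, where SSSD silently ignores a domain it does not know about.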
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Thu, 02 Mar 2017 10:27:11 +0100
Subject: [Freeipa-devel] [freeipa PR#531][synchronized] httpinstance: disable system trust module in /etc/httpd/alias
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/531
Author: HonzaCholasta
Title: #531: httpinstance: disable system trust module in /etc/httpd/alias
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/531/head:pr531
git checkout pr531
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-531.patch
Type: text/x-diff
Size: 4243 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Thu Mar 2 09:29:25 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Thu, 02 Mar 2017 10:29:25 +0100
Subject: [Freeipa-devel] [freeipa PR#531][synchronized] httpinstance: disable system trust module in /etc/httpd/alias
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/531
Author: HonzaCholasta
Title: #531: httpinstance: disable system trust module in /etc/httpd/alias
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/531/head:pr531
git checkout pr531
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-531.patch
Type: text/x-diff
Size: 4264 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Thu Mar 2 09:36:45 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 02 Mar 2017 10:36:45 +0100
Subject: [Freeipa-devel] [freeipa PR#510][comment] Vault: port key wrapping to python-cryptography
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/510
Title: #510: Vault: port key wrapping to python-cryptography

stlaz commented:
"""
Tested this and gone through the code, both were fine. ACK.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/510#issuecomment-283603907

From freeipa-github-notification at redhat.com Thu Mar 2 09:36:49 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 02 Mar 2017 10:36:49 +0100
Subject: [Freeipa-devel] [freeipa PR#510][+ack] Vault: port key wrapping to python-cryptography
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/510
Title: #510: Vault: port key wrapping to python-cryptography
Label: +ack

From freeipa-github-notification at redhat.com Thu Mar 2 09:40:28 2017
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Thu, 02 Mar 2017 10:40:28 +0100
Subject: [Freeipa-devel] [freeipa PR#502][comment] Make pylint and jsl optional
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/502
Title: #502: Make pylint and jsl optional

tomaskrizek commented:
"""
Since `--without-jslint` was removed, there's actually no way to explicitly turn off jsl (it will always be autodetected). I tried to set `--with-jslint=no`, but that didn't do the trick. Pylint can be disabled with `--enable-pylint=no`, however.

I suggest the following:
- when `--with-jslint=no`, turn off jsl,
- pass `--with-jslint=no --enable-pylint=no` to `%configure` in `freeipa.spec.in` when `with_lint` is not defined.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/502#issuecomment-283604750

From freeipa-github-notification at redhat.com Thu Mar 2 09:42:43 2017
From: freeipa-github-notification at redhat.com (pvomacka)
Date: Thu, 02 Mar 2017 10:42:43 +0100
Subject: [Freeipa-devel] [freeipa PR#533][opened] WebUI: Change structure of Identity submenu
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/533
Author: pvomacka
Title: #533: WebUI: Change structure of Identity submenu
Action: opened

PR body:
"""
Previously there were 'User Groups', 'Host Groups' and 'Netgroups' separately, now these three items are grouped into one named 'Groups' which has sidebar with three items mentioned above.

This change allows us to move ID views into Identity submenu.

https://pagure.io/freeipa/issue/6717
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/533/head:pr533
git checkout pr533
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-533.patch
Type: text/x-diff
Size: 6455 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Thu Mar 2 09:45:56 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Thu, 02 Mar 2017 10:45:56 +0100
Subject: [Freeipa-devel] [freeipa PR#475][synchronized] Add options to run only ipaclient unittests
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/475
Author: tiran
Title: #475: Add options to run only ipaclient unittests
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/475/head:pr475
git checkout pr475
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-475.patch
Type: text/x-diff
Size: 17686 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Thu Mar 2 11:04:04 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Thu, 02 Mar 2017 12:04:04 +0100
Subject: [Freeipa-devel] [freeipa PR#502][comment] Make pylint and jsl optional
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/502
Title: #502: Make pylint and jsl optional

tiran commented:
"""
@tomaskrizek autoconf is a bit magic. ```--without-jslint``` is still there. The line ```AC_ARG_WITH([jslint], ...)``` provides ```--with-jslint``` and ```--without-jslint```. But there was a bug in my check logic.

I pushed another fix that fixed a bug in my logic and replaces some complicated checks with a straight-forward ```AS_CASE``` block.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/502#issuecomment-283623906

From freeipa-github-notification at redhat.com Thu Mar 2 11:04:32 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Thu, 02 Mar 2017 12:04:32 +0100
Subject: [Freeipa-devel] [freeipa PR#502][synchronized] Make pylint and jsl optional
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/502
Author: tiran
Title: #502: Make pylint and jsl optional
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/502/head:pr502
git checkout pr502
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-502.patch
Type: text/x-diff
Size: 6573 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Thu Mar 2 11:09:43 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Thu, 02 Mar 2017 12:09:43 +0100
Subject: [Freeipa-devel] [freeipa PR#531][synchronized] httpinstance: disable system trust module in /etc/httpd/alias
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/531
Author: HonzaCholasta
Title: #531: httpinstance: disable system trust module in /etc/httpd/alias
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/531/head:pr531
git checkout pr531
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-531.patch
Type: text/x-diff
Size: 4342 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Thu Mar 2 11:27:24 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Thu, 02 Mar 2017 12:27:24 +0100
Subject: [Freeipa-devel] [freeipa PR#502][comment] Make pylint and jsl optional
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/502
Title: #502: Make pylint and jsl optional

tiran commented:
"""
Which audience is our primary concern here?

1. Should default settings be tailored towards downstream packagers?
2. Or should default settings be user-friendly for upstream and external users?

I'm for upstream first. Packaging is pretty much automated and scripted. A packager can easily adjust a script for a new version. There are also just a handful of distributions (Fedora/RHEL/CentOS, Debian/Ubuntu, SuSE, Gentoo).
"""

See the full comment at https://github.com/freeipa/freeipa/pull/502#issuecomment-283628663

From freeipa-github-notification at redhat.com Thu Mar 2 11:30:32 2017
From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 02 Mar 2017 12:30:32 +0100 Subject: [Freeipa-devel] [freeipa PR#502][synchronized] Make pylint and jsl optional In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/502 Author: tiran Title: #502: Make pylint and jsl optional Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/502/head:pr502 git checkout pr502 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-502.patch Type: text/x-diff Size: 6623 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 2 11:31:38 2017 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Thu, 02 Mar 2017 12:31:38 +0100 Subject: [Freeipa-devel] [freeipa PR#516][synchronized] IdM Server: list all Employees with matching Smart Card In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/516 Author: flo-renaud Title: #516: IdM Server: list all Employees with matching Smart Card Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/516/head:pr516 git checkout pr516 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-516.patch Type: text/x-diff Size: 59274 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 2 11:48:03 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 02 Mar 2017 12:48:03 +0100 Subject: [Freeipa-devel] [freeipa PR#453][comment] Cleanup certdb In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/453 Title: #453: Cleanup certdb stlaz commented: """ The changes are fine. Please, squash the two commits together so that we can push it. """ See the full comment at https://github.com/freeipa/freeipa/pull/453#issuecomment-283632762 From freeipa-github-notification at redhat.com Thu Mar 2 12:02:00 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 02 Mar 2017 13:02:00 +0100 Subject: [Freeipa-devel] [freeipa PR#453][synchronized] Cleanup certdb In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/453 Author: tiran Title: #453: Cleanup certdb Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/453/head:pr453 git checkout pr453 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-453.patch Type: text/x-diff Size: 9107 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 2 12:35:02 2017 
From: freeipa-github-notification at redhat.com (flo-renaud) Date: Thu, 02 Mar 2017 13:35:02 +0100 Subject: [Freeipa-devel] [freeipa PR#516][comment] IdM Server: list all Employees with matching Smart Card In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/516 Title: #516: IdM Server: list all Employees with matching Smart Card flo-renaud commented: """ @abbra , Thanks for your comment. Running in permissive mode I did not see any AVC logged in the journal. @HonzaCholasta thanks for the tips re. writing API. I have followed your advice and made certificate a positional argument. The output will look like this: ``` --------------- 2 users matched --------------- Domain: DOM-076.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM Usernames: user1, user2 ---------------------------- Number of entries returned 2 ---------------------------- ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/516#issuecomment-283642083 From freeipa-github-notification at redhat.com Thu Mar 2 12:38:57 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 02 Mar 2017 13:38:57 +0100 Subject: [Freeipa-devel] [freeipa PR#517][synchronized] [WIP] Use Custodia 0.3 features In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/517 Author: tiran Title: #517: [WIP] Use Custodia 0.3 features Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/517/head:pr517 git checkout pr517 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-517.patch Type: text/x-diff Size: 6834 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 2 12:49:32 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 02 Mar 2017 13:49:32 +0100 Subject: [Freeipa-devel] [freeipa PR#502][comment] Make pylint and jsl optional In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/502 Title: #502: Make pylint and jsl optional tomaskrizek commented: """ Looks good. +1 for user-friendly upstream as primary audience. Packagers can turn these checks on. """ See the full comment at https://github.com/freeipa/freeipa/pull/502#issuecomment-283645003 From freeipa-github-notification at redhat.com Thu Mar 2 13:03:46 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 02 Mar 2017 14:03:46 +0100 Subject: [Freeipa-devel] [freeipa PR#453][+ack] Cleanup certdb In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/453 Title: #453: Cleanup certdb Label: +ack From freeipa-github-notification at redhat.com Thu Mar 2 13:22:37 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 02 Mar 2017 14:22:37 +0100 Subject: [Freeipa-devel] [freeipa PR#510][+pushed] Vault: port key wrapping to python-cryptography In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/510 Title: #510: Vault: port key wrapping to python-cryptography Label: +pushed From freeipa-github-notification at redhat.com Thu Mar 2 13:22:38 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 02 Mar 2017 14:22:38 +0100 Subject: [Freeipa-devel] [freeipa PR#510][closed] Vault: port key wrapping to python-cryptography In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/510 Author: tiran Title: #510: Vault: port key wrapping to python-cryptography Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/510/head:pr510 git checkout pr510 From freeipa-github-notification at redhat.com Thu Mar 2 13:22:40 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 02 Mar 2017 14:22:40 +0100 Subject: [Freeipa-devel] [freeipa PR#510][comment] Vault: port key wrapping to python-cryptography In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/510 Title: #510: Vault: port key wrapping to python-cryptography MartinBasti commented: """ master: * ed7a03a1af8b556247b929635e2972be4f2b32e4 Vault: port key wrapping to python-cryptography """ See the full comment at https://github.com/freeipa/freeipa/pull/510#issuecomment-283651863 From freeipa-github-notification at redhat.com Thu Mar 2 13:23:51 2017 From: freeipa-github-notification at redhat.com (redhatrises) Date: Thu, 02 Mar 2017 14:23:51 +0100 Subject: [Freeipa-devel] [freeipa PR#444][comment] Allow nsaccountlock to be searched in user-find commands In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/444 Title: #444: Allow nsaccountlock to be searched in user-find commands redhatrises commented: """ Thanks guys. So can this be fixed in `pre_callback` or `post_callback` in `user_find`, or am I looking elsewhere? (Not super familiar with all of the IPA framework) """ See the full comment at https://github.com/freeipa/freeipa/pull/444#issuecomment-283652157 From freeipa-github-notification at redhat.com Thu Mar 2 13:34:47 2017 
From: freeipa-github-notification at redhat.com (pvoborni) Date: Thu, 02 Mar 2017 14:34:47 +0100 Subject: [Freeipa-devel] [freeipa PR#520][synchronized] Change README to use Markdown In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/520 Author: pvoborni Title: #520: Change README to use Markdown Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/520/head:pr520 git checkout pr520 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-520.patch Type: text/x-diff Size: 10721 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 2 13:44:04 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 02 Mar 2017 14:44:04 +0100 Subject: [Freeipa-devel] [freeipa PR#472][+pushed] Packaging: Add placeholder packages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/472 Title: #472: Packaging: Add placeholder packages Label: +pushed From freeipa-github-notification at redhat.com Thu Mar 2 13:44:05 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 02 Mar 2017 14:44:05 +0100 Subject: [Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/472 Title: #472: Packaging: Add placeholder packages MartinBasti commented: """ master: * 2e784336b0fe99baa47cf3e024f744ed56dc12ec Packaging: Add placeholder packages * e2b9ea2fd58b98edbb8d6aec97aadeea7cf11dcb Add python-wheel as build requirement * acdd1f59782bb836d6c4c255689918368adb8dab Add placeholders for ipaplatform, ipaserver and ipatests * b4c1bf1c7d1a63e802abe6334bd1112d2d468513 Add with_wheels global to install wheel and PyPI packaging dependencies * ab9f42d6eeefeaca2e4a5a9acfbb07b428be4616 Python build: use --build-base everywhere * 60cfacc54167b7b94b63874ade62740d980e3746 pylint: ignore pypi placeholders * bc1f60b3ba74032cb0895e154e02971aa380a6b3 Default to pkginstall=true without duplicated definitions """ See the full comment at https://github.com/freeipa/freeipa/pull/472#issuecomment-283656502 From freeipa-github-notification at redhat.com Thu Mar 2 13:44:07 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 02 Mar 2017 14:44:07 +0100 Subject: [Freeipa-devel] [freeipa PR#472][closed] Packaging: Add placeholder packages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/472 Author: tiran Title: #472: Packaging: Add placeholder packages Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/472/head:pr472 git checkout pr472 From freeipa-github-notification at redhat.com Thu Mar 2 13:45:50 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 02 Mar 2017 14:45:50 +0100 Subject: [Freeipa-devel] [freeipa PR#453][+pushed] Cleanup certdb In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/453 Title: #453: Cleanup certdb Label: +pushed From freeipa-github-notification at redhat.com Thu Mar 2 13:45:52 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 02 Mar 2017 14:45:52 +0100 Subject: [Freeipa-devel] [freeipa PR#453][comment] Cleanup certdb In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/453 Title: #453: Cleanup certdb MartinBasti commented: """ master: * 22d7492c94837342a559c368454c223f566490ac Cleanup certdb """ See the full comment at https://github.com/freeipa/freeipa/pull/453#issuecomment-283656940 From freeipa-github-notification at redhat.com Thu Mar 2 13:45:53 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 02 Mar 2017 14:45:53 +0100 Subject: [Freeipa-devel] [freeipa PR#453][closed] Cleanup certdb In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/453 Author: tiran Title: #453: Cleanup certdb Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/453/head:pr453 git checkout pr453 From mbabinsk at redhat.com Thu Mar 2 13:47:24 2017 
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Thu, 2 Mar 2017 14:47:24 +0100
Subject: [Freeipa-devel] Please review: V4/AD user short names design draft
In-Reply-To: <20170302092536.gb3r6p4xh6ke4hx3@hendrix>
References: <92623f03-bb8c-9931-ff54-3024bdb3077d@redhat.com>
 <1488379327.10234.17.camel@redhat.com>
 <1488382341.10234.26.camel@redhat.com>
 <1488384292.10234.35.camel@redhat.com>
 <20170301162857.p5dfawm4co3q3oex@redhat.com>
 <20170302092536.gb3r6p4xh6ke4hx3@hendrix>
Message-ID: <989dc8a0-3686-27b8-8774-3d3f804493de@redhat.com>

On 03/02/2017 10:25 AM, Jakub Hrozek wrote:
> On Thu, Mar 02, 2017 at 08:12:04AM +0100, Martin Babinsky wrote:
>> On 03/01/2017 05:28 PM, Alexander Bokovoy wrote:
>>> On Wed, 01 Mar 2017, Simo Sorce wrote:
>>>>>> My take is: cut API/UI work, and do the underlying infrastructure work
>>>>>> for the widest set of servers/clients possible instead.
>>>>>>
>>>>>> It is much more important to get the underlying gears done than to add
>>>>>> UI candy, that can be delayed.
>>>>>>
>>>>>> Simo.
>>>>>>
>>>>>
>>>>> I agree, we just have to come to agreement of *which* gears are really
>>>>> necessary.
>>>>
>>>> Indeed, but adding attributes to ipaConfig and the ID Views is not hard,
>>>> it is a matter of extending two objectclasses instead of one ... if we
>>>> decide that Id Views are a good abstraction point.
>>> Adding the same attribute to ID View and to ipaConfig sounds logical to
>>> me.
>>>
>>> Martin, if you want help with this, I can implement ID View-related
>>> parts. SSSD does have code to retrieve ipaConfig already, and it also
>>> has support for reading ID View associated with the host. The resulting
>>> value wouldn't end up in the same place, though, but this is something
>>> to handle on SSSD side.
>>>
>>
>> I was thinking about this at night (insomnia FTW) and it is actually pretty
>> easy to extend ID view with the same attribute (see my other reply to Simo).
>> Given the UI will be pretty dumb, we just can add the new attribute to the
>> ID view object and a common code will be responsible for validation of
>> changed values.
>
> (I'm sorry to come late to the discussion, but I spent yesterday
> debugging a nasty issue in SSSD and my brain wasn't working anymore)
>
> To be honest, I haven't heard about users requesting to set the feature
> per-host. Most were interested in a global setting and given the short time
> before the next release, I thought for users who need a per-client solution,
> a local sssd.conf modification could also work, also considering that the
> /only/ solution so far was to modify sssd.conf with the default_domain_suffix
> hack.
>
> On the other hand, I see Simo's point about easy migration to this new
> setting and easier tinkering with the option if it's possible to set
> this per-view. And more importantly, I'm quite sure someone /will/ ask to
> set this centrally, but per host(group) eventually.
>
> So as long as the final design is a) extendable to provide a per-host
> setting in the future, even if that part is not implemented in this version
> in the UI or not used by the clients immediately and b) it's easy for
> clients to consume this setting, I'm fine.
>
> I'm afraid I can't comment on the ipaConfig issues and the replication
> concerns as I'm not that proficient with IPA internals..
>

If we introduce a new objectclass providing the attribute, we may then
easily extend IDView object by it (or any other object for that matter) and
fix the plugin code so that it can be set by framework, it is easy.

If you all agree that this is the way we want to move forward with this
project, I can update the design page and start implementing stuff. We need
to decide quickly, time is short.

-- 
Martin^3 Babinsky

From freeipa-github-notification at redhat.com Thu Mar 2 13:51:56 2017
From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 02 Mar 2017 14:51:56 +0100 Subject: [Freeipa-devel] [freeipa PR#504][comment] Add SHA256 fingerprints In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/504 Title: #504: Add SHA256 fingerprints stlaz commented: """ I wanted to test this but nothing is currently shown for either SHA-1 or SHA256 fingerprints in the WebUI so you can either fix it or we'll wait till @pvomacka has that done. """ See the full comment at https://github.com/freeipa/freeipa/pull/504#issuecomment-283658413 From freeipa-github-notification at redhat.com Thu Mar 2 13:53:08 2017 From: freeipa-github-notification at redhat.com (simo5) Date: Thu, 02 Mar 2017 14:53:08 +0100 Subject: [Freeipa-devel] [freeipa PR#532][comment] Fix cookie with Max-Age processing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/532 Title: #532: Fix cookie with Max-Age processing simo5 commented: """ Do we really care for calculating the expiration time ? Should we just set timestamp to 0 or even remove the whole thing ? """ See the full comment at https://github.com/freeipa/freeipa/pull/532#issuecomment-283658705 From simo at redhat.com Thu Mar 2 13:54:04 2017 
From: simo at redhat.com (Simo Sorce)
Date: Thu, 02 Mar 2017 08:54:04 -0500
Subject: [Freeipa-devel] Please review: V4/AD user short names design draft
In-Reply-To: <1374aa71-8e1a-73db-94a1-6af26789c2ed@redhat.com>
References: <92623f03-bb8c-9931-ff54-3024bdb3077d@redhat.com>
 <1488379327.10234.17.camel@redhat.com>
 <1488382341.10234.26.camel@redhat.com>
 <1488384292.10234.35.camel@redhat.com>
 <1488387086.10234.41.camel@redhat.com>
 <1374aa71-8e1a-73db-94a1-6af26789c2ed@redhat.com>
Message-ID: <1488462844.10234.64.camel@redhat.com>

On Thu, 2017-03-02 at 08:10 +0100, Martin Babinsky wrote:
> In this case it would probably be a good idea to think about "forward
> compatibility" and define a new AUX objectclass bringing in
> 'ipaDomainResolutionOrder' instead of extending two separate
> objectclasses. In this way we may then just extend whatever object we
> desire to carry the override in an easy and clean way.

I agree.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From freeipa-github-notification at redhat.com Thu Mar 2 14:03:54 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Thu, 02 Mar 2017 15:03:54 +0100 Subject: [Freeipa-devel] [freeipa PR#400][synchronized] WebUI: Certificate Mapping In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/400 Author: pvomacka Title: #400: WebUI: Certificate Mapping Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/400/head:pr400 git checkout pr400 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-400.patch Type: text/x-diff Size: 29462 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 2 14:05:32 2017
From: freeipa-github-notification at redhat.com (pvomacka) Date: Thu, 02 Mar 2017 15:05:32 +0100 Subject: [Freeipa-devel] [freeipa PR#400][comment] WebUI: Certificate Mapping In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/400 Title: #400: WebUI: Certificate Mapping pvomacka commented: """ In last update I changed just line 33 in certmap.js file. """ See the full comment at https://github.com/freeipa/freeipa/pull/400#issuecomment-283661677 From freeipa-github-notification at redhat.com Thu Mar 2 14:07:09 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Thu, 02 Mar 2017 15:07:09 +0100 Subject: [Freeipa-devel] [freeipa PR#504][comment] Add SHA256 fingerprints In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/504 Title: #504: Add SHA256 fingerprints pvomacka commented: """ @stlaz , @tomaskrizek I will fix that today. """ See the full comment at https://github.com/freeipa/freeipa/pull/504#issuecomment-283662059 From freeipa-github-notification at redhat.com Thu Mar 2 14:08:39 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 02 Mar 2017 15:08:39 +0100 Subject: [Freeipa-devel] [freeipa PR#476][comment] vault: cache the transport certificate on client In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/476 Title: #476: vault: cache the transport certificate on client tiran commented: """ I didn't see your comment regarding the in-memory cache because github hid the section after your most recent push. The in-memory cache doesn't work for Custodia because Custodia is a forking webserver. Requests are handled in one-shot client processes. I must be able to forcefully download the certificate in the main process, before it starts listening on incoming requests. """ See the full comment at https://github.com/freeipa/freeipa/pull/476#issuecomment-283662399 From freeipa-github-notification at redhat.com Thu Mar 2 14:10:13 2017 
From: freeipa-github-notification at redhat.com (dkupka) Date: Thu, 02 Mar 2017 15:10:13 +0100 Subject: [Freeipa-devel] [freeipa PR#398][+pushed] Support for Certificate Identity Mapping In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/398 Title: #398: Support for Certificate Identity Mapping Label: +pushed From freeipa-github-notification at redhat.com Thu Mar 2 14:10:14 2017 From: freeipa-github-notification at redhat.com (dkupka) Date: Thu, 02 Mar 2017 15:10:14 +0100 Subject: [Freeipa-devel] [freeipa PR#398][comment] Support for Certificate Identity Mapping In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/398 Title: #398: Support for Certificate Identity Mapping dkupka commented: """ master: * 9e24918c89f30a6d7064844dc0dd848bb35140df Support for Certificate Identity Mapping """ See the full comment at https://github.com/freeipa/freeipa/pull/398#issuecomment-283662781 From freeipa-github-notification at redhat.com Thu Mar 2 14:10:15 2017 From: freeipa-github-notification at redhat.com (dkupka) Date: Thu, 02 Mar 2017 15:10:15 +0100 Subject: [Freeipa-devel] [freeipa PR#398][closed] Support for Certificate Identity Mapping In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/398 Author: flo-renaud Title: #398: Support for Certificate Identity Mapping Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/398/head:pr398 git checkout pr398 From freeipa-github-notification at redhat.com Thu Mar 2 14:20:05 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 02 Mar 2017 15:20:05 +0100 Subject: [Freeipa-devel] [freeipa PR#532][comment] Fix cookie with Max-Age processing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/532 Title: #532: Fix cookie with Max-Age processing stlaz commented: """ If I read the code well, in a well-set-up cookie, during `store_session_cookie()` when `Cookie.get_named_cookie_from_string()` is called, the expiration gets normalized which basically means removing the `Max-Age` attribute and replacing it with the `Expires` attribute in the cookie string (see `Cookie.normalize_expiration()` and `Cookie.__str__()`). When later retrieving the cookie, it should not have the `Max-Age` attribute anymore but only `Expires`. Therefore we need to calculate it or change the way `normalize_expiration()` behaves. """ See the full comment at https://github.com/freeipa/freeipa/pull/532#issuecomment-283665210 From freeipa-github-notification at redhat.com Thu Mar 2 14:23:38 2017 From: freeipa-github-notification at redhat.com (simo5) Date: Thu, 02 Mar 2017 15:23:38 +0100 Subject: [Freeipa-devel] [freeipa PR#532][comment] Fix cookie with Max-Age processing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/532 Title: #532: Fix cookie with Max-Age processing simo5 commented: """ Ok, sorry for some reason I thought this was on the server side, where we do not care what the cookie looks like, but on the client side we indeed care. """ See the full comment at https://github.com/freeipa/freeipa/pull/532#issuecomment-283666136 From freeipa-github-notification at redhat.com Thu Mar 2 14:31:19 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 02 Mar 2017 15:31:19 +0100 Subject: [Freeipa-devel] [freeipa PR#520][comment] Change README to use Markdown In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/520 Title: #520: Change README to use Markdown stlaz commented: """ The build fails no more ?, ACK. """ See the full comment at https://github.com/freeipa/freeipa/pull/520#issuecomment-283668339 From freeipa-github-notification at redhat.com Thu Mar 2 14:31:24 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 02 Mar 2017 15:31:24 +0100 Subject: [Freeipa-devel] [freeipa PR#520][+ack] Change README to use Markdown In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/520 Title: #520: Change README to use Markdown Label: +ack From freeipa-github-notification at redhat.com Thu Mar 2 14:44:49 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Thu, 02 Mar 2017 15:44:49 +0100 Subject: [Freeipa-devel] [freeipa PR#504][comment] Add SHA256 fingerprints In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/504 Title: #504: Add SHA256 fingerprints pvomacka commented: """ @tomaskrizek actually you did almost all necessary steps. Just please check inline comments where is described one another change. And in general you do not have to add anything into json files as they are present just because of historical reasons and will be removed soon. """ See the full comment at https://github.com/freeipa/freeipa/pull/504#issuecomment-283672011 From freeipa-github-notification at redhat.com Thu Mar 2 14:47:25 2017 
From: freeipa-github-notification at redhat.com (pvomacka) Date: Thu, 02 Mar 2017 15:47:25 +0100 Subject: [Freeipa-devel] [freeipa PR#504][comment] Add SHA256 fingerprints In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/504 Title: #504: Add SHA256 fingerprints pvomacka commented: """ @tomaskrizek so, inline comment is not possible to the line where file was not changed. So, please remove line 1979: delete command.options.all; . That should be enough to display fingerprints correctly. Thank you """ See the full comment at https://github.com/freeipa/freeipa/pull/504#issuecomment-283672713 From freeipa-github-notification at redhat.com Thu Mar 2 14:48:32 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 02 Mar 2017 15:48:32 +0100 Subject: [Freeipa-devel] [freeipa PR#504][synchronized] Add SHA256 fingerprints In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/504 Author: tomaskrizek Title: #504: Add SHA256 fingerprints Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/504/head:pr504 git checkout pr504 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-504.patch Type: text/x-diff Size: 11154 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 2 14:49:36 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 02 Mar 2017 15:49:36 +0100 Subject: [Freeipa-devel] [freeipa PR#504][comment] Add SHA256 fingerprints In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/504 Title: #504: Add SHA256 fingerprints tomaskrizek commented: """ @pvomacka Thanks! Should be fixed now. """ See the full comment at https://github.com/freeipa/freeipa/pull/504#issuecomment-283673360 From freeipa-github-notification at redhat.com Thu Mar 2 14:58:31 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 02 Mar 2017 15:58:31 +0100 Subject: [Freeipa-devel] [freeipa PR#504][synchronized] Add SHA256 fingerprints In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/504 Author: tomaskrizek Title: #504: Add SHA256 fingerprints Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/504/head:pr504 git checkout pr504 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-504.patch Type: text/x-diff Size: 10450 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 2 15:01:26 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 02 Mar 2017 16:01:26 +0100 Subject: [Freeipa-devel] [freeipa PR#530][synchronized] man: update ipa-cacert-manage In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/530 Author: tomaskrizek Title: #530: man: update ipa-cacert-manage Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/530/head:pr530 git checkout pr530 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-530.patch Type: text/x-diff Size: 1383 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 2 15:04:30 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 02 Mar 2017 16:04:30 +0100 Subject: [Freeipa-devel] [freeipa PR#530][synchronized] man: update ipa-cacert-manage In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/530 Author: tomaskrizek Title: #530: man: update ipa-cacert-manage Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/530/head:pr530 git checkout pr530 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-530.patch Type: text/x-diff Size: 1408 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 2 15:08:33 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 02 Mar 2017 16:08:33 +0100 Subject: [Freeipa-devel] [freeipa PR#530][+ack] man: update ipa-cacert-manage In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/530 Title: #530: man: update ipa-cacert-manage Label: +ack From jhrozek at redhat.com Thu Mar 2 15:11:41 2017 
From: jhrozek at redhat.com (Jakub Hrozek) Date: Thu, 2 Mar 2017 16:11:41 +0100 Subject: [Freeipa-devel] Please review: V4/AD user short names design draft In-Reply-To: <989dc8a0-3686-27b8-8774-3d3f804493de@redhat.com> References: <92623f03-bb8c-9931-ff54-3024bdb3077d@redhat.com> <1488379327.10234.17.camel@redhat.com> <1488382341.10234.26.camel@redhat.com> <1488384292.10234.35.camel@redhat.com> <20170301162857.p5dfawm4co3q3oex@redhat.com> <20170302092536.gb3r6p4xh6ke4hx3@hendrix> <989dc8a0-3686-27b8-8774-3d3f804493de@redhat.com> Message-ID: <20170302151141.xuolm45rntknmwbr@hendrix>

On Thu, Mar 02, 2017 at 02:47:24PM +0100, Martin Babinsky wrote:
> On 03/02/2017 10:25 AM, Jakub Hrozek wrote:
> > On Thu, Mar 02, 2017 at 08:12:04AM +0100, Martin Babinsky wrote:
> > > On 03/01/2017 05:28 PM, Alexander Bokovoy wrote:
> > > > On ke, 01 maalis 2017, Simo Sorce wrote:
> > > > > > > My take is: cut API/UI work, and do the underlying infrastructure work
> > > > > > > for the widest set of serves/clients possible instead.
> > > > > > >
> > > > > > > It is much more important to get the underlying gears done than to add
> > > > > > > UI candy, that can be delayed.
> > > > > > >
> > > > > > > Simo.
> > > > > > >
> > > > > >
> > > > > > I agree, we just have to come to agreement of *which* gears are really
> > > > > > necessary.
> > > > >
> > > > > Indeed, but adding attributes to ipaConfig and the ID Views is not hard,
> > > > > it is a matter of extending two objectclasses instead of one ... if we
> > > > > decide that Id Views are a good abstraction point.
> > > > Adding the same attribute to ID View and to ipaConfig sounds logical to
> > > > me.
> > > >
> > > > Martin, if you want help with this, I can implement ID View-related
> > > > parts. SSSD does have code to retrieve ipaConfig already, and it also
> > > > has support for reading ID View associated with the host. The resulting
> > > > value wouldn't end up in the same place, though, but this is something
> > > > to handle on SSSD side.
> > > >
> > >
> > > I was thinking about this at night (insomnia FTW) and it is actually pretty
> > > easy to extend ID view with the same attribute (see my other reply to Simo).
> > > Given the UI will be pretty dumb, we just can add the new attribute to the
> > > ID view object and a common code will be responsible for validation of
> > > changed values.
> >
> > (I'm sorry to come late to the discussion, but I spent yesterday
> > debugging a nasty issue in SSSD and my brain wasn't working anymore)
> >
> > To be honest, I haven't heard about users requesting to set the feature
> > per-host. Most were interested in a global setting and given the short time
> > before the next release, I thought for users who need a per-client solution,
> > a local sssd.conf modification could also work, also considering that the
> > /only/ solution so far was to modify sssd.conf with the default_domain_suffix
> > hack.
> >
> > On the other hand, I see Simo's point about easy migration to this new
> > setting and easier tinkering with the option if it's possible to set
> > this per-view. And more importantly, I'm quite sure someone /will/ ask to
> > set this centrally, but per host(group) eventually.
> >
> > So as long as the final design is a) extendable to provide a per-host
> > setting in the future, even if that part is not implemented in this version
> > in the UI or not used by the clients immediately and b) it's easy for
> > clients to consume this setting, I'm fine.
> >
> > I'm afraid I can't comment on the ipaConfig issues and the replication
> > concerns as I'm not that proficient with IPA internals..
> >
>
> If we introduce a new objectclass providing the attribute, we may then
> easily extend IDView object by it (or any other object for that matter) and
> fix the plugin code so that it can be set by framework, it is easy.
>
> If you all agree that this is the way we want to move forward with this
> project, I can update the design page and start implementing stuff. We need
> to decide quickly, time is short.

This sounds good to me from purely the client perspective, but I'm
hardly the best person to decide IPA server-side design questions.

From freeipa-github-notification at redhat.com Thu Mar 2 15:13:32 2017
From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 02 Mar 2017 16:13:32 +0100 Subject: [Freeipa-devel] [freeipa PR#534][opened] Move csrgen templates into ipaclient package Message-ID: URL: https://github.com/freeipa/freeipa/pull/534 Author: tiran Title: #534: Move csrgen templates into ipaclient package Action: opened PR body: """ csrgen broke packaging of ipaclient for PyPI. All csrgen related resources are now package data of ipaclient package. Package data is accessed with Jinja's PackageLoader() or through pkg_resources. https://pagure.io/freeipa/issue/6714 Signed-off-by: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/534/head:pr534 git checkout pr534 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-534.patch Type: text/x-diff Size: 24072 bytes Desc: not available URL:
From freeipa-github-notification at redhat.com Thu Mar 2 15:14:26 2017
From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 02 Mar 2017 16:14:26 +0100 Subject: [Freeipa-devel] [freeipa PR#534][comment] Move csrgen templates into ipaclient package In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/534 Title: #534: Move csrgen templates into ipaclient package tiran commented: """ @LiptonB please have a look. """ See the full comment at https://github.com/freeipa/freeipa/pull/534#issuecomment-283680629
From mbabinsk at redhat.com Thu Mar 2 15:43:17 2017
From: mbabinsk at redhat.com (Martin Babinsky) Date: Thu, 2 Mar 2017 16:43:17 +0100 Subject: [Freeipa-devel] Please review: V4/AD user short names design draft In-Reply-To: <20170302151141.xuolm45rntknmwbr@hendrix> References: <92623f03-bb8c-9931-ff54-3024bdb3077d@redhat.com> <1488379327.10234.17.camel@redhat.com> <1488382341.10234.26.camel@redhat.com> <1488384292.10234.35.camel@redhat.com> <20170301162857.p5dfawm4co3q3oex@redhat.com> <20170302092536.gb3r6p4xh6ke4hx3@hendrix> <989dc8a0-3686-27b8-8774-3d3f804493de@redhat.com> <20170302151141.xuolm45rntknmwbr@hendrix> Message-ID:

On 03/02/2017 04:11 PM, Jakub Hrozek wrote:
> On Thu, Mar 02, 2017 at 02:47:24PM +0100, Martin Babinsky wrote:
>> On 03/02/2017 10:25 AM, Jakub Hrozek wrote:
>>> On Thu, Mar 02, 2017 at 08:12:04AM +0100, Martin Babinsky wrote:
>>>> On 03/01/2017 05:28 PM, Alexander Bokovoy wrote:
>>>>> On ke, 01 maalis 2017, Simo Sorce wrote:
>>>>>>>> My take is: cut API/UI work, and do the underlying infrastructure work
>>>>>>>> for the widest set of serves/clients possible instead.
>>>>>>>>
>>>>>>>> It is much more important to get the underlying gears done than to add
>>>>>>>> UI candy, that can be delayed.
>>>>>>>>
>>>>>>>> Simo.
>>>>>>>>
>>>>>>>
>>>>>>> I agree, we just have to come to agreement of *which* gears are really
>>>>>>> necessary.
>>>>>>
>>>>>> Indeed, but adding attributes to ipaConfig and the ID Views is not hard,
>>>>>> it is a matter of extending two objectclasses instead of one ... if we
>>>>>> decide that Id Views are a good abstraction point.
>>>>> Adding the same attribute to ID View and to ipaConfig sounds logical to
>>>>> me.
>>>>>
>>>>> Martin, if you want help with this, I can implement ID View-related
>>>>> parts. SSSD does have code to retrieve ipaConfig already, and it also
>>>>> has support for reading ID View associated with the host. The resulting
>>>>> value wouldn't end up in the same place, though, but this is something
>>>>> to handle on SSSD side.
>>>>>
>>>>
>>>> I was thinking about this at night (insomnia FTW) and it is actually pretty
>>>> easy to extend ID view with the same attribute (see my other reply to Simo).
>>>> Given the UI will be pretty dumb, we just can add the new attribute to the
>>>> ID view object and a common code will be responsible for validation of
>>>> changed values.
>>>
>>> (I'm sorry to come late to the discussion, but I spent yesterday
>>> debugging a nasty issue in SSSD and my brain wasn't working anymore)
>>>
>>> To be honest, I haven't heard about users requesting to set the feature
>>> per-host. Most were interested in a global setting and given the short time
>>> before the next release, I thought for users who need a per-client solution,
>>> a local sssd.conf modification could also work, also considering that the
>>> /only/ solution so far was to modify sssd.conf with the default_domain_suffix
>>> hack.
>>>
>>> On the other hand, I see Simo's point about easy migration to this new
>>> setting and easier tinkering with the option if it's possible to set
>>> this per-view. And more importantly, I'm quite sure someone /will/ ask to
>>> set this centrally, but per host(group) eventually.
>>>
>>> So as long as the final design is a) extendable to provide a per-host
>>> setting in the future, even if that part is not implemented in this version
>>> in the UI or not used by the clients immediately and b) it's easy for
>>> clients to consume this setting, I'm fine.
>>>
>>> I'm afraid I can't comment on the ipaConfig issues and the replication
>>> concerns as I'm not that proficient with IPA internals..
>>>
>>
>> If we introduce a new objectclass providing the attribute, we may then
>> easily extend IDView object by it (or any other object for that matter) and
>> fix the plugin code so that it can be set by framework, it is easy.
>>
>> If you all agree that this is the way we want to move forward with this
>> project, I can update the design page and start implementing stuff. We need
>> to decide quickly, time is short.
>
> This sounds good to me from purely the client perspective, but I'm
> hardly the best person to decide IPA server-side design questions.
>

That's ok, the thing is that you will be consuming this information so we should try our best to make you happy :).

--
Martin^3 Babinsky

From freeipa-github-notification at redhat.com Thu Mar 2 15:56:44 2017
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 02 Mar 2017 16:56:44 +0100 Subject: [Freeipa-devel] [freeipa PR#520][+pushed] Change README to use Markdown In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/520 Title: #520: Change README to use Markdown Label: +pushed
From freeipa-github-notification at redhat.com Thu Mar 2 15:56:46 2017
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 02 Mar 2017 16:56:46 +0100 Subject: [Freeipa-devel] [freeipa PR#520][comment] Change README to use Markdown In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/520 Title: #520: Change README to use Markdown tomaskrizek commented: """ master: * 5e0ca17ca06ad26f291d4738766e194b3784c5bd Change README to use Markdown """ See the full comment at https://github.com/freeipa/freeipa/pull/520#issuecomment-283693211
From freeipa-github-notification at redhat.com Thu Mar 2 15:56:47 2017
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 02 Mar 2017 16:56:47 +0100 Subject: [Freeipa-devel] [freeipa PR#520][closed] Change README to use Markdown In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/520 Author: pvoborni Title: #520: Change README to use Markdown Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/520/head:pr520 git checkout pr520
From freeipa-github-notification at redhat.com Thu Mar 2 16:04:09 2017
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 02 Mar 2017 17:04:09 +0100 Subject: [Freeipa-devel] [freeipa PR#530][+pushed] man: update ipa-cacert-manage In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/530 Title: #530: man: update ipa-cacert-manage Label: +pushed From freeipa-github-notification at redhat.com Thu Mar 2 16:04:12 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 02 Mar 2017 17:04:12 +0100 Subject: [Freeipa-devel] [freeipa PR#530][comment] man: update ipa-cacert-manage In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/530 Title: #530: man: update ipa-cacert-manage tomaskrizek commented: """ master: * 223a48b6d9916069971f79ab324ead26fa21c79d man: update ipa-cacert-manage """ See the full comment at https://github.com/freeipa/freeipa/pull/530#issuecomment-283695473 From freeipa-github-notification at redhat.com Thu Mar 2 16:04:14 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 02 Mar 2017 17:04:14 +0100 Subject: [Freeipa-devel] [freeipa PR#530][closed] man: update ipa-cacert-manage In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/530 Author: tomaskrizek Title: #530: man: update ipa-cacert-manage Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/530/head:pr530 git checkout pr530 From freeipa-github-notification at redhat.com Thu Mar 2 16:21:55 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 02 Mar 2017 17:21:55 +0100 Subject: [Freeipa-devel] [freeipa PR#534][synchronized] Move csrgen templates into ipaclient package In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/534 Author: tiran Title: #534: Move csrgen templates into ipaclient package Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/534/head:pr534 git checkout pr534 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-534.patch Type: text/x-diff Size: 24772 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 2 16:50:49 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 02 Mar 2017 17:50:49 +0100 Subject: [Freeipa-devel] [freeipa PR#534][synchronized] Move csrgen templates into ipaclient package In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/534 Author: tiran Title: #534: Move csrgen templates into ipaclient package Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/534/head:pr534 git checkout pr534 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-534.patch Type: text/x-diff Size: 25577 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 2 17:12:56 2017 
From: freeipa-github-notification at redhat.com (abbra) Date: Thu, 02 Mar 2017 18:12:56 +0100 Subject: [Freeipa-devel] [freeipa PR#535][opened] add whoami command Message-ID: URL: https://github.com/freeipa/freeipa/pull/535 Author: abbra Title: #535: add whoami command Action: opened PR body:
"""
`ipa whoami` command allows to query details about currently authenticated identity. The command returns following information:

* object class name
* function to call to get actual details about the object
* arguments to pass to the function
* options to pass to the function

There are five types of objects that could bind to IPA using their credentials. `ipa whoami` call expects one of the following:

* users
* staged users
* hosts
* Kerberos services
* ID user override from the default trust view

The latter category of objects is automatically mapped by SASL GSSAPI mapping rule in 389-ds for users from trusted Active Directory forests.

The command is expected to be used by Web UI to define proper view for the authenticated identity. Below is an example of how communication looks like for an Active Directory user which has ID override in 'Default Trust View'.

    $ ipa -vv whoami
    ipa: INFO: trying https://ipa.example.com/ipa/session/json
    ipa: INFO: Forwarding 'whoami/1' to json server 'https://ipa.example.com/ipa/session/json'
    ipa: INFO: Request: {
        "id": 0,
        "method": "whoami/1",
        "params": [
            [],
            {
                "version": "2.220"
            }
        ]
    }
    ipa: INFO: Response: {
        "error": null,
        "id": 0,
        "principal": "Administrator at AD.DOMAIN",
        "result": {
            "arguments": [
                "default trust view",
                "administrator at ad.domain"
            ],
            "details": "idoverrideuser_show/1",
            "object": "idoverrideuser",
            "options": []
        },
        "version": ""
    }

Fixes https://pagure.io/freeipa/issue/6643
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/535/head:pr535
git checkout pr535
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-535.patch Type: text/x-diff Size: 9751 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 2 17:13:06 2017 From: freeipa-github-notification at redhat.com (abbra) Date: Thu, 02 Mar 2017 18:13:06 +0100 Subject: [Freeipa-devel] [freeipa PR#535][comment] add whoami command In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/535 Title: #535: add whoami command abbra commented: """ Design page: http://www.freeipa.org/page/V4/Who_Am_I_Command """ See the full comment at https://github.com/freeipa/freeipa/pull/535#issuecomment-283716554 From freeipa-github-notification at redhat.com Thu Mar 2 17:36:24 2017 From: freeipa-github-notification at redhat.com (abbra) Date: Thu, 02 Mar 2017 18:36:24 +0100 Subject: [Freeipa-devel] [freeipa PR#444][comment] Allow nsaccountlock to be searched in user-find commands In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/444 Title: #444: Allow nsaccountlock to be searched in user-find commands abbra commented: """ Yes, you can add nsaccountlock attribute retrieval in the `pre_callback` and process it in the `post_callback`. nsaccountlock is an operational attribute so it needs to be requested explicitly. """ See the full comment at https://github.com/freeipa/freeipa/pull/444#issuecomment-283723205 From freeipa-github-notification at redhat.com Fri Mar 3 02:57:54 2017 
From: freeipa-github-notification at redhat.com (LiptonB) Date: Fri, 03 Mar 2017 03:57:54 +0100 Subject: [Freeipa-devel] [freeipa PR#534][comment] Move csrgen templates into ipaclient package In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/534 Title: #534: Move csrgen templates into ipaclient package LiptonB commented: """ Oops, sorry about the breakage. This seems fine to me, although I hadn't really been thinking of the templates and rules as data files. They're intended to be possible to modify, more like config files. (Come to think of it, `/usr/share` wasn't that appropriate for them either). So, that and the fact that they're now duplicated between `python2.*/site-packages` and `python3.*/site-packages` give me pause (especially if the user might edit them), but I don't have strong feelings about it. """ See the full comment at https://github.com/freeipa/freeipa/pull/534#issuecomment-283851563 From freeipa-github-notification at redhat.com Fri Mar 3 07:01:15 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 03 Mar 2017 08:01:15 +0100 Subject: [Freeipa-devel] [freeipa PR#534][comment] Move csrgen templates into ipaclient package In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/534 Title: #534: Move csrgen templates into ipaclient package tiran commented:
"""
In my opinion, a user should never modify a file that is managed by a package manager and not explicitly marked as a config file. Both files in ```/usr/share``` and ```site-packages``` are not config files. How about http://jinja.pocoo.org/docs/2.9/api/#jinja2.ChoiceLoader and this idea?

```
import os
import jinja2
from ipalib import api
# ChoiceLoader takes a single sequence of loaders and tries them in order
loader = jinja2.ChoiceLoader([
    jinja2.FileSystemLoader(os.path.join(api.env.conf_dir, 'csrgen/templates')),
    jinja2.PackageLoader('ipaclient', 'csrgen/templates'),
])
```

This allows users to override the templates by copying them to ```/etc/ipa/csrgen/templates```. We'd need similar code for the JSON files, too.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/534#issuecomment-283881532
From freeipa-github-notification at redhat.com Fri Mar 3 07:34:04 2017
From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 03 Mar 2017 08:34:04 +0100 Subject: [Freeipa-devel] [freeipa PR#534][comment] Move csrgen templates into ipaclient package In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/534 Title: #534: Move csrgen templates into ipaclient package tiran commented:
"""
In my opinion, a user should never modify a file that is managed by a package manager and not explicitly marked as a config file. Both files in ```/usr/share``` and ```site-packages``` are not config files. How about http://jinja.pocoo.org/docs/2.9/api/#jinja2.ChoiceLoader and this idea?

```
import os
import jinja2
from ipalib import api
# ChoiceLoader takes a single sequence of loaders and tries them in order
loader = jinja2.ChoiceLoader([
    jinja2.FileSystemLoader(os.path.join(api.env.conf_dir, 'csrgen/templates')),
    jinja2.PackageLoader('ipaclient', 'csrgen/templates'),
])
```

This allows users to override the templates by copying them to ```/etc/ipa/csrgen/templates```. We'd need similar code for the JSON files, too.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/534#issuecomment-283881532
From freeipa-github-notification at redhat.com Fri Mar 3 07:36:47 2017
From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 03 Mar 2017 08:36:47 +0100 Subject: [Freeipa-devel] [freeipa PR#534][synchronized] Move csrgen templates into ipaclient package In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/534 Author: tiran Title: #534: Move csrgen templates into ipaclient package Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/534/head:pr534 git checkout pr534 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-534.patch Type: text/x-diff Size: 30088 bytes Desc: not available URL:
From freeipa-github-notification at redhat.com Fri Mar 3 09:49:06 2017
From: freeipa-github-notification at redhat.com (flo-renaud) Date: Fri, 03 Mar 2017 10:49:06 +0100 Subject: [Freeipa-devel] [freeipa PR#536][opened] ipa systemd unit should define Wants=network instead of Requires=network Message-ID: URL: https://github.com/freeipa/freeipa/pull/536 Author: flo-renaud Title: #536: ipa systemd unit should define Wants=network instead of Requires=network Action: opened PR body: """ The file ipa.service defines Requires=network.target which means that ipa stack will be restarted each time the network stack is restarted. This is not needed, and Wants=network.target will be sufficient. https://fedorahosted.org/freeipa/ticket/6723 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/536/head:pr536 git checkout pr536 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-536.patch Type: text/x-diff Size: 913 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 3 10:42:44 2017 
From: freeipa-github-notification at redhat.com (Rezney) Date: Fri, 03 Mar 2017 11:42:44 +0100 Subject: [Freeipa-devel] [freeipa PR#537][opened] test_csrgen: adjusted comparison test scripts for CSRGenerator Message-ID: URL: https://github.com/freeipa/freeipa/pull/537 Author: Rezney Title: #537: test_csrgen: adjusted comparison test scripts for CSRGenerator Action: opened PR body: """ Commit ada91c2 introduced changes in "csrgen/templates/openssl_base.tmpl" which broke the following 2 tests: test_CSRGenerator.test_userCert_OpenSSL test_CSRGenerator.test_caIPAserviceCert_OpenSSL The tests use files caIPAserviceCert_openssl.sh and userCert_openssl.sh as expected scripts in order to compare scripts generated by CSRGenerator. E.g. as other parameter was introduced we are now not checking with "if [[ $# -ne 2 ]]" but rather with if "[[ $# -lt 2 ]]". https://pagure.io/freeipa/issue/6724 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/537/head:pr537 git checkout pr537 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-537.patch Type: text/x-diff Size: 2777 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 3 10:46:15 2017 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Fri, 03 Mar 2017 11:46:15 +0100 Subject: [Freeipa-devel] [freeipa PR#400][comment] WebUI: Certificate Mapping In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/400 Title: #400: WebUI: Certificate Mapping flo-renaud commented: """ Hi @pvomacka thank you, LGTM. """ See the full comment at https://github.com/freeipa/freeipa/pull/400#issuecomment-283923415 From freeipa-github-notification at redhat.com Fri Mar 3 11:09:42 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Fri, 03 Mar 2017 12:09:42 +0100 Subject: [Freeipa-devel] [freeipa PR#523][+ack] cert-request: minor refactors In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/523 Title: #523: cert-request: minor refactors Label: +ack From freeipa-github-notification at redhat.com Fri Mar 3 11:12:59 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Fri, 03 Mar 2017 12:12:59 +0100 Subject: [Freeipa-devel] [freeipa PR#523][+pushed] cert-request: minor refactors In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/523 Title: #523: cert-request: minor refactors Label: +pushed From freeipa-github-notification at redhat.com Fri Mar 3 11:13:01 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Fri, 03 Mar 2017 12:13:01 +0100 Subject: [Freeipa-devel] [freeipa PR#523][comment] cert-request: minor refactors In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/523 Title: #523: cert-request: minor refactors tomaskrizek commented: """ master: * 2066a80be21258d9311ae374fe124d9ac3b79acd Remove redundant principal_type argument * 11c9df25774fbc8ed24b30f75c205d12ca3c5b90 Extract method to map principal to princpal type """ See the full comment at https://github.com/freeipa/freeipa/pull/523#issuecomment-283928618 From freeipa-github-notification at redhat.com Fri Mar 3 11:13:02 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Fri, 03 Mar 2017 12:13:02 +0100 Subject: [Freeipa-devel] [freeipa PR#523][closed] cert-request: minor refactors In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/523 Author: frasertweedale Title: #523: cert-request: minor refactors Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/523/head:pr523 git checkout pr523 From freeipa-github-notification at redhat.com Fri Mar 3 11:21:52 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Fri, 03 Mar 2017 12:21:52 +0100 Subject: [Freeipa-devel] [freeipa PR#502][comment] Make pylint and jsl optional In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/502 Title: #502: Make pylint and jsl optional tomaskrizek commented: """ Issues found by @HonzaCholasta were addressed and no one has raised any serious concern that this patch should not be accepted. """ See the full comment at https://github.com/freeipa/freeipa/pull/502#issuecomment-283930193 From freeipa-github-notification at redhat.com Fri Mar 3 11:21:56 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Fri, 03 Mar 2017 12:21:56 +0100 Subject: [Freeipa-devel] [freeipa PR#502][+ack] Make pylint and jsl optional In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/502 Title: #502: Make pylint and jsl optional Label: +ack From freeipa-github-notification at redhat.com Fri Mar 3 11:31:11 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Fri, 03 Mar 2017 12:31:11 +0100 Subject: [Freeipa-devel] [freeipa PR#502][comment] Make pylint and jsl optional In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/502 Title: #502: Make pylint and jsl optional tomaskrizek commented: """ @tiran Needs rebase. """ See the full comment at https://github.com/freeipa/freeipa/pull/502#issuecomment-283931719 From freeipa-github-notification at redhat.com Fri Mar 3 11:52:13 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 03 Mar 2017 12:52:13 +0100 Subject: [Freeipa-devel] [freeipa PR#502][synchronized] Make pylint and jsl optional In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/502 Author: tiran Title: #502: Make pylint and jsl optional Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/502/head:pr502 git checkout pr502 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-502.patch Type: text/x-diff Size: 6675 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 3 11:58:02 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 03 Mar 2017 12:58:02 +0100 Subject: [Freeipa-devel] [freeipa PR#538][opened] Run test_ipaclient test suite Message-ID: URL: https://github.com/freeipa/freeipa/pull/538 Author: tiran Title: #538: Run test_ipaclient test suite Action: opened PR body: """ Depends on PR #537 to fix the test suite first. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/538/head:pr538 git checkout pr538 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-538.patch Type: text/x-diff Size: 645 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 3 12:13:13 2017 From: freeipa-github-notification at redhat.com (lslebodn) Date: Fri, 03 Mar 2017 13:13:13 +0100 Subject: [Freeipa-devel] [freeipa PR#502][comment] Make pylint and jsl optional In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/502 Title: #502: Make pylint and jsl optional lslebodn commented: """ I am still expecting some comment from @rcritten LS """ See the full comment at https://github.com/freeipa/freeipa/pull/502#issuecomment-283938711 From freeipa-github-notification at redhat.com Fri Mar 3 12:18:40 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Fri, 03 Mar 2017 13:18:40 +0100 Subject: [Freeipa-devel] [freeipa PR#502][-ack] Make pylint and jsl optional In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/502 Title: #502: Make pylint and jsl optional Label: -ack From freeipa-github-notification at redhat.com Fri Mar 3 12:26:55 2017
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Fri, 03 Mar 2017 13:26:55 +0100 Subject: [Freeipa-devel] [freeipa PR#507][+ack] Use https to get security domain from Dogtag In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/507 Title: #507: Use https to get security domain from Dogtag Label: +ack From freeipa-github-notification at redhat.com Fri Mar 3 12:34:34 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Fri, 03 Mar 2017 13:34:34 +0100 Subject: [Freeipa-devel] [freeipa PR#507][comment] Use https to get security domain from Dogtag In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/507 Title: #507: Use https to get security domain from Dogtag tomaskrizek commented: """ master: * d1c5d92897d3e262edd2e43295c1270590aebd3d Use https to get security domain from Dogtag """ See the full comment at https://github.com/freeipa/freeipa/pull/507#issuecomment-283942370 From freeipa-github-notification at redhat.com Fri Mar 3 12:34:36 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Fri, 03 Mar 2017 13:34:36 +0100 Subject: [Freeipa-devel] [freeipa PR#507][+pushed] Use https to get security domain from Dogtag In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/507 Title: #507: Use https to get security domain from Dogtag Label: +pushed From freeipa-github-notification at redhat.com Fri Mar 3 12:34:37 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Fri, 03 Mar 2017 13:34:37 +0100 Subject: [Freeipa-devel] [freeipa PR#507][closed] Use https to get security domain from Dogtag In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/507 Author: tiran Title: #507: Use https to get security domain from Dogtag Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/507/head:pr507 git checkout pr507
From freeipa-github-notification at redhat.com Fri Mar 3 12:40:37 2017
From: freeipa-github-notification at redhat.com (flo-renaud) Date: Fri, 03 Mar 2017 13:40:37 +0100 Subject: [Freeipa-devel] [freeipa PR#516][comment] IdM Server: list all Employees with matching Smart Card In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/516 Title: #516: IdM Server: list all Employees with matching Smart Card flo-renaud commented:
"""
@abbra , Thanks for your comment. Running in permissive mode I did not see any AVC logged in the journal.

@HonzaCholasta thanks for the tips re. writing API. I have followed your advice and made certificate a positional argument. The output will look like this:

```
---------------
2 users matched
---------------
  Domain: DOM-076.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
  Usernames: user1, user2
----------------------------
Number of entries returned 2
----------------------------
```
"""
See the full comment at https://github.com/freeipa/freeipa/pull/516#issuecomment-283642083
From freeipa-github-notification at redhat.com Fri Mar 3 12:44:17 2017
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Fri, 03 Mar 2017 13:44:17 +0100 Subject: [Freeipa-devel] [freeipa PR#507][comment] Use https to get security domain from Dogtag In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/507 Title: #507: Use https to get security domain from Dogtag tomaskrizek commented: """ If backport for 4.4 is needed, please open another PR against `ipa-4-4`. Thanks. """ See the full comment at https://github.com/freeipa/freeipa/pull/507#issuecomment-283944069 From freeipa-github-notification at redhat.com Fri Mar 3 13:12:08 2017 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Fri, 03 Mar 2017 14:12:08 +0100 Subject: [Freeipa-devel] [freeipa PR#519][comment] WebUI: add sizelimit:0 to cert-find In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/519 Title: #519: WebUI: add sizelimit:0 to cert-find flo-renaud commented: """ Hi @pvomacka , thank you, the fix works as expected. """ See the full comment at https://github.com/freeipa/freeipa/pull/519#issuecomment-283949286 From freeipa-github-notification at redhat.com Fri Mar 3 13:12:18 2017 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Fri, 03 Mar 2017 14:12:18 +0100 Subject: [Freeipa-devel] [freeipa PR#519][+ack] WebUI: add sizelimit:0 to cert-find In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/519 Title: #519: WebUI: add sizelimit:0 to cert-find Label: +ack From freeipa-github-notification at redhat.com Fri Mar 3 13:12:49 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 03 Mar 2017 14:12:49 +0100 Subject: [Freeipa-devel] [freeipa PR#538][synchronized] Run test_ipaclient test suite In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/538 Author: tiran Title: #538: Run test_ipaclient test suite Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/538/head:pr538 git checkout pr538 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-538.patch Type: text/x-diff Size: 3431 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 3 15:10:09 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 03 Mar 2017 16:10:09 +0100 Subject: [Freeipa-devel] [freeipa PR#475][comment] Add options to run only ipaclient unittests In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/475 Title: #475: Add options to run only ipaclient unittests martbab commented: """ I like the second approach better. If you squash the commits I will Ack the PR. I still think we need a substantial reorganization of the test suites but that needs more consideration and time. """ See the full comment at https://github.com/freeipa/freeipa/pull/475#issuecomment-283978683 From lslebodn at redhat.com Fri Mar 3 16:07:52 2017 
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Fri, 3 Mar 2017 17:07:52 +0100
Subject: [Freeipa-devel] [DISCUSSION] checking *lint at configure time
Message-ID: <20170303160751.GA31266@10.4.128.1>

ehlo,

This is a small continuation of the discussion from pull request
"Make pylint and jsl optional" #502[1]

Pylint and jslint are already optional because some downstream distributions
do not have such packages. This is a reason why the design document[2]
mentions configuration options for disabling them.
    --disable-pylint --without-jslint

Previously (4.4) "pylint was executed" before building rpm packages.
This strict requirement was changed because "make lint" is executed
with each pull request in travis.

It was changed in commits
master:

* 5c18feaa206bbaee692fc3640b7b79c8d9d6a638 CONFIGURE: Fix detection of pylint
* 3f91469f327d8d9f3b27e0b67c54a4f47ad845c1 CONFIGURE: Update help message for jslint
* b82d285a4a75e11cc9291ecca12d2fcc26f43ed1 SPEC: Fix build in mock

The main intention of PR#502 [1] is to make it even more optional
and not fail if pylint is not installed on the machine.
In other words, changing the default value from "yes" to "autodetect".
I think the main reason is that it is not obvious that it is an optional
dependency if you run just "./configure". But that can be improved with
a better error message. @see attachments.

checking if source directory is a Git reposistory... yes
checking for more warnings... no
checking for Pylint... /usr/bin/python: No module named pylint
configure: error: cannot find pylint for /usr/bin/python

Cristian wrote some explanation in pull request:
    Rationale: pylint and jsl are not required to build FreeIPA. Both are
    useful developer tools. It's more user friendly to make both components
    optional with default config arguments. There is no reason to fail
    building on a build system without development tools.

But there is also another opinion. pylint/jslint is useful not just for
developers but also for packagers.
I would personally encourage packagers to run pylint as part of the build.
(it took just 2 minutes on my laptop with 8 CPUs) Pylint/jslint should check
typical issues in downstream-only patches or with backported patches.

My experience with optional dependencies for unit tests is that packagers
tend to remove them in case of failure in tests and then forget to return
them back with the next release because it is optional. This is a reason why
an explicit ./configure --disable-pylint will be a reminder for them to try
to run "make lint" with the next release.

Cristian's version will not affect fedora developers because there is
a recommendation to install all required dependencies for running "make lint"
    dnf builddep -b -D "with_lint 1" --spec freeipa.spec.in

However, there is no such simple way for other distributions
debian unstable[3]/ubuntu 16.04/openSUSE[4]. This is a reason why I would
prefer to keep the default value at "yes" and just improve the error message.
It will remind packagers/developers to run lint. It does not force them to
run it.

So the main question is whether we want to change the default for the
configure time options --enable-pylint --enable-jslint.

LS

[1] https://github.com/freeipa/freeipa/pull/502
[2] http://www.freeipa.org/page/V4/Build_system_refactoring
[3] https://anonscm.debian.org/cgit/pkg-freeipa/freeipa.git
[4] https://en.opensuse.org/Portal:FreeIPA

From lslebodn at redhat.com Fri Mar 3 16:09:34 2017
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Fri, 3 Mar 2017 17:09:34 +0100
Subject: [Freeipa-devel] [DISCUSSION] checking *lint at configure time
In-Reply-To: <20170303160751.GA31266@10.4.128.1>
References: <20170303160751.GA31266@10.4.128.1>
Message-ID: <20170303160932.GB31266@10.4.128.1>

On (03/03/17 17:07), Lukas Slebodnik wrote:
>ehlo,
>
>This is a small continuation of the discussion from pull request
>"Make pylint and jsl optional" #502[1]
>
>Pylint and jslint are already optional because some downstream distributions
>do not have such packages. This is a reason why the design document[2]
>mentions configuration options for disabling them.
>    --disable-pylint --without-jslint
>
>Previously (4.4) "pylint was executed" before building rpm packages.
>This strict requirement was changed because "make lint" is executed
>with each pull request in travis.
>
>It was changed in commits
>master:
>
>* 5c18feaa206bbaee692fc3640b7b79c8d9d6a638 CONFIGURE: Fix detection of pylint
>* 3f91469f327d8d9f3b27e0b67c54a4f47ad845c1 CONFIGURE: Update help message for jslint
>* b82d285a4a75e11cc9291ecca12d2fcc26f43ed1 SPEC: Fix build in mock
>
>The main intention of PR#502 [1] is to make it even more optional
>and not fail if pylint is not installed on the machine.
>In other words, changing the default value from "yes" to "autodetect".
>I think the main reason is that it is not obvious that it is an optional
>dependency if you run just "./configure". But that can be improved with
>a better error message. @see attachments.
>
And with missing attachment :-)

LS
-------------- next part --------------
diff --git a/configure.ac b/configure.ac index 31bfa8aaf..fee39fe4f 100644 --- a/configure.ac +++ b/configure.ac 
@@ -384,7 +384,10 @@ if test x$PYLINT != xno; then AC_MSG_CHECKING([for Pylint]) $PYTHON -m pylint --version > /dev/null if test "$?" != "0"; then - AC_MSG_ERROR([cannot find pylint for $PYTHON]) + AC_MSG_ERROR([cannot find pylint for $PYTHON +This feature is optional and aimed for checking issues in python code. +You can skip this check wich configure time option --disable-pylint. + ]) else AC_MSG_RESULT([yes]) fi @@ -402,7 +405,10 @@ dnl --without-jslint will set JSLINT=no [AC_PATH_PROG([JSLINT], [jsl])] ) if test "x${JSLINT}" == "x"; then - AC_MSG_ERROR([cannot find JS lint]) + AC_MSG_ERROR([cannot find JS lint +This feature is optional and aimed for web ui developers. +You can skip this check wich configure time option --without-jslint + ]) fi AC_SUBST([JSLINT]) AM_CONDITIONAL([WITH_JSLINT], [test "x${JSLINT}" != "xno"]) From freeipa-github-notification at redhat.com Fri Mar 3 16:16:49 2017 From: freeipa-github-notification at redhat.com (Rezney) Date: Fri, 03 Mar 2017 17:16:49 +0100 Subject: [Freeipa-devel] [freeipa PR#537][synchronized] test_csrgen: adjusted comparison test scripts for CSRGenerator In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/537 Author: Rezney Title: #537: test_csrgen: adjusted comparison test scripts for CSRGenerator Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/537/head:pr537 git checkout pr537 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-537.patch Type: text/x-diff Size: 2738 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 3 16:24:25 2017 
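Review bot: the Pylint hunk of the configure.ac patch above (@@ -384,7 +384,10) misspells the hint in the new AC_MSG_ERROR text: "wich configure time option" should read "with the configure-time option". The unchanged check `$PYTHON -m pylint --version > /dev/null` redirects only stdout, which is why the configure output posted in the thread shows "checking for Pylint... /usr/bin/python: No module named pylint" run together on one line. Redirecting stderr as well (`> /dev/null 2>&1`) and emitting AC_MSG_RESULT([no]) before the error would keep the new explanation readable.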
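Review bot: the jslint hunk of the same patch (@@ -402,7 +405,10) repeats the "wich" typo and, unlike the Pylint message, ends without a full stop after --without-jslint, so the two hints read inconsistently. The context line `if test "x${JSLINT}" == "x"; then` uses ==, which POSIX test does not define; = is the portable operator and would be worth fixing while this block is being touched.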
From: freeipa-github-notification at redhat.com (apophys)
Date: Fri, 03 Mar 2017 17:24:25 +0100
Subject: [Freeipa-devel] [freeipa PR#532][comment] Fix cookie with Max-Age processing
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/532
Title: #532: Fix cookie with Max-Age processing

apophys commented:
"""
Hi, can this PR get a little more attention? The issue seems to be a cause for a lot of failures in our integration tests. (I'm not 100% sure though)
"""

See the full comment at https://github.com/freeipa/freeipa/pull/532#issuecomment-283999510

From freeipa-github-notification at redhat.com Fri Mar 3 16:30:19 2017
From: freeipa-github-notification at redhat.com (Rezney)
Date: Fri, 03 Mar 2017 17:30:19 +0100
Subject: [Freeipa-devel] [freeipa PR#537][synchronized] test_csrgen: adjusted comparison test scripts for CSRGenerator
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/537
Author: Rezney
Title: #537: test_csrgen: adjusted comparison test scripts for CSRGenerator
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/537/head:pr537
git checkout pr537
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-537.patch
Type: text/x-diff
Size: 2737 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Fri Mar 3 17:12:29 2017
From: freeipa-github-notification at redhat.com (apophys) Date: Fri, 03 Mar 2017 18:12:29 +0100 Subject: [Freeipa-devel] [freeipa PR#537][comment] test_csrgen: adjusted comparison test scripts for CSRGenerator In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/537 Title: #537: test_csrgen: adjusted comparison test scripts for CSRGenerator apophys commented: """ Ack. """ See the full comment at https://github.com/freeipa/freeipa/pull/537#issuecomment-284012793 From freeipa-github-notification at redhat.com Fri Mar 3 17:12:44 2017 From: freeipa-github-notification at redhat.com (apophys) Date: Fri, 03 Mar 2017 18:12:44 +0100 Subject: [Freeipa-devel] [freeipa PR#537][+ack] test_csrgen: adjusted comparison test scripts for CSRGenerator In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/537 Title: #537: test_csrgen: adjusted comparison test scripts for CSRGenerator Label: +ack From freeipa-github-notification at redhat.com Fri Mar 3 17:12:50 2017 From: freeipa-github-notification at redhat.com (apophys) Date: Fri, 03 Mar 2017 18:12:50 +0100 Subject: [Freeipa-devel] [freeipa PR#537][comment] test_csrgen: adjusted comparison test scripts for CSRGenerator In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/537 Title: #537: test_csrgen: adjusted comparison test scripts for CSRGenerator apophys commented: """ Ack. """ See the full comment at https://github.com/freeipa/freeipa/pull/537#issuecomment-284012793 From freeipa-github-notification at redhat.com Fri Mar 3 19:41:31 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 03 Mar 2017 20:41:31 +0100 Subject: [Freeipa-devel] [freeipa PR#538][synchronized] Run test_ipaclient test suite In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/538 Author: tiran Title: #538: Run test_ipaclient test suite Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/538/head:pr538 git checkout pr538 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-538.patch Type: text/x-diff Size: 3431 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 3 20:01:21 2017 From: freeipa-github-notification at redhat.com (simo5) Date: Fri, 03 Mar 2017 21:01:21 +0100 Subject: [Freeipa-devel] [freeipa PR#532][+ack] Fix cookie with Max-Age processing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/532 Title: #532: Fix cookie with Max-Age processing Label: +ack From freeipa-github-notification at redhat.com Fri Mar 3 20:01:36 2017 From: freeipa-github-notification at redhat.com (simo5) Date: Fri, 03 Mar 2017 21:01:36 +0100 Subject: [Freeipa-devel] [freeipa PR#532][comment] Fix cookie with Max-Age processing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/532 Title: #532: Fix cookie with Max-Age processing simo5 commented: """ LGTM, please merge """ See the full comment at https://github.com/freeipa/freeipa/pull/532#issuecomment-284055799 From rcritten at redhat.com Fri Mar 3 20:22:05 2017 
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 3 Mar 2017 15:22:05 -0500
Subject: [Freeipa-devel] [DISCUSSION] checking *lint at configure time
In-Reply-To: <20170303160932.GB31266@10.4.128.1>
References: <20170303160751.GA31266@10.4.128.1> <20170303160932.GB31266@10.4.128.1>
Message-ID: <6d64465e-2d5f-a36c-6e66-f5bd3b7916f5@redhat.com>

Lukas Slebodnik wrote:
> On (03/03/17 17:07), Lukas Slebodnik wrote:
>> ehlo,
>>
>> This is a small continuation of the discussion from pull request
>> "Make pylint and jsl optional" #502[1]
>>
>> Pylint and jslint are already optional because some downstream distributions
>> do not have such packages. This is a reason why the design document[2]
>> mentions configuration options for disabling them.
>>     --disable-pylint --without-jslint
>>
>> Previously (4.4) "pylint was executed" before building rpm packages.
>> This strict requirement was changed because "make lint" is executed
>> with each pull request in travis.
>>
>> It was changed in commits
>> master:
>>
>> * 5c18feaa206bbaee692fc3640b7b79c8d9d6a638 CONFIGURE: Fix detection of pylint
>> * 3f91469f327d8d9f3b27e0b67c54a4f47ad845c1 CONFIGURE: Update help message for jslint
>> * b82d285a4a75e11cc9291ecca12d2fcc26f43ed1 SPEC: Fix build in mock
>>
>> The main intention of PR#502 [1] is to make it even more optional
>> and not fail if pylint is not installed on the machine.
>> In other words, changing the default value from "yes" to "autodetect".
>> I think the main reason is that it is not obvious that it is an optional
>> dependency if you run just "./configure". But that can be improved with
>> a better error message. @see attachments.

I was going to go into a history of why it was required (we pushed
broken changes into master) but in retrospect that doesn't really matter.

I've been out of mainline development for some time so don't know your
current processes, but I do have a question:

Is it expected that ./configure && make && make install will result in
the bits in all the right places?

We never had that expectation before though I know Christian has been
moving in that direction. Is that an end goal? It would be nice for
developing in-tree and pushing out micro changes onto the current, live
development system.

If so, does it have checks for all the runtime dependencies or will you
still have to do a bunch of work after the make install?

I've seen discussions about making freeIPA more accessible to the
average developer, which is good, but it is just so much more complex than
the typical software because it is more about integration than most big
projects. So I don't know that this is ever going to really be true.
Will it help the average dev install it? Sure, but then what? Will you
support such an install?

If you want to disable the checks for *lint that is certainly your
prerogative but I see some downsides:

- I used to setup new dev systems all the time and this is definitely
something I'd forget to do with some frequency
- As I understand it the checks will be executed by upstream before a
change is accepted so that's good but it adds a huge delay and the
requirement of a roundtrip to fix simple mistakes (happens all the time
in OpenStack).

I think my question boils down to how many people will this actually
benefit vs how much time will be lost resubmitting patches? I don't
think there is an easy answer for the first part but from my own
experience I'd expect fairly regularly for lint and pep8 errors.

On the other hand I guess this also will have the additional advantage
that make rpms will be significantly faster if you don't enable them.

The --disable vs --without is what bugs me most about the current
situation :-)

So in closing I'd just say that we made those checks mandatory for a reason.
Maybe that reason is no longer applicable with all the current
automation but I'd personally prefer Lukas's suggestion of requiring
them by default but providing clear output on how to disable them if
desired. This way the average user can easily work around it and it
won't impact current developers (unless they want it to). Is that as
simple as configure; make; make install? No, but it isn't a huge leap
either.

rob

From freeipa-github-notification at redhat.com Mon Mar 6 02:24:59 2017
From: freeipa-github-notification at redhat.com (frasertweedale)
Date: Mon, 06 Mar 2017 03:24:59 +0100
Subject: [Freeipa-devel] [freeipa PR#539][opened] Define errors_by_code in ipalib.errors
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/539
Author: frasertweedale
Title: #539: Define errors_by_code in ipalib.errors
Action: opened

PR body:
"""
The errors_by_code mapping will soon be used in more places, as part of the Dogtag GSS-API authentication work. Move its definition to ipalib.errors.

Part of: https://pagure.io/freeipa/issue/5011
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/539/head:pr539
git checkout pr539
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-539.patch
Type: text/x-diff
Size: 1692 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Mon Mar 6 03:00:34 2017
From: freeipa-github-notification at redhat.com (frasertweedale) Date: Mon, 06 Mar 2017 04:00:34 +0100 Subject: [Freeipa-devel] [freeipa PR#540][opened] rabase.get_certificate: make serial number arg mandatory Message-ID: URL: https://github.com/freeipa/freeipa/pull/540 Author: frasertweedale Title: #540: rabase.get_certificate: make serial number arg mandatory Action: opened PR body: """ In rabase.get_certificate it does not make sense for the serial_number argument to be optional. Make it a mandatory positional argument. Part of: https://pagure.io/freeipa/issue/3473 Part of: https://pagure.io/freeipa/issue/5011 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/540/head:pr540 git checkout pr540 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-540.patch Type: text/x-diff Size: 1497 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Mar 6 06:20:46 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Mon, 06 Mar 2017 07:20:46 +0100 Subject: [Freeipa-devel] [freeipa PR#531][synchronized] httpinstance: disable system trust module in /etc/httpd/alias In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/531 Author: HonzaCholasta Title: #531: httpinstance: disable system trust module in /etc/httpd/alias Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/531/head:pr531 git checkout pr531 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-531.patch Type: text/x-diff Size: 4331 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Mar 6 06:21:50 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Mon, 06 Mar 2017 07:21:50 +0100
Subject: [Freeipa-devel] [freeipa PR#531][comment] httpinstance: disable system trust module in /etc/httpd/alias
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/531
Title: #531: httpinstance: disable system trust module in /etc/httpd/alias

HonzaCholasta commented:
"""
Updated to use `modutil -disable` which works even on mod_nss reinstall.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/531#issuecomment-284312430

From mbabinsk at redhat.com Mon Mar 6 06:47:36 2017
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Mon, 6 Mar 2017 07:47:36 +0100
Subject: [Freeipa-devel] Please review: V4/AD user short names design draft
In-Reply-To: <1488462844.10234.64.camel@redhat.com>
References: <92623f03-bb8c-9931-ff54-3024bdb3077d@redhat.com> <1488379327.10234.17.camel@redhat.com> <1488382341.10234.26.camel@redhat.com> <1488384292.10234.35.camel@redhat.com> <1488387086.10234.41.camel@redhat.com> <1374aa71-8e1a-73db-94a1-6af26789c2ed@redhat.com> <1488462844.10234.64.camel@redhat.com>
Message-ID: <661d804b-6e13-a15d-9599-4020be54bd64@redhat.com>

On 03/02/2017 02:54 PM, Simo Sorce wrote:
> On Thu, 2017-03-02 at 08:10 +0100, Martin Babinsky wrote:
>> In this case it would probably be a good idea to think about "forward
>> compatibility" and define a new AUX objectclass bringing in
>> 'ipaDomainResolutionOrder' instead of extending two separate
>> objectclasses. In this way we may then just extend whatever object we
>> desire to carry the override in an easy and clean way.
>
> I agree.
> Simo.
>

Now the most difficult question remains... How to name this objectclass.
I personally am out of ideas but will try my best to come up with
something meaningful.

--
Martin^3 Babinsky

From freeipa-github-notification at redhat.com Mon Mar 6 07:09:49 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Mon, 06 Mar 2017 08:09:49 +0100
Subject: [Freeipa-devel] [freeipa PR#444][comment] Allow nsaccountlock to be searched in user-find commands
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/444
Title: #444: Allow nsaccountlock to be searched in user-find commands

HonzaCholasta commented:
"""
@abbra, the issue is not that the attribute is not requested (it is in fact always requested in user commands), it is that when the attribute is not set on a user entry (that's right, the attribute is *not* operational in 389 DS), the entry will not be returned in `ipa user-find --disabled=0`, which might be surprising to the user.

@redhatrises, the framework fix would be to update `LDAPSearch.get_attr_filter()` to handle the "search for the default value" case, off the top of my head it should be something like this:
```python
def get_attr_filter(self, ldap, **options):
    """
    Returns a MATCH_ALL filter containing all required attributes from the
    options
    """
    search_kw = self.args_options_2_entry(**options)
    search_kw['objectclass'] = self.obj.object_class

    default_kw = self.get_default(**options)

    filters = []
    for name, value in search_kw.items():
        flt = ldap.make_filter_from_attr(name, value, ldap.MATCH_ALL)
        if name in default_kw and value == default_kw[name]:
            # default value search, check also for non-present attribute
            flt = ldap.combine_filters([flt, '(!({}=*))'.format(name)])
        filters.append(flt)

    return ldap.combine_filters(filters, ldap.MATCH_ALL)
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/444#issuecomment-284318835

From freeipa-github-notification at redhat.com Mon Mar 6 07:17:27 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Mon, 06 Mar 2017 08:17:27 +0100
Subject: [Freeipa-devel] [freeipa PR#539][comment] Define errors_by_code in ipalib.errors
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/539
Title: #539: Define errors_by_code in ipalib.errors

HonzaCholasta commented:
"""
The codes are only relevant for XML-RPC. Why do you need them?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/539#issuecomment-284319912

From freeipa-github-notification at redhat.com Mon Mar 6 07:21:56 2017
From: freeipa-github-notification at redhat.com (abbra)
Date: Mon, 06 Mar 2017 08:21:56 +0100
Subject: [Freeipa-devel] [freeipa PR#444][comment] Allow nsaccountlock to be searched in user-find commands
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/444
Title: #444: Allow nsaccountlock to be searched in user-find commands

abbra commented:
"""
The nsaccountlock *is* a virtual attribute in 389-ds:

attributeTypes: ( 2.16.840.1.113730.3.1.610 NAME 'nsAccountLock'
  DESC 'Operational attribute for Account Inactivation'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  USAGE directoryOperation
  X-ORIGIN 'Netscape Directory Server' )

Notice `USAGE directoryOperation` in the attribute definition. It is treated as a virtual one everywhere in the code but nothing sets it. It is supposed to be set via nsRole and CoS template. See ns-activate.pl/ns-inactivate.pl/ns-accountstatus.pl in 389-ds for external manipulation of it.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/444#issuecomment-284320588

From freeipa-github-notification at redhat.com Mon Mar 6 07:42:25 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Mon, 06 Mar 2017 08:42:25 +0100
Subject: [Freeipa-devel] [freeipa PR#444][comment] Allow nsaccountlock to be searched in user-find commands
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/444
Title: #444: Allow nsaccountlock to be searched in user-find commands

HonzaCholasta commented:
"""
I see, I assumed that it's not operational because it's not always set. I stand corrected, but this information does not change anything in respect to the default value search issue.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/444#issuecomment-284323770

From freeipa-github-notification at redhat.com Mon Mar 6 08:04:18 2017
From: freeipa-github-notification at redhat.com (abbra)
Date: Mon, 06 Mar 2017 09:04:18 +0100
Subject: [Freeipa-devel] [freeipa PR#444][comment] Allow nsaccountlock to be searched in user-find commands
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/444
Title: #444: Allow nsaccountlock to be searched in user-find commands

abbra commented:
"""
You are correct in the fact that the search filter needs to be modified to allow matching entries without nsAccountLock attribute set.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/444#issuecomment-284327327

From freeipa-github-notification at redhat.com Mon Mar 6 08:14:31 2017
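The default-value search problem from the PR#444 comments above, as an added example that is not part of the archived thread or FreeIPA's code: it builds the plain equality filter and the one extended with `(!(attr=*))`, then evaluates both against three constructed entries. `build_filter`, the small filter evaluator and the sample data are hypothetical, and the model assumes nsAccountLock is either stored on the entry or absent (no CoS or role computation).

```python
"""Added example: LDAP default-value search that also matches entries
where the attribute is absent. All names and sample data are constructed."""
import re

SPECIAL = "\\*()\0"  # characters RFC 4515 requires to be escaped in values


def escape(value):
    """Escape an assertion value so user input cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in SPECIAL else c for c in value)


def unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def combine(filters, op):
    """Join sub-filters with '&' or '|'; a single filter is returned as is."""
    if len(filters) == 1:
        return filters[0]
    return "({}{})".format(op, "".join(filters))


def build_filter(search_kw, default_kw):
    """One equality filter per option; when the searched value equals the
    option's default, also accept entries that lack the attribute."""
    parts = []
    for name, value in sorted(search_kw.items()):
        flt = "({}={})".format(name, escape(value))
        if name in default_kw and value == default_kw[name]:
            flt = combine([flt, "(!({}=*))".format(name)], "|")
        parts.append(flt)
    return combine(parts, "&")


def parse(flt, pos=0):
    """Parse the subset of RFC 4515 used here: &, |, !, equality, presence."""
    if pos >= len(flt) or flt[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    op = flt[pos]
    if op in "&|":
        pos += 1
        children = []
        while pos < len(flt) and flt[pos] == "(":
            child, pos = parse(flt, pos)
            children.append(child)
        node = (op, children)
    elif op == "!":
        child, pos = parse(flt, pos + 1)
        node = ("!", child)
    else:
        end = flt.index(")", pos)  # a literal ')' in a value is escaped
        attr, _, value = flt[pos:end].partition("=")
        node = ("=", attr.lower(), value)
        pos = end
    if pos >= len(flt) or flt[pos] != ")":
        raise ValueError("expected ')' at offset %d" % pos)
    return node, pos + 1


def matches(node, entry):
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":  # unescaped '*' alone is a presence test
        return bool(values)
    wanted = unescape(value).lower()
    return any(v.lower() == wanted for v in values)


def search(entries, flt):
    tree, end = parse(flt)
    if end != len(flt):
        raise ValueError("trailing data after filter")
    return sorted(e["uid"][0] for e in entries if matches(tree, e))


# Constructed sample directory: alice was never locked, so the attribute
# is simply missing from her entry.
ENTRIES = [
    {"uid": ["alice"], "objectclass": ["posixaccount"]},
    {"uid": ["bob"], "objectclass": ["posixaccount"],
     "nsaccountlock": ["FALSE"]},
    {"uid": ["carol"], "objectclass": ["posixaccount"],
     "nsaccountlock": ["TRUE"]},
]
DEFAULTS = {"nsaccountlock": "FALSE"}  # assumed default of the option

if __name__ == "__main__":
    enabled = {"nsaccountlock": "FALSE", "objectclass": "posixaccount"}
    for label, defaults in (("plain", {}), ("with default", DEFAULTS)):
        flt = build_filter(enabled, defaults)
        print(label, flt, search(ENTRIES, flt))
```

The plain filter lists only bob as enabled; the extended one also returns alice, which is the behaviour the thread agrees the framework should have.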
From: freeipa-github-notification at redhat.com (martbab)
Date: Mon, 06 Mar 2017 09:14:31 +0100
Subject: [Freeipa-devel] [freeipa PR#420][comment] Allow login to WebUI using Kerberos aliases/enterprise principals
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/420
Title: #420: Allow login to WebUI using Kerberos aliases/enterprise principals

martbab commented:
"""
@abbra can you also have a quick look at this PR if it is OK from the trusted user login perspective?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/420#issuecomment-284329271

From slaznick at redhat.com Mon Mar 6 08:53:33 2017
From: slaznick at redhat.com (Standa Laznicka)
Date: Mon, 6 Mar 2017 09:53:33 +0100
Subject: [Freeipa-devel] gssproxy-0.6.2-2 broken
Message-ID: <384bdf07-d6e0-57f6-850e-b42d63141496@redhat.com>

Hello,

Current gssproxy in Fedora 25 "updates" repository (gssproxy-0.6.2-2) is
broken. For a freshly-installed IPA server, the infamous error "ipa:
ERROR: Major (851968): Unspecified GSS failure. Minor code may provide
more information, Minor (2598845123): No credentials cache found" will
appear. 100% reproducible.

Please use the gssproxy-0.6.2-1 from @freeipa/freeipa-master repository
instead. Note that downgrade + gssproxy service restart works.

Cheers,
Standa

From freeipa-github-notification at redhat.com Mon Mar 6 09:14:26 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Mon, 06 Mar 2017 10:14:26 +0100
Subject: [Freeipa-devel] [freeipa PR#504][+ack] Add SHA256 fingerprints
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/504
Title: #504: Add SHA256 fingerprints

Label: +ack

From freeipa-github-notification at redhat.com Mon Mar 6 10:32:44 2017
From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 06 Mar 2017 11:32:44 +0100 Subject: [Freeipa-devel] [freeipa PR#504][-ack] Add SHA256 fingerprints In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/504 Title: #504: Add SHA256 fingerprints Label: -ack From freeipa-github-notification at redhat.com Mon Mar 6 10:36:38 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 06 Mar 2017 11:36:38 +0100 Subject: [Freeipa-devel] [freeipa PR#504][comment] Add SHA256 fingerprints In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/504 Title: #504: Add SHA256 fingerprints stlaz commented: """ Please transform `sha256_fingerprint:` into `Fingerprint (SHA1):` ``` $ ipa cert-show --all Serial number: 1 Issuing CA: ipa Certificate: Subject: CN=Certificate Authority,O=DOM-245.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM Issuer: CN=Certificate Authority,O=DOM-245.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM Not Before: Mon Mar 06 08:57:45 2017 UTC Not After: Fri Mar 06 08:57:45 2037 UTC **Fingerprint (SHA1):** 25:ea:cb:01:48:68:9e:8d:1c:25:ac:2c:92:d9:75:3f:0a:45:97:2d Serial number: 1 Serial number (hex): 0x1 Revoked: False **sha256_fingerprint:** af:09:dd:ae:66:74:cf:af:e2:4f:25:4d:2f:73:4e:a6:f4:d6:f8:32:c4:48:8e:e7:d9:fa:c6:1f:42:f3:09:c4 ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/504#issuecomment-284360401 From freeipa-github-notification at redhat.com Mon Mar 6 10:37:52 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 06 Mar 2017 11:37:52 +0100 Subject: [Freeipa-devel] [freeipa PR#504][comment] Add SHA256 fingerprints In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/504 Title: #504: Add SHA256 fingerprints stlaz commented: """ Please transform `sha256_fingerprint:` into `Fingerprint (SHA1):` ``` $ ipa cert-show --all Serial number: 1 Issuing CA: ipa Certificate: Subject: CN=Certificate Authority,O=DOM-245.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM Issuer: CN=Certificate Authority,O=DOM-245.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM Not Before: Mon Mar 06 08:57:45 2017 UTC Not After: Fri Mar 06 08:57:45 2037 UTC **Fingerprint (SHA1):** 25:ea:cb:01:48:68:9e:8d:1c:25:ac:2c:92:d9:75:3f:0a:45:97:2d Serial number: 1 Serial number (hex): 0x1 Revoked: False **sha256_fingerprint:** af:09:dd:ae:66:74:cf:af:e2:4f:25:4d:2f:73:4e:a6:f4:d6:f8:32:c4:48:8e:e7:d9:fa:c6:1f:42:f3:09:c4 ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/504#issuecomment-284360401 From freeipa-github-notification at redhat.com Mon Mar 6 10:38:15 2017 
From: freeipa-github-notification at redhat.com (stlaz)
Date: Mon, 06 Mar 2017 11:38:15 +0100
Subject: [Freeipa-devel] [freeipa PR#504][comment] Add SHA256 fingerprints
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/504
Title: #504: Add SHA256 fingerprints

stlaz commented:
"""
Please transform `sha256_fingerprint:` into `Fingerprint (SHA-256):`
```
$ ipa cert-show --all
Serial number: 1
Issuing CA: ipa
Certificate:
Subject: CN=Certificate Authority,O=DOM-245.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
Issuer: CN=Certificate Authority,O=DOM-245.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
Not Before: Mon Mar 06 08:57:45 2017 UTC
Not After: Fri Mar 06 08:57:45 2037 UTC
**Fingerprint (SHA1):** 25:ea:cb:01:48:68:9e:8d:1c:25:ac:2c:92:d9:75:3f:0a:45:97:2d
Serial number: 1
Serial number (hex): 0x1
Revoked: False
**sha256_fingerprint:** af:09:dd:ae:66:74:cf:af:e2:4f:25:4d:2f:73:4e:a6:f4:d6:f8:32:c4:48:8e:e7:d9:fa:c6:1f:42:f3:09:c4
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/504#issuecomment-284360401

From freeipa-github-notification at redhat.com Mon Mar 6 10:39:37 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Mon, 06 Mar 2017 11:39:37 +0100
Subject: [Freeipa-devel] [freeipa PR#476][synchronized] vault: cache the transport certificate on client
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/476
Author: HonzaCholasta
Title: #476: vault: cache the transport certificate on client
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/476/head:pr476
git checkout pr476
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-476.patch
Type: text/x-diff
Size: 14799 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Mon Mar 6 10:42:35 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Mon, 06 Mar 2017 11:42:35 +0100
Subject: [Freeipa-devel] [freeipa PR#532][+pushed] Fix cookie with Max-Age processing
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/532
Title: #532: Fix cookie with Max-Age processing

Label: +pushed

From freeipa-github-notification at redhat.com Mon Mar 6 10:42:36 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Mon, 06 Mar 2017 11:42:36 +0100
Subject: [Freeipa-devel] [freeipa PR#532][comment] Fix cookie with Max-Age processing
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/532
Title: #532: Fix cookie with Max-Age processing

HonzaCholasta commented:
"""
master:

* 24eeb4d6a3be678d652247a4a862ffde037514da Fix cookie with Max-Age processing
"""

See the full comment at https://github.com/freeipa/freeipa/pull/532#issuecomment-284361733

From freeipa-github-notification at redhat.com Mon Mar 6 10:42:38 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Mon, 06 Mar 2017 11:42:38 +0100
Subject: [Freeipa-devel] [freeipa PR#532][closed] Fix cookie with Max-Age processing
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/532
Author: stlaz
Title: #532: Fix cookie with Max-Age processing
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/532/head:pr532
git checkout pr532

From freeipa-github-notification at redhat.com Mon Mar 6 10:45:37 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Mon, 06 Mar 2017 11:45:37 +0100
Subject: [Freeipa-devel] [freeipa PR#476][comment] vault: cache the transport certificate on client
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/476
Title: #476: vault: cache the transport certificate on client

HonzaCholasta commented:
"""
Calling `vaultconfig_show` now refreshes the cache, you can call it to download and cache the certificate in the main process.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/476#issuecomment-284362437

From freeipa-github-notification at redhat.com Mon Mar 6 11:26:23 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Mon, 06 Mar 2017 12:26:23 +0100
Subject: [Freeipa-devel] [freeipa PR#541][opened] We don't offer no quickies
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/541
Author: stlaz
Title: #541: We don't offer no quickies
Action: opened

PR body:
"""
It's not our main priority as developers to offer any forms of quickies nor guides on how to perform them.

http://www.urbandictionary.com/define.php?term=quickie
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/541/head:pr541
git checkout pr541
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-541.patch
Type: text/x-diff
Size: 646 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Mon Mar 6 12:09:35 2017
From: freeipa-github-notification at redhat.com (frasertweedale)
Date: Mon, 06 Mar 2017 13:09:35 +0100
Subject: [Freeipa-devel] [freeipa PR#539][comment] Define errors_by_code in ipalib.errors
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/539
Title: #539: Define errors_by_code in ipalib.errors

frasertweedale commented:
"""
@HonzaCholasta when Dogtag executes the existing cert-request validation logic (which will be extracted to a new function), if an exception gets raised Dogtag returns it in the response, and IPA reconstructs it, so that there is no change to the user experience.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/539#issuecomment-284379517

From freeipa-github-notification at redhat.com Mon Mar 6 12:10:02 2017
From: freeipa-github-notification at redhat.com (frasertweedale)
Date: Mon, 06 Mar 2017 13:10:02 +0100
Subject: [Freeipa-devel] [freeipa PR#539][comment] Define errors_by_code in ipalib.errors
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/539
Title: #539: Define errors_by_code in ipalib.errors

frasertweedale commented:
"""
@HonzaCholasta when Dogtag executes the existing cert-request validation logic (which will be extracted to a new function), if an exception gets raised Dogtag returns it in the response, and IPA reconstructs it, so that there is no change to the user experience.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/539#issuecomment-284379517

From freeipa-github-notification at redhat.com Mon Mar 6 12:12:57 2017
From: freeipa-github-notification at redhat.com (dkupka)
Date: Mon, 06 Mar 2017 13:12:57 +0100
Subject: [Freeipa-devel] [freeipa PR#541][+ack] We don't offer no quickies
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/541
Title: #541: We don't offer no quickies

Label: +ack

From freeipa-github-notification at redhat.com Mon Mar 6 12:13:42 2017
From: freeipa-github-notification at redhat.com (dkupka)
Date: Mon, 06 Mar 2017 13:13:42 +0100
Subject: [Freeipa-devel] [freeipa PR#541][comment] We don't offer no quickies
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/541
Title: #541: We don't offer no quickies

dkupka commented:
"""
master:

* 30d7c210a4d153fcb5007651a80d8d53512abba3 We don't offer no quickies
"""

See the full comment at https://github.com/freeipa/freeipa/pull/541#issuecomment-284380318

From freeipa-github-notification at redhat.com Mon Mar 6 12:13:44 2017
From: freeipa-github-notification at redhat.com (dkupka)
Date: Mon, 06 Mar 2017 13:13:44 +0100
Subject: [Freeipa-devel] [freeipa PR#541][closed] We don't offer no quickies
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/541
Author: stlaz
Title: #541: We don't offer no quickies
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/541/head:pr541
git checkout pr541

From freeipa-github-notification at redhat.com Mon Mar 6 12:13:46 2017
From: freeipa-github-notification at redhat.com (dkupka)
Date: Mon, 06 Mar 2017 13:13:46 +0100
Subject: [Freeipa-devel] [freeipa PR#541][+pushed] We don't offer no quickies
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/541
Title: #541: We don't offer no quickies

Label: +pushed

From tkrizek at redhat.com Mon Mar 6 12:35:09 2017
From: tkrizek at redhat.com (Tomas Krizek)
Date: Mon, 6 Mar 2017 13:35:09 +0100
Subject: [Freeipa-devel] [DISCUSSION] checking *lint at configure time
In-Reply-To: <6d64465e-2d5f-a36c-6e66-f5bd3b7916f5@redhat.com>
References: <20170303160751.GA31266@10.4.128.1> <20170303160932.GB31266@10.4.128.1> <6d64465e-2d5f-a36c-6e66-f5bd3b7916f5@redhat.com>
Message-ID: <54bdedd1-3cbf-7e42-88d6-636fd5bef0f9@redhat.com>

On 03/03/2017 09:22 PM, Rob Crittenden wrote:
> Lukas Slebodnik wrote:
>> On (03/03/17 17:07), Lukas Slebodnik wrote:
>>> ehlo,
>>>
>>> This is a small continuation of discussion from pull request
>>> "Make pylint and jsl optional" #502[1]
>>>
>>> Pylint and jslint are already optional because some downstream distributions
>>> do not have such packages. This is a reason why design document[2]
>>> mentions configuration options for disabling them.
>>> --disable-pylint --without-jslint
>>>
>>> Previously (4.4) "pylint was executed" before building rpm packages.
>>> This strict requirement was changed because "make lint" is executed
>>> with each pull request in travis.
>>>
>>> It was changed in commits
>>> master:
>>>
>>> * 5c18feaa206bbaee692fc3640b7b79c8d9d6a638 CONFIGURE: Fix detection of pylint
>>> * 3f91469f327d8d9f3b27e0b67c54a4f47ad845c1 CONFIGURE: Update help message for jslint
>>> * b82d285a4a75e11cc9291ecca12d2fcc26f43ed1 SPEC: Fix build in mock
>>>
>>> The main intention of PR#502 [1] is to make it even more optional
>>> and do not fail if pylint is not installed on machine.
>>> In other words, changing default value from "yes" to "autodetect".
>>> I think the main reason is that it is not obvious that it is an optional
>>> dependency if you run just "./configure". But that can be improved with
>>> better error message. @see attachments.
> I was going to go into a history of why it was required (we pushed
> broken changes into master) but in retrospect that doesn't really
> matter.
> I've been out of mainline development for some time so don't
> know your current processes, but I do have a question:
>
> Is it expected that ./configure && make && make install will result in
> the bits in all the right places? We never had that expectation before
> though I know Christian has been moving in that direction. Is that an
> end goal? It would be nice for developing in-tree and pushing out micro
> changes onto the current, live development system.
If you provide correct paths to ./configure, yes - make && make install
will place all the bits in the right places. I commonly use it with
DESTDIR and sshfs, so I can develop locally and deploy to a remote
machine without building RPMs.
> If so, does it have checks for all the runtime dependencies or will you
> still have to do a bunch of work afterward the make install?
It doesn't check runtime dependencies. I install the freeipa rpms once
to install dependencies and then use make && make install.
> I've seen discussions about making freeIPA more accessible to the
> average developer, which is good, but it is just so more complex than
> the typical software because it is more about integration than most big
> projects. So I don't know that this is ever going to really be true.
> Will it help the average dev install it? Sure, but then what? Will you
> support such an install?
>
> If you want to disable the checks for *lint that is certainly your
> prerogative but I see some downsides:
>
> - I used to setup new dev systems all the time and this is definitely
> something I'd forget to do with some frequency
> - As I understand it the checks will be executed by upstream before a
> change is accepted so that's good but it adds a huge delay and the
> requirement of a roundtrip to fix simple mistakes (happens all the time
> in OpenStack).
On-PR checks can handle this. When you need to fix a linter issue, you
can install the dependencies and run make lint locally.
> I think my question boils down to how many people will this actually
> benefit vs how much time will be lost resubmitting patches? I don't
> think there is an easy answer for the first part but from my own
> experience I'd expect fairly regularly for lint and pep8 errors.
If someone often has this issue, the workflow can be modified to address
it. For example, I've configured my repo to run pylint and pep8
on the modified files before the commit.
> On the other hand I guess this also will have the additional advantage
> that make rpms will be significantly faster if you don't enable them.
>
> The --disable vs --without is what bugs me most about the current
> situation :-)
>
> So in closing I'd just say that we made those checks mandatory for a
> reason. Maybe that reason is no longer applicable with all the current
> automation but I'd personally prefer Lukas's suggestion of requiring
> them by default but providing clear output on how to disable them if
> desired. This way the average user can easily work around it and it
> won't impact current developers (unless they want it to). Is that as
> simple as configure; make; make install? No, but it isn't a huge leap
> either.
>
> rob
>
I prefer Christian's approach that makes the project more upstream-friendly.

I think changing the default from "yes" to "autodetect" negatively
affects packagers, but it makes it more accessible to upstream developers.

--
Tomas Krizek

PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869

From lslebodn at redhat.com Mon Mar 6 12:44:39 2017
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Mon, 6 Mar 2017 13:44:39 +0100
Subject: [Freeipa-devel] [DISCUSSION] checking *lint at configure time
In-Reply-To: <54bdedd1-3cbf-7e42-88d6-636fd5bef0f9@redhat.com>
References: <20170303160751.GA31266@10.4.128.1> <20170303160932.GB31266@10.4.128.1> <6d64465e-2d5f-a36c-6e66-f5bd3b7916f5@redhat.com> <54bdedd1-3cbf-7e42-88d6-636fd5bef0f9@redhat.com>
Message-ID: <20170306124437.GD13530@10.4.128.1>

On (06/03/17 13:35), Tomas Krizek wrote:
>On 03/03/2017 09:22 PM, Rob Crittenden wrote:
>> Lukas Slebodnik wrote:
>>> On (03/03/17 17:07), Lukas Slebodnik wrote:
>>>> ehlo,
>>>>
>>>> This is a small continuation of discussion from pull request
>>>> "Make pylint and jsl optional" #502[1]
>>>>
>>>> Pylint and jslint are already optional because some downstream distributions
>>>> do not have such packages. This is a reason why design document[2]
>>>> mentions configuration options for disabling them.
>>>> --disable-pylint --without-jslint
>>>>
>>>> Previously (4.4) "pylint was executed" before building rpm packages.
>>>> This strict requirement was changed because "make lint" is executed
>>>> with each pull request in travis.
>>>>
>>>> It was changed in commits
>>>> master:
>>>>
>>>> * 5c18feaa206bbaee692fc3640b7b79c8d9d6a638 CONFIGURE: Fix detection of pylint
>>>> * 3f91469f327d8d9f3b27e0b67c54a4f47ad845c1 CONFIGURE: Update help message for jslint
>>>> * b82d285a4a75e11cc9291ecca12d2fcc26f43ed1 SPEC: Fix build in mock
>>>>
>>>> The main intention of PR#502 [1] is to make it even more optional
>>>> and do not fail if pylint is not installed on machine.
>>>> In other words, changing default value from "yes" to "autodetect".
>>>> I think the main reason is that it is not obvious that it is an optional
>>>> dependency if you run just "./configure". But that can be improved with
>>>> better error message. @see attachments.
>> I was going to go into a history of why it was required (we pushed
>> broken changes into master) but in retrospect that doesn't really
>> matter. I've been out of mainline development for some time so don't
>> know your current processes, but I do have a question:
>>
>> Is it expected that ./configure && make && make install will result in
>> the bits in all the right places? We never had that expectation before
>> though I know Christian has been moving in that direction. Is that an
>> end goal? It would be nice for developing in-tree and pushing out micro
>> changes onto the current, live development system.
>If you provide correct paths to ./configure, yes - make && make install
>will place all the bits in the right places. I commonly use it with
>DESTDIR and sshfs, so I can develop locally and deploy to a remote
>machine without building RPMs.
>> If so, does it have checks for all the runtime dependencies or will you
>> still have to do a bunch of work afterward the make install?
>It doesn't check runtime dependencies. I install the freeipa rpms once
>to install dependencies and then use make && make install.
>> I've seen discussions about making freeIPA more accessible to the
>> average developer, which is good, but it is just so more complex than
>> the typical software because it is more about integration than most big
>> projects. So I don't know that this is ever going to really be true.
>> Will it help the average dev install it? Sure, but then what? Will you
>> support such an install?
>>
>> If you want to disable the checks for *lint that is certainly your
>> prerogative but I see some downsides:
>>
>> - I used to setup new dev systems all the time and this is definitely
>> something I'd forget to do with some frequency
>> - As I understand it the checks will be executed by upstream before a
>> change is accepted so that's good but it adds a huge delay and the
>> requirement of a roundtrip to fix simple mistakes (happens all the time
>> in OpenStack).
>On-PR checks can handle this. When you need to fix a linter issue, you
>can install the dependencies and run make lint locally.
>> I think my question boils down to how many people will this actually
>> benefit vs how much time will be lost resubmitting patches? I don't
>> think there is an easy answer for the first part but from my own
>> experience I'd expect fairly regularly for lint and pep8 errors.
>If someone often has this issue, the workflow can be modified to address
>it. For example, I've configured my repo to run pylint and pep8
>on the modified files before the commit.
>> On the other hand I guess this also will have the additional advantage
>> that make rpms will be significantly faster if you don't enable them.
>>
>> The --disable vs --without is what bugs me most about the current
>> situation :-)
>>
>> So in closing I'd just say that we made those checks mandatory for a
>> reason. Maybe that reason is no longer applicable with all the current
>> automation but I'd personally prefer Lukas's suggestion of requiring
>> them by default but providing clear output on how to disable them if
>> desired. This way the average user can easily work around it and it
>> won't impact current developers (unless they want it to). Is that as
>> simple as configure; make; make install? No, but it isn't a huge leap
>> either.
>>
>> rob
>>
>I prefer Christian's approach that makes the project more upstream-friendly.
>
Could you explain what "more upstream-friendly" means?
It seems that we have different opinions about what it means.

>I think changing the default from "yes" to "autodetect" negatively
>affects packagers, but it makes it more accessible to upstream developers.
>
I know it is comfortable to rely on travis with PRs but travis does not check
on debian.

And I would like to know how the current approach limits (current) upstream
developers.

LS

From simo at redhat.com Mon Mar 6 12:48:40 2017
From: simo at redhat.com (Simo Sorce)
Date: Mon, 06 Mar 2017 07:48:40 -0500
Subject: [Freeipa-devel] Please review: V4/AD user short names design draft
In-Reply-To: <661d804b-6e13-a15d-9599-4020be54bd64@redhat.com>
References: <92623f03-bb8c-9931-ff54-3024bdb3077d@redhat.com> <1488379327.10234.17.camel@redhat.com> <1488382341.10234.26.camel@redhat.com> <1488384292.10234.35.camel@redhat.com> <1488387086.10234.41.camel@redhat.com> <1374aa71-8e1a-73db-94a1-6af26789c2ed@redhat.com> <1488462844.10234.64.camel@redhat.com> <661d804b-6e13-a15d-9599-4020be54bd64@redhat.com>
Message-ID: <1488804520.10234.108.camel@redhat.com>

On Mon, 2017-03-06 at 07:47 +0100, Martin Babinsky wrote:
> On 03/02/2017 02:54 PM, Simo Sorce wrote:
> > On Thu, 2017-03-02 at 08:10 +0100, Martin Babinsky wrote:
> >> In this case it would probably be a good idea to think about "forward
> >> compatibility" and define a new AUX objectclass bringing in
> >> 'ipaDomainResolutionOrder' instead of extending two separate
> >> objectclasses. In this way we may then just extend whatever object we
> >> desire to carry the override in an easy and clean way.
> >
> > I agree.
> > Simo.
> >
>
> Now the most difficult question remains... How to name this objectclass.
> I personally am out of ideas but will try my best to come up with
> something meaningful.

Try to describe what the option ultimately does with as few words as
possible.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From tkrizek at redhat.com Mon Mar 6 12:49:21 2017
From: tkrizek at redhat.com (Tomas Krizek)
Date: Mon, 6 Mar 2017 13:49:21 +0100
Subject: [Freeipa-devel] [DISCUSSION] checking *lint at configure time
In-Reply-To: <20170306124437.GD13530@10.4.128.1>
References: <20170303160751.GA31266@10.4.128.1> <20170303160932.GB31266@10.4.128.1> <6d64465e-2d5f-a36c-6e66-f5bd3b7916f5@redhat.com> <54bdedd1-3cbf-7e42-88d6-636fd5bef0f9@redhat.com> <20170306124437.GD13530@10.4.128.1>
Message-ID: <64f099c2-7e85-60d4-9e18-1df990bef669@redhat.com>

On 03/06/2017 01:44 PM, Lukas Slebodnik wrote:
> On (06/03/17 13:35), Tomas Krizek wrote:
>> On 03/03/2017 09:22 PM, Rob Crittenden wrote:
>>> Lukas Slebodnik wrote:
>>>> On (03/03/17 17:07), Lukas Slebodnik wrote:
>>>>> ehlo,
>>>>>
>>>>> This is a small continuation of discussion from pull request
>>>>> "Make pylint and jsl optional" #502[1]
>>>>>
>>>>> Pylint and jslint are already optional because some downstream distributions
>>>>> do not have such packages. This is a reason why design document[2]
>>>>> mentions configuration options for disabling them.
>>>>> --disable-pylint --without-jslint
>>>>>
>>>>> Previously (4.4) "pylint was executed" before building rpm packages.
>>>>> This strict requirement was changed because "make lint" is executed
>>>>> with each pull request in travis.
>>>>>
>>>>> It was changed in commits
>>>>> master:
>>>>>
>>>>> * 5c18feaa206bbaee692fc3640b7b79c8d9d6a638 CONFIGURE: Fix detection of pylint
>>>>> * 3f91469f327d8d9f3b27e0b67c54a4f47ad845c1 CONFIGURE: Update help message for jslint
>>>>> * b82d285a4a75e11cc9291ecca12d2fcc26f43ed1 SPEC: Fix build in mock
>>>>>
>>>>> The main intention of PR#502 [1] is to make it even more optional
>>>>> and do not fail if pylint is not installed on machine.
>>>>> In other words, changing default value from "yes" to "autodetect".
>>>>> I think the main reason is that it is not obvious that it is an optional
>>>>> dependency if you run just "./configure". But that can be improved with
>>>>> better error message.
>>>>> @see attachments.
>>> I was going to go into a history of why it was required (we pushed
>>> broken changes into master) but in retrospect that doesn't really
>>> matter. I've been out of mainline development for some time so don't
>>> know your current processes, but I do have a question:
>>>
>>> Is it expected that ./configure && make && make install will result in
>>> the bits in all the right places? We never had that expectation before
>>> though I know Christian has been moving in that direction. Is that an
>>> end goal? It would be nice for developing in-tree and pushing out micro
>>> changes onto the current, live development system.
>> If you provide correct paths to ./configure, yes - make && make install
>> will place all the bits in the right places. I commonly use it with
>> DESTDIR and sshfs, so I can develop locally and deploy to a remote
>> machine without building RPMs.
>>> If so, does it have checks for all the runtime dependencies or will you
>>> still have to do a bunch of work afterward the make install?
>> It doesn't check runtime dependencies. I install the freeipa rpms once
>> to install dependencies and then use make && make install.
>>> I've seen discussions about making freeIPA more accessible to the
>>> average developer, which is good, but it is just so more complex than
>>> the typical software because it is more about integration than most big
>>> projects. So I don't know that this is ever going to really be true.
>>> Will it help the average dev install it? Sure, but then what? Will you
>>> support such an install?
>>>
>>> If you want to disable the checks for *lint that is certainly your
>>> prerogative but I see some downsides:
>>>
>>> - I used to setup new dev systems all the time and this is definitely
>>> something I'd forget to do with some frequency
>>> - As I understand it the checks will be executed by upstream before a
>>> change is accepted so that's good but it adds a huge delay and the
>>> requirement of a roundtrip to fix simple mistakes (happens all the time
>>> in OpenStack).
>> On-PR checks can handle this. When you need to fix a linter issue, you
>> can install the dependencies and run make lint locally.
>>> I think my question boils down to how many people will this actually
>>> benefit vs how much time will be lost resubmitting patches? I don't
>>> think there is an easy answer for the first part but from my own
>>> experience I'd expect fairly regularly for lint and pep8 errors.
>> If someone often has this issue, the workflow can be modified to address
>> it. For example, I've configured my repo to run pylint and pep8
>> on the modified files before the commit.
>>> On the other hand I guess this also will have the additional advantage
>>> that make rpms will be significantly faster if you don't enable them.
>>>
>>> The --disable vs --without is what bugs me most about the current
>>> situation :-)
>>>
>>> So in closing I'd just say that we made those checks mandatory for a
>>> reason. Maybe that reason is no longer applicable with all the current
>>> automation but I'd personally prefer Lukas's suggestion of requiring
>>> them by default but providing clear output on how to disable them if
>>> desired. This way the average user can easily work around it and it
>>> won't impact current developers (unless they want it to). Is that as
>>> simple as configure; make; make install? No, but it isn't a huge leap
>>> either.
>>>
>>> rob
>>>
>> I prefer Christian's approach that makes the project more upstream-friendly.
>>
> Could you explain what "more upstream-friendly" means?
> It seems that we have different opinions about what it means.
For me, it means making the project easier to develop and install,
without the need to check ./configure options or having to look for and
install optional dependencies.
>> I think changing the default from "yes" to "autodetect" negatively
>> affects packagers, but it makes it more accessible to upstream developers.
>>
> I know it is comfortable to rely on travis with PRs but travis does not check
> on debian.
>
> And I would like to know how the current approach limits (current) upstream
> developers.
>
> LS

--
Tomas Krizek

PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869

From freeipa-github-notification at redhat.com Mon Mar 6 12:50:01 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Mon, 06 Mar 2017 13:50:01 +0100
Subject: [Freeipa-devel] [freeipa PR#476][synchronized] vault: cache the transport certificate on client
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/476
Author: HonzaCholasta
Title: #476: vault: cache the transport certificate on client
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/476/head:pr476
git checkout pr476
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-476.patch
Type: text/x-diff
Size: 14323 bytes
Desc: not available
URL:

From lslebodn at redhat.com Mon Mar 6 13:10:06 2017
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Mon, 6 Mar 2017 14:10:06 +0100
Subject: [Freeipa-devel] [DISCUSSION] checking *lint at configure time
In-Reply-To: <64f099c2-7e85-60d4-9e18-1df990bef669@redhat.com>
References: <20170303160751.GA31266@10.4.128.1> <20170303160932.GB31266@10.4.128.1> <6d64465e-2d5f-a36c-6e66-f5bd3b7916f5@redhat.com> <54bdedd1-3cbf-7e42-88d6-636fd5bef0f9@redhat.com> <20170306124437.GD13530@10.4.128.1> <64f099c2-7e85-60d4-9e18-1df990bef669@redhat.com>
Message-ID: <20170306131005.GF13530@10.4.128.1>

On (06/03/17 13:49), Tomas Krizek wrote:
>On 03/06/2017 01:44 PM, Lukas Slebodnik wrote:
>> On (06/03/17 13:35), Tomas Krizek wrote:
>>> On 03/03/2017 09:22 PM, Rob Crittenden wrote:
>>>> Lukas Slebodnik wrote:
>>>>> On (03/03/17 17:07), Lukas Slebodnik wrote:
>>>>>> ehlo,
>>>>>>
>>>>>> This is a small continuation of discussion from pull request
>>>>>> "Make pylint and jsl optional" #502[1]
>>>>>>
>>>>>> Pylint and jslint are already optional because some downstream distributions
>>>>>> do not have such packages. This is a reason why design document[2]
>>>>>> mentions configuration options for disabling them.
>>>>>> --disable-pylint --without-jslint
>>>>>>
>>>>>> Previously (4.4) "pylint was executed" before building rpm packages.
>>>>>> This strict requirement was changed because "make lint" is executed
>>>>>> with each pull request in travis.
>>>>>>
>>>>>> It was changed in commits
>>>>>> master:
>>>>>>
>>>>>> * 5c18feaa206bbaee692fc3640b7b79c8d9d6a638 CONFIGURE: Fix detection of pylint
>>>>>> * 3f91469f327d8d9f3b27e0b67c54a4f47ad845c1 CONFIGURE: Update help message for jslint
>>>>>> * b82d285a4a75e11cc9291ecca12d2fcc26f43ed1 SPEC: Fix build in mock
>>>>>>
>>>>>> The main intention of PR#502 [1] is to make it even more optional
>>>>>> and do not fail if pylint is not installed on machine.
>>>>>> In other words, changing default value from "yes" to "autodetect".
>>>>>> I think the main reason is that it is not obvious that it is an optional
>>>>>> dependency if you run just "./configure". But that can be improved with
>>>>>> better error message. @see attachments.
>>>> I was going to go into a history of why it was required (we pushed
>>>> broken changes into master) but in retrospect that doesn't really
>>>> matter. I've been out of mainline development for some time so don't
>>>> know your current processes, but I do have a question:
>>>>
>>>> Is it expected that ./configure && make && make install will result in
>>>> the bits in all the right places? We never had that expectation before
>>>> though I know Christian has been moving in that direction. Is that an
>>>> end goal? It would be nice for developing in-tree and pushing out micro
>>>> changes onto the current, live development system.
>>> If you provide correct paths to ./configure, yes - make && make install
>>> will place all the bits in the right places. I commonly use it with
>>> DESTDIR and sshfs, so I can develop locally and deploy to a remote
>>> machine without building RPMs.
>>>> If so, does it have checks for all the runtime dependencies or will you
>>>> still have to do a bunch of work afterward the make install?
>>> It doesn't check runtime dependencies. I install the freeipa rpms once
>>> to install dependencies and then use make && make install.
>>>> I've seen discussions about making freeIPA more accessible to the
>>>> average developer, which is good, but it is just so more complex than
>>>> the typical software because it is more about integration than most big
>>>> projects. So I don't know that this is ever going to really be true.
>>>> Will it help the average dev install it? Sure, but then what? Will you
>>>> support such an install?
>>>> >>>> If you want to disable the checks for *lint that is certainly your >>>> prerogative but I see some downsides: >>>> >>>> - I used to setup new dev systems all the time and this is definitely >>>> something I'd forget to do with some frequency >>>> - As I understand it the checks will be executed by upstream before a >>>> change is accepted so that's good but it adds a huge delay and the >>>> requirement of a roundtrip to fix simple mistakes (happens all the time >>>> in OpenStack). >>> On-PR checks can handle this. When you need to fix a linter issue, you >>> can install the dependencies and run make lint locally. >>>> I think my question boils down to how many people will this actually >>>> benefit vs how much time will be lost resubmitting patches? I don't >>>> think there is an easy answer for the first part but from my own >>>> experience I'd expect fairly regularly for lint and pep8 errors. >>> If someone often has this issue, the workflow can be modified to address >>> it. For example, I've configured my repo to run to run pylint and pep8 >>> on the modified files before the commit. >>>> On the other hand I guess this also will have the additional advantage >>>> that make rpms will be significantly faster if you don't enable them. >>>> >>>> The --disable vs --without is what bugs me most about the current >>>> situation :-) >>>> >>>> So in closing I'd just say that we made those checks mandatory for a >>>> reason. Maybe that reason is no longer applicable with all the current >>>> automation but I'd personally prefer Lukas's suggestion of requiring >>>> them by default but providing clear output on how to disable them if >>>> desired. This way the average user can easily work around it and it >>>> won't impact current developers (unless they want it to). Is that as >>>> simple as configure; make; make install? No, but it isn't a huge leap >>>> either. >>>> >>>> rob >>>> >>> I prefer Christian's approach that makes the project more upstream-friendly. 
>>> >> Could you explain what does "more upstream-friendly" mean? >> It seems that we have different opinion what does it mean. >For me, it means making the project easier to develop and install, >without the need to check ./configure options or having to look for and >install optional dependencies. I am sorry but I still did not get your point. Could you a little bit elaborate? And few related questions to the statement "easier to develop and install" A) All server part is optional. Does it mean that we should disabling server by default or autodetect all server dependencies and do not build server if they are missing? B) it is not just an optional dependency. I tried to explain in 1st mail that it should be a recommended dependency. C) Could you explain how it will be easier to develop on debian/other distribution if upstream does not recommend to run "make lint". LS From tkrizek at redhat.com Mon Mar 6 13:36:05 2017 
From: tkrizek at redhat.com (Tomas Krizek) Date: Mon, 6 Mar 2017 14:36:05 +0100 Subject: [Freeipa-devel] [DISCUSSION] checking *lint at configure time In-Reply-To: <20170306131005.GF13530@10.4.128.1> References: <20170303160751.GA31266@10.4.128.1> <20170303160932.GB31266@10.4.128.1> <6d64465e-2d5f-a36c-6e66-f5bd3b7916f5@redhat.com> <54bdedd1-3cbf-7e42-88d6-636fd5bef0f9@redhat.com> <20170306124437.GD13530@10.4.128.1> <64f099c2-7e85-60d4-9e18-1df990bef669@redhat.com> <20170306131005.GF13530@10.4.128.1> Message-ID: On 03/06/2017 02:10 PM, Lukas Slebodnik wrote: > On (06/03/17 13:49), Tomas Krizek wrote: >> On 03/06/2017 01:44 PM, Lukas Slebodnik wrote: >>> On (06/03/17 13:35), Tomas Krizek wrote: >>>> On 03/03/2017 09:22 PM, Rob Crittenden wrote: >>>>> Lukas Slebodnik wrote: >>>>>> On (03/03/17 17:07), Lukas Slebodnik wrote: >>>>>>> ehlo, >>>>>>> >>>>>>> This is a small continuation fo discussin from pull request >>>>>>> "Make pylint and jsl optional" #502[1] >>>>>>> >>>>>>> Pylint and jslint are already optional because some downstream distributions >>>>>>> does not have such packages. This is a reason why desing document[2] >>>>>>> mention configuration options for disabling them. >>>>>>> --disable-pylint --without-jslint >>>>>>> >>>>>>> Previusly (4.4) "pylint was executed" before building rpm packages. >>>>>>> This strict requirement was changed because "make lint" is executed >>>>>>> with each pull request in travis. >>>>>>> >>>>>>> It was changed in commits >>>>>>> master: >>>>>>> >>>>>>> * 5c18feaa206bbaee692fc3640b7b79c8d9d6a638 CONFIGURE: Fix detection of pylint >>>>>>> * 3f91469f327d8d9f3b27e0b67c54a4f47ad845c1 CONFIGURE: Update help message for jslint >>>>>>> * b82d285a4a75e11cc9291ecca12d2fcc26f43ed1 SPEC: Fix build in mock >>>>>>> >>>>>>> The main intention of PR#502 [1] is to make it even more optional >>>>>>> and do not fail if pylint is not installed on machine. 
>>>>>>> In another words, changing default value from "yes" to "autodetect". >>>>>>> I think the main reason is that it is not obvious that it is an optional >>>>>>> dependency if you run just "./configure". But that can be improved with >>>>>>> better error message. @see attachments. >>>>> I was going to go into a history of why it was required (we pushed >>>>> broken changes into master) but in retrospect that doesn't really >>>>> matter. I've been out of mainline development for some time so don't >>>>> know your current processes, but I do have a question: >>>>> >>>>> Is it expected that ./configure && make && make install will result in >>>>> the bits in all the right places? We never had that expectation before >>>>> though I know Christian has been moving in that direction. Is that an >>>>> end goal? It would be nice for developing in-tree and pushing out micro >>>>> changes onto the current, live development system. >>>> If you provide correct paths to ./configure, yes - make && make install >>>> will place all the bits in the right places. I commonly use it with >>>> DESTDIR and sshfs, so I can develop locally and deploy to a remote >>>> machine without building RPMs. >>>>> If so, does it have checks for all the runtime dependencies or will you >>>>> still have to do a bunch of work afterward the make install? >>>> It doesn't check runtime dependencies. I install the freeipa rpms once >>>> to install dependencies and then use make && make install. >>>>> I've seen discussions about making freeIPA more accessible to the >>>>> average developer, which is good, but it is just so more complex than >>>>> the typical software because it is more about integration than most big >>>>> projects. So I don't know that this is every going to really be true. >>>>> Will it help the average dev install it? Sure, but then what? Will you >>>>> support such an install? 
>>>>> >>>>> If you want to disable the checks for *lint that is certainly your >>>>> prerogative but I see some downsides: >>>>> >>>>> - I used to setup new dev systems all the time and this is definitely >>>>> something I'd forget to do with some frequency >>>>> - As I understand it the checks will be executed by upstream before a >>>>> change is accepted so that's good but it adds a huge delay and the >>>>> requirement of a roundtrip to fix simple mistakes (happens all the time >>>>> in OpenStack). >>>> On-PR checks can handle this. When you need to fix a linter issue, you >>>> can install the dependencies and run make lint locally. >>>>> I think my question boils down to how many people will this actually >>>>> benefit vs how much time will be lost resubmitting patches? I don't >>>>> think there is an easy answer for the first part but from my own >>>>> experience I'd expect fairly regularly for lint and pep8 errors. >>>> If someone often has this issue, the workflow can be modified to address >>>> it. For example, I've configured my repo to run to run pylint and pep8 >>>> on the modified files before the commit. >>>>> On the other hand I guess this also will have the additional advantage >>>>> that make rpms will be significantly faster if you don't enable them. >>>>> >>>>> The --disable vs --without is what bugs me most about the current >>>>> situation :-) >>>>> >>>>> So in closing I'd just say that we made those checks mandatory for a >>>>> reason. Maybe that reason is no longer applicable with all the current >>>>> automation but I'd personally prefer Lukas's suggestion of requiring >>>>> them by default but providing clear output on how to disable them if >>>>> desired. This way the average user can easily work around it and it >>>>> won't impact current developers (unless they want it to). Is that as >>>>> simple as configure; make; make install? No, but it isn't a huge leap >>>>> either. 
>>>>> >>>>> rob >>>>> >>>> I prefer Christian's approach that makes the project more upstream-friendly. >>>> >>> Could you explain what does "more upstream-friendly" mean? >>> It seems that we have different opinion what does it mean. >> For me, it means making the project easier to develop and install, >> without the need to check ./configure options or having to look for and >> install optional dependencies. > > I am sorry but I still did not get your point. Could you a little bit > elaborate? In this case - build won't fail when you don't have the dependencies for linters. > And few related questions to the statement "easier to develop and install" > > A) All server part is optional. Does it mean that we should disabling server by > default or autodetect all server dependencies and do not build server if they > are missing? No. We're not discussing removing the server parts. > B) it is not just an optional dependency. I tried to explain in 1st mail > that it should be a recommended dependency. I agree it's recommended. > C) Could you explain how it will be easier to develop on debian/other > distribution if upstream does not recommend to run "make lint". It probably doesn't make it easier to develop for other distributions. But it may be easier for a new upstream contributor, when building the project doesn't require any extra dependencies. While I think Christian's PR has some value, I don't believe it's worth endlessly discussing the change. Our opinions differ and I don't believe the change has a major impact whether accepted or not. I propose to either +1 or -1 Christian's original comment in the PR [1] and either accept or reject it based on the majority of votes. 
[1] - https://github.com/freeipa/freeipa/pull/502#issue-209980292 -- Tomas Krizek PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869 From cheimes at redhat.com Mon Mar 6 13:38:11 2017 
From: cheimes at redhat.com (Christian Heimes) Date: Mon, 6 Mar 2017 14:38:11 +0100 Subject: [Freeipa-devel] [DISCUSSION] checking *lint at configure time In-Reply-To: <20170306131005.GF13530@10.4.128.1> References: <20170303160751.GA31266@10.4.128.1> <20170303160932.GB31266@10.4.128.1> <6d64465e-2d5f-a36c-6e66-f5bd3b7916f5@redhat.com> <54bdedd1-3cbf-7e42-88d6-636fd5bef0f9@redhat.com> <20170306124437.GD13530@10.4.128.1> <64f099c2-7e85-60d4-9e18-1df990bef669@redhat.com> <20170306131005.GF13530@10.4.128.1> Message-ID: On 2017-03-06 14:10, Lukas Slebodnik wrote: > On (06/03/17 13:49), Tomas Krizek wrote: >> On 03/06/2017 01:44 PM, Lukas Slebodnik wrote: >>> On (06/03/17 13:35), Tomas Krizek wrote: >>>> On 03/03/2017 09:22 PM, Rob Crittenden wrote: >>>>> Lukas Slebodnik wrote: >>>>>> On (03/03/17 17:07), Lukas Slebodnik wrote: >>>>>>> ehlo, >>>>>>> >>>>>>> This is a small continuation fo discussin from pull request >>>>>>> "Make pylint and jsl optional" #502[1] >>>>>>> >>>>>>> Pylint and jslint are already optional because some downstream distributions >>>>>>> does not have such packages. This is a reason why desing document[2] >>>>>>> mention configuration options for disabling them. >>>>>>> --disable-pylint --without-jslint >>>>>>> >>>>>>> Previusly (4.4) "pylint was executed" before building rpm packages. >>>>>>> This strict requirement was changed because "make lint" is executed >>>>>>> with each pull request in travis. >>>>>>> >>>>>>> It was changed in commits >>>>>>> master: >>>>>>> >>>>>>> * 5c18feaa206bbaee692fc3640b7b79c8d9d6a638 CONFIGURE: Fix detection of pylint >>>>>>> * 3f91469f327d8d9f3b27e0b67c54a4f47ad845c1 CONFIGURE: Update help message for jslint >>>>>>> * b82d285a4a75e11cc9291ecca12d2fcc26f43ed1 SPEC: Fix build in mock >>>>>>> >>>>>>> The main intention of PR#502 [1] is to make it even more optional >>>>>>> and do not fail if pylint is not installed on machine. >>>>>>> In another words, changing default value from "yes" to "autodetect". 
>>>>>>> I think the main reason is that it is not obvious that it is an optional >>>>>>> dependency if you run just "./configure". But that can be improved with >>>>>>> better error message. @see attachments. >>>>> I was going to go into a history of why it was required (we pushed >>>>> broken changes into master) but in retrospect that doesn't really >>>>> matter. I've been out of mainline development for some time so don't >>>>> know your current processes, but I do have a question: >>>>> >>>>> Is it expected that ./configure && make && make install will result in >>>>> the bits in all the right places? We never had that expectation before >>>>> though I know Christian has been moving in that direction. Is that an >>>>> end goal? It would be nice for developing in-tree and pushing out micro >>>>> changes onto the current, live development system. >>>> If you provide correct paths to ./configure, yes - make && make install >>>> will place all the bits in the right places. I commonly use it with >>>> DESTDIR and sshfs, so I can develop locally and deploy to a remote >>>> machine without building RPMs. >>>>> If so, does it have checks for all the runtime dependencies or will you >>>>> still have to do a bunch of work afterward the make install? >>>> It doesn't check runtime dependencies. I install the freeipa rpms once >>>> to install dependencies and then use make && make install. >>>>> I've seen discussions about making freeIPA more accessible to the >>>>> average developer, which is good, but it is just so more complex than >>>>> the typical software because it is more about integration than most big >>>>> projects. So I don't know that this is every going to really be true. >>>>> Will it help the average dev install it? Sure, but then what? Will you >>>>> support such an install? 
>>>>> >>>>> If you want to disable the checks for *lint that is certainly your >>>>> prerogative but I see some downsides: >>>>> >>>>> - I used to setup new dev systems all the time and this is definitely >>>>> something I'd forget to do with some frequency >>>>> - As I understand it the checks will be executed by upstream before a >>>>> change is accepted so that's good but it adds a huge delay and the >>>>> requirement of a roundtrip to fix simple mistakes (happens all the time >>>>> in OpenStack). >>>> On-PR checks can handle this. When you need to fix a linter issue, you >>>> can install the dependencies and run make lint locally. >>>>> I think my question boils down to how many people will this actually >>>>> benefit vs how much time will be lost resubmitting patches? I don't >>>>> think there is an easy answer for the first part but from my own >>>>> experience I'd expect fairly regularly for lint and pep8 errors. >>>> If someone often has this issue, the workflow can be modified to address >>>> it. For example, I've configured my repo to run to run pylint and pep8 >>>> on the modified files before the commit. >>>>> On the other hand I guess this also will have the additional advantage >>>>> that make rpms will be significantly faster if you don't enable them. >>>>> >>>>> The --disable vs --without is what bugs me most about the current >>>>> situation :-) >>>>> >>>>> So in closing I'd just say that we made those checks mandatory for a >>>>> reason. Maybe that reason is no longer applicable with all the current >>>>> automation but I'd personally prefer Lukas's suggestion of requiring >>>>> them by default but providing clear output on how to disable them if >>>>> desired. This way the average user can easily work around it and it >>>>> won't impact current developers (unless they want it to). Is that as >>>>> simple as configure; make; make install? No, but it isn't a huge leap >>>>> either. 
>>>>> >>>>> rob >>>>> >>>> I prefer Christian's approach that makes the project more upstream-friendly. >>>> >>> Could you explain what does "more upstream-friendly" mean? >>> It seems that we have different opinion what does it mean. >> For me, it means making the project easier to develop and install, >> without the need to check ./configure options or having to look for and >> install optional dependencies. > > I am sorry but I still did not get your point. Could you a little bit > elaborate? > > And few related questions to the statement "easier to develop and install" > > A) All server part is optional. Does it mean that we should disabling server by > default or autodetect all server dependencies and do not build server if they > are missing? Exaggeration is a stylistic device, but that's taking it a bit too far. > B) it is not just an optional dependency. I tried to explain in 1st mail > that it should be a recommended dependency. Recommended != required Linting is a recommended tool for development. It's a totally optional thing for building and installing FreeIPA. The RPM spec is the best proof for that. Linting is not even a required tool for development. CI takes care of linting. > C) Could you explain how it will be easier to develop on debian/other > distribution if upstream does not recommend to run "make lint". My PR does not discourage `make lint`. Christian From freeipa-github-notification at redhat.com Mon Mar 6 14:01:06 2017 
From: freeipa-github-notification at redhat.com (rcritten) Date: Mon, 06 Mar 2017 15:01:06 +0100 Subject: [Freeipa-devel] [freeipa PR#531][comment] httpinstance: disable system trust module in /etc/httpd/alias In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/531 Title: #531: httpinstance: disable system trust module in /etc/httpd/alias rcritten commented: """ IIRC on install all three existing db's get copied to .orig, or something like that right? So uninstall would move those back into place effectively disabling this? """ See the full comment at https://github.com/freeipa/freeipa/pull/531#issuecomment-284403378 From freeipa-github-notification at redhat.com Mon Mar 6 14:03:38 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Mon, 06 Mar 2017 15:03:38 +0100 Subject: [Freeipa-devel] [freeipa PR#516][comment] IdM Server: list all Employees with matching Smart Card In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/516 Title: #516: IdM Server: list all Employees with matching Smart Card HonzaCholasta commented: """ @flo-renaud, please rebase. """ See the full comment at https://github.com/freeipa/freeipa/pull/516#issuecomment-284404070 From freeipa-github-notification at redhat.com Mon Mar 6 14:06:00 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Mon, 06 Mar 2017 15:06:00 +0100 Subject: [Freeipa-devel] [freeipa PR#531][comment] httpinstance: disable system trust module in /etc/httpd/alias In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/531 Title: #531: httpinstance: disable system trust module in /etc/httpd/alias HonzaCholasta commented: """ Yes. That is, once https://pagure.io/freeipa/issue/4639 is fixed. """ See the full comment at https://github.com/freeipa/freeipa/pull/531#issuecomment-284404665 From freeipa-github-notification at redhat.com Mon Mar 6 14:42:05 2017 
From: freeipa-github-notification at redhat.com (rcritten) Date: Mon, 06 Mar 2017 15:42:05 +0100 Subject: [Freeipa-devel] [freeipa PR#531][comment] httpinstance: disable system trust module in /etc/httpd/alias In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/531 Title: #531: httpinstance: disable system trust module in /etc/httpd/alias rcritten commented: """ Just FYI I'm opening an upstream discussion with the NSS team on this. It is very strange that there is a conflict like this, particularly between master and replica. """ See the full comment at https://github.com/freeipa/freeipa/pull/531#issuecomment-284414651 From freeipa-github-notification at redhat.com Mon Mar 6 15:23:10 2017 From: freeipa-github-notification at redhat.com (LiptonB) Date: Mon, 06 Mar 2017 16:23:10 +0100 Subject: [Freeipa-devel] [freeipa PR#534][comment] Move csrgen templates into ipaclient package In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/534 Title: #534: Move csrgen templates into ipaclient package LiptonB commented: """ I think this is a much better way to make it configurable than how I had it, and the implementation looks good to me. Thanks! """ See the full comment at https://github.com/freeipa/freeipa/pull/534#issuecomment-284427183 From rcritten at redhat.com Mon Mar 6 15:24:48 2017 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 6 Mar 2017 10:24:48 -0500 Subject: [Freeipa-devel] [DISCUSSION] checking *lint at configure time In-Reply-To: <54bdedd1-3cbf-7e42-88d6-636fd5bef0f9@redhat.com> References: <20170303160751.GA31266@10.4.128.1> <20170303160932.GB31266@10.4.128.1> <6d64465e-2d5f-a36c-6e66-f5bd3b7916f5@redhat.com> <54bdedd1-3cbf-7e42-88d6-636fd5bef0f9@redhat.com> Message-ID: <8971f5d3-aab9-6e7f-604f-61f3e7ed8cd5@redhat.com> Tomas Krizek wrote: > On 03/03/2017 09:22 PM, Rob Crittenden wrote: >> Lukas Slebodnik wrote: >>> On (03/03/17 17:07), Lukas Slebodnik wrote: >>>> ehlo, >>>> >>>> This is a small continuation fo discussin from pull request >>>> "Make pylint and jsl optional" #502[1] >>>> >>>> Pylint and jslint are already optional because some downstream distributions >>>> does not have such packages. This is a reason why desing document[2] >>>> mention configuration options for disabling them. >>>> --disable-pylint --without-jslint >>>> >>>> Previusly (4.4) "pylint was executed" before building rpm packages. >>>> This strict requirement was changed because "make lint" is executed >>>> with each pull request in travis. >>>> >>>> It was changed in commits >>>> master: >>>> >>>> * 5c18feaa206bbaee692fc3640b7b79c8d9d6a638 CONFIGURE: Fix detection of pylint >>>> * 3f91469f327d8d9f3b27e0b67c54a4f47ad845c1 CONFIGURE: Update help message for jslint >>>> * b82d285a4a75e11cc9291ecca12d2fcc26f43ed1 SPEC: Fix build in mock >>>> >>>> The main intention of PR#502 [1] is to make it even more optional >>>> and do not fail if pylint is not installed on machine. >>>> In another words, changing default value from "yes" to "autodetect". >>>> I think the main reason is that it is not obvious that it is an optional >>>> dependency if you run just "./configure". But that can be improved with >>>> better error message. @see attachments. 
>> I was going to go into a history of why it was required (we pushed >> broken changes into master) but in retrospect that doesn't really >> matter. I've been out of mainline development for some time so don't >> know your current processes, but I do have a question: >> >> Is it expected that ./configure && make && make install will result in >> the bits in all the right places? We never had that expectation before >> though I know Christian has been moving in that direction. Is that an >> end goal? It would be nice for developing in-tree and pushing out micro >> changes onto the current, live development system. > If you provide correct paths to ./configure, yes - make && make install > will place all the bits in the right places. I commonly use it with > DESTDIR and sshfs, so I can develop locally and deploy to a remote > machine without building RPMs. >> If so, does it have checks for all the runtime dependencies or will you >> still have to do a bunch of work afterward the make install? > It doesn't check runtime dependencies. I install the freeipa rpms once > to install dependencies and then use make && make install. >> I've seen discussions about making freeIPA more accessible to the >> average developer, which is good, but it is just so more complex than >> the typical software because it is more about integration than most big >> projects. So I don't know that this is every going to really be true. >> Will it help the average dev install it? Sure, but then what? Will you >> support such an install? 
>> >> If you want to disable the checks for *lint that is certainly your >> prerogative but I see some downsides: >> >> - I used to setup new dev systems all the time and this is definitely >> something I'd forget to do with some frequency >> - As I understand it the checks will be executed by upstream before a >> change is accepted so that's good but it adds a huge delay and the >> requirement of a roundtrip to fix simple mistakes (happens all the time >> in OpenStack). > On-PR checks can handle this. When you need to fix a linter issue, you > can install the dependencies and run make lint locally. >> I think my question boils down to how many people will this actually >> benefit vs how much time will be lost resubmitting patches? I don't >> think there is an easy answer for the first part but from my own >> experience I'd expect fairly regularly for lint and pep8 errors. > If someone often has this issue, the workflow can be modified to address > it. For example, I've configured my repo to run to run pylint and pep8 > on the modified files before the commit. >> On the other hand I guess this also will have the additional advantage >> that make rpms will be significantly faster if you don't enable them. >> >> The --disable vs --without is what bugs me most about the current >> situation :-) >> >> So in closing I'd just say that we made those checks mandatory for a >> reason. Maybe that reason is no longer applicable with all the current >> automation but I'd personally prefer Lukas's suggestion of requiring >> them by default but providing clear output on how to disable them if >> desired. This way the average user can easily work around it and it >> won't impact current developers (unless they want it to). Is that as >> simple as configure; make; make install? No, but it isn't a huge leap >> either. >> >> rob >> > I prefer Christian's approach that makes the project more upstream-friendly. 
> > I think changing the default from "yes" to "autodetect" negatively > affects packagers, but it makes it more accessible to upstream developers. I don't know. Packagers run into it once, add the --disable/--without, and move on right? And the # of packagers << # of developers. Developers are the ones who run this a lot, and potentially on a lot of machines, so making them have to remember to install the dependencies seems like more work. But your workflow sounds different from what I used so perhaps it's no big deal after all. I just wouldn't want you to rely on the review process to catch pep8 and lint errors, it just wastes a lot of time for everyone. Reviewers can't touch the review yet and developers have to re-fix things. rob From freeipa-github-notification at redhat.com Mon Mar 6 15:39:20 2017 From: freeipa-github-notification at redhat.com (LiptonB) Date: Mon, 06 Mar 2017 16:39:20 +0100 Subject: [Freeipa-devel] [freeipa PR#537][comment] test_csrgen: adjusted comparison test scripts for CSRGenerator In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/537 Title: #537: test_csrgen: adjusted comparison test scripts for CSRGenerator LiptonB commented: """ Thanks for catching this, sorry about the breakage. The change looks good to me. """ See the full comment at https://github.com/freeipa/freeipa/pull/537#issuecomment-284432624 From freeipa-github-notification at redhat.com Mon Mar 6 15:53:57 2017 
From: freeipa-github-notification at redhat.com (LiptonB) Date: Mon, 06 Mar 2017 16:53:57 +0100 Subject: [Freeipa-devel] [freeipa PR#433][synchronized] csrgen: Allow some certificate fields to be specified by the user In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/433 Author: LiptonB Title: #433: csrgen: Allow some certificate fields to be specified by the user Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/433/head:pr433 git checkout pr433 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-433.patch Type: text/x-diff Size: 11289 bytes Desc: not available URL: From rharwood at redhat.com Mon Mar 6 16:36:06 2017 
From: rharwood at redhat.com (Robbie Harwood) Date: Mon, 06 Mar 2017 11:36:06 -0500 Subject: [Freeipa-devel] gssproxy-0.6.2-2 broken In-Reply-To: <384bdf07-d6e0-57f6-850e-b42d63141496@redhat.com> References: <384bdf07-d6e0-57f6-850e-b42d63141496@redhat.com> Message-ID: Standa Laznicka writes: > Hello, > > Current gssproxy in Fedora 25 "updates" repository (gssproxy-0.6.2-2) is > broken. For a freshly-installed IPA server, the infamous error > > "ipa: ERROR: Major (851968): Unspecified GSS failure. Minor code may > provide more information, Minor (2598845123): No credentials cache > found" will appear. 100% reproducible. > > Please use the gssproxy-0.6.2-1 from @freeipa/freeipa-master repository > instead. Note that downgrade + gssproxy service restart works. Hi, thanks for letting us know. In the future it would be better to provide negative karma to the update and file a bugzilla. Please try gssproxy-0.6.2-4 from updates, and hopefully it will work better for you. From freeipa-github-notification at redhat.com Mon Mar 6 17:14:06 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Mon, 06 Mar 2017 18:14:06 +0100
Subject: [Freeipa-devel] [freeipa PR#504][comment] Add SHA256 fingerprints
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/504
Title: #504: Add SHA256 fingerprints

tomaskrizek commented:
"""
I think this is a translation issue that will resolve itself once we generate new translation files. Is that correct, @MartinBasti ?

When using `make install` that regenerates `*.po`, I get this output:
```
Serial number: 1
Issuing CA: ipa
Certificate:
Subject: CN=Certificate Authority,O=DOM-058-176.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
Issuer: CN=Certificate Authority,O=DOM-058-176.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
Not Before: Mon Mar 06 17:05:49 2017 UTC
Not After: Fri Mar 06 17:05:49 2037 UTC
Fingerprint (SHA1): 4c:49:28:74:82:94:30:1c:0e:f6:b2:30:2b:91:90:6c:73:bb:c1:d8
Fingerprint (SHA256): 52:d3:3b:5e:70:63:d0:6c:6f:4d:90:a4:bf:50:18:0b:7a:0c:ab:11:45:cf:05:7d:98:d6:e8:b1:bc:e0:9e:a9
Serial number: 1
Serial number (hex): 0x1
Revoked: False
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/504#issuecomment-284464681

From freeipa-github-notification at redhat.com Mon Mar 6 17:51:32 2017
From: freeipa-github-notification at redhat.com (LiptonB)
Date: Mon, 06 Mar 2017 18:51:32 +0100
Subject: [Freeipa-devel] [freeipa PR#542][opened] Implementation independent interface for CSR generation
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/542
Author: LiptonB
Title: #542: Implementation independent interface for CSR generation
Action: opened

PR body:
"""
@HonzaCholasta and everyone, here is where I am so far on the [CertificationRequestInfo-based interface for CSR generation](https://www.redhat.com/archives/freeipa-devel/2017-February/msg00104.html). As I see it, there are a few rough edges still, so I'd like to get your opinion, especially about these things:

- For feeding to `build_requestinfo` we want a config file, not a script, so I needed to add another formatter/helper that omits the bash code that's there for other helpers.
- While openssl has a library function for creating cert extensions from the config file format, the logic for creating the subject name from the config format is implemented within the `openssl req` command rather than the library. In `build_requestinfo` I copied [the code from certmonger](https://pagure.io/certmonger/blob/master/f/src/csrgen-o.c#_193-223) that creates the subject name, which takes a simpler format. So the new formatter is called "certmonger" and uses that format.
- I'm not sure where in the freeipa project the code for `build_requestinfo` should go, how to work it into the build process, and where it should be installed. Right now I just have a TODO to do so. Or did you mean for that code to be run via CFFI as well?
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/542/head:pr542
git checkout pr542

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-542.patch
Type: text/x-diff
Size: 20912 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Mon Mar 6 18:00:34 2017
From: freeipa-github-notification at redhat.com (LiptonB) Date: Mon, 06 Mar 2017 19:00:34 +0100 Subject: [Freeipa-devel] [freeipa PR#542][synchronized] Implementation independent interface for CSR generation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/542 Author: LiptonB Title: #542: Implementation independent interface for CSR generation Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/542/head:pr542 git checkout pr542 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-542.patch Type: text/x-diff Size: 21270 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Mar 6 18:30:58 2017 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Mon, 06 Mar 2017 19:30:58 +0100 Subject: [Freeipa-devel] [freeipa PR#516][synchronized] IdM Server: list all Employees with matching Smart Card In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/516 Author: flo-renaud Title: #516: IdM Server: list all Employees with matching Smart Card Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/516/head:pr516 git checkout pr516 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-516.patch Type: text/x-diff Size: 8780 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Mar 6 18:33:42 2017 
From: freeipa-github-notification at redhat.com (flo-renaud) Date: Mon, 06 Mar 2017 19:33:42 +0100 Subject: [Freeipa-devel] [freeipa PR#516][comment] IdM Server: list all Employees with matching Smart Card In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/516 Title: #516: IdM Server: list all Employees with matching Smart Card flo-renaud commented: """ Hi @HonzaCholasta thank you for your comments. Patch rebased. """ See the full comment at https://github.com/freeipa/freeipa/pull/516#issuecomment-284487975 From freeipa-github-notification at redhat.com Mon Mar 6 18:56:18 2017 From: freeipa-github-notification at redhat.com (simo5) Date: Mon, 06 Mar 2017 19:56:18 +0100 Subject: [Freeipa-devel] [freeipa PR#543][opened] Add options to allow ticket caching Message-ID: URL: https://github.com/freeipa/freeipa/pull/543 Author: simo5 Title: #543: Add options to allow ticket caching Action: opened PR body: """ This new option (planned to land in gssproxy 0.7) we cache the ldap ticket properly and avoid a ticket lookup to the KDC on each and every ldap connection. (Also requires krb5 libs 1.15.1 to benefit from caching). NOTE: It is safe to apply this to master, if gssproxy does not support this option it simply is ignored. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/543/head:pr543 git checkout pr543 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-543.patch Type: text/x-diff Size: 1174 bytes Desc: not available URL: From lslebodn at redhat.com Mon Mar 6 23:26:10 2017 
From: lslebodn at redhat.com (Lukas Slebodnik) Date: Tue, 7 Mar 2017 00:26:10 +0100 Subject: [Freeipa-devel] [DISCUSSION] checking *lint at configure time In-Reply-To: References: <20170303160751.GA31266@10.4.128.1> <20170303160932.GB31266@10.4.128.1> <6d64465e-2d5f-a36c-6e66-f5bd3b7916f5@redhat.com> <54bdedd1-3cbf-7e42-88d6-636fd5bef0f9@redhat.com> <20170306124437.GD13530@10.4.128.1> <64f099c2-7e85-60d4-9e18-1df990bef669@redhat.com> <20170306131005.GF13530@10.4.128.1> Message-ID: <20170306232609.GG13530@10.4.128.1> On (06/03/17 14:38), Christian Heimes wrote: >> B) it is not just an optional dependency. I tried to explain in 1st mail >> that it should be a recommended dependency. > >Recommended != required > {Py,js}lint are not required ATM. Just error message from configure is poorly phrased. >Linting is a recommended tool for development. It's a totally optional >thing for building and installing FreeIPA. The RPM spec is the best >proof for that. Linting is not even a required tool for development. CI >takes care of linting. > CI does not care of linting on other distributions. At the moment lint is executed only on f25 in travis (f26 of fedora rawhide, el7 are not covered) ATM everything is fedora focused even BUILD.txt which is not ideal from upstream POV. Therefore default checks in configure should not be focused just for fedora. >> C) Could you explain how it will be easier to develop on debian/other >> distribution if upstream does not recommend to run "make lint". > >My PR does not discourage `make lint`. > But it does not recommend it; because missing pylint it is skipped with combo "./configure && make install." in PR#502 So potential developers on other distributions needn't notice it and with your PR they will not be able to run "make pylint" in such situation; because the target will be disabled in case of missing pylint. Summary: rcrit, jcholast[1] and lslebodn think that it is better for upstream to have default yes. 
cheimes(you) and tkrizek prefer autodetection. Democracy works. Please do not change default value and improve error messages with hint how to disable the optional *lint dependencies at configure time. LS [1] https://github.com/freeipa/freeipa/pull/502#issuecomment-283569745 From lslebodn at redhat.com Mon Mar 6 23:39:30 2017 
From: lslebodn at redhat.com (Lukas Slebodnik) Date: Tue, 7 Mar 2017 00:39:30 +0100 Subject: [Freeipa-devel] [DISCUSSION] checking *lint at configure time In-Reply-To: References: <20170303160751.GA31266@10.4.128.1> <20170303160932.GB31266@10.4.128.1> <6d64465e-2d5f-a36c-6e66-f5bd3b7916f5@redhat.com> <54bdedd1-3cbf-7e42-88d6-636fd5bef0f9@redhat.com> <20170306124437.GD13530@10.4.128.1> <64f099c2-7e85-60d4-9e18-1df990bef669@redhat.com> <20170306131005.GF13530@10.4.128.1> Message-ID: <20170306233929.GH13530@10.4.128.1> On (06/03/17 14:36), Tomas Krizek wrote: >> I am sorry but I still did not get your point. Could you a little bit >> elaborate? >In this case - build won't fail when you don't have the dependencies for >linters. But it will be *easier* to develop on other distributions if they run "make lint". Therefore default should be yes. And if there is a super-hero developers who wrote perfect code and does not need run make lint then he/she can run ./configure --disable-pylint to skip check for installed pylint. It would be clear enough after improving error message for missing pylint. >> B) it is not just an optional dependency. I tried to explain in 1st mail >> that it should be a recommended dependency. >I agree it's recommended. But would not be with current version of PR#502. >> C) Could you explain how it will be easier to develop on debian/other >> distribution if upstream does not recommend to run "make lint". >It probably doesn't make it easier to develop for other distributions. >But it may be easier for a new upstream contributor, when building the >project doesn't require any extra dependencies. > The simplest way for new developers is to follow BUILD.txt. (use fedora :-) And instructions there recommend to install all dependencies including pylint. So they(new upstream contributors) would not be affected by missing pylint. But people who would like to port freeipa on other distributions would be affected by changing default from yes -> autodetect. 
LS From freeipa-github-notification at redhat.com Mon Mar 6 23:51:13 2017 From: freeipa-github-notification at redhat.com (simo5) Date: Tue, 07 Mar 2017 00:51:13 +0100 Subject: [Freeipa-devel] [freeipa PR#543][synchronized] Add options to allow ticket caching In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/543 Author: simo5 Title: #543: Add options to allow ticket caching Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/543/head:pr543 git checkout pr543 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-543.patch Type: text/x-diff Size: 14254 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Mar 6 23:52:44 2017 From: freeipa-github-notification at redhat.com (simo5) Date: Tue, 07 Mar 2017 00:52:44 +0100 Subject: [Freeipa-devel] [freeipa PR#543][synchronized] Add options to allow ticket caching In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/543 Author: simo5 Title: #543: Add options to allow ticket caching Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/543/head:pr543 git checkout pr543 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-543.patch Type: text/x-diff Size: 1174 bytes Desc: not available URL: From mharmsen at redhat.com Tue Mar 7 04:06:04 2017 
From: mharmsen at redhat.com (Matthew Harmsen) Date: Mon, 6 Mar 2017 21:06:04 -0700 Subject: [Freeipa-devel] Karma Requests for pki-core-10.3.5-13 Message-ID: <86ada612-f56f-b552-730a-90b9c3559b3f@redhat.com>

The following updated candidate builds of pki-core 10.3.5 were generated:

  * Fedora 24:
      o pki-core-10.3.5-13.fc24
  * Fedora 25:
      o pki-core-10.3.5-13.fc25
  * Fedora 26:
      o pki-core-10.3.5-13.fc26
  * Fedora 27 (rawhide):
      o pki-core-10.3.5-13.fc27

These builds address the following PKI TRAC tickets:

  * dogtagpki Pagure Issue #1710 - Add profile component that copies CN to SAN

Please provide Karma for the following builds:

  * Fedora 24:
      o https://bodhi.fedoraproject.org/updates/FEDORA-2017-9ded483357 pki-core-10.3.5-13.fc24
  * Fedora 25:
      o https://bodhi.fedoraproject.org/updates/FEDORA-2017-4f3325addf pki-core-10.3.5-13.fc25
  * Fedora 26:
      o https://bodhi.fedoraproject.org/updates/FEDORA-2017-e0afc56a2c pki-core-10.3.5-13.fc26

-------------- next part -------------- An HTML attachment was scrubbed... URL: From freeipa-github-notification at redhat.com Tue Mar 7 05:33:50 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 07 Mar 2017 06:33:50 +0100 Subject: [Freeipa-devel] [freeipa PR#531][comment] httpinstance: disable system trust module in /etc/httpd/alias In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/531 Title: #531: httpinstance: disable system trust module in /etc/httpd/alias HonzaCholasta commented: """ The conflict between master and replica exists because on the master, client install is executed last, but on (domain level 1+) replica it is executed first, so on the master `/etc/httpd/alias` is populated first and `/etc/pki/ca-trust/source/ipa.p11-kit` is created later, but on (domain level 1+) replica it is done the other way around. """ See the full comment at https://github.com/freeipa/freeipa/pull/531#issuecomment-284626499 From freeipa-github-notification at redhat.com Tue Mar 7 07:51:33 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 07 Mar 2017 08:51:33 +0100 Subject: [Freeipa-devel] [freeipa PR#542][comment] Implementation independent interface for CSR generation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/542 Title: #542: Implementation independent interface for CSR generation HonzaCholasta commented: """ * Maybe I'm missing something, but the intent behind the CertificationRequestInfo-based interface was to replace all of the different helpers with a single way of generating CSRs, so it seems a bit strange to me that you are adding another helper for it. * I would rather avoid creating new, similar but slightly incompatible configuration format. If you can copy code from certmonger, you can copy code from openssl req too, no? * The idea was indeed to implement this in Python using CFFI to call into OpenSSL library functions. """ See the full comment at https://github.com/freeipa/freeipa/pull/542#issuecomment-284647475 From freeipa-github-notification at redhat.com Tue Mar 7 08:30:23 2017 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Tue, 07 Mar 2017 09:30:23 +0100 Subject: [Freeipa-devel] [freeipa PR#516][synchronized] IdM Server: list all Employees with matching Smart Card In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/516 Author: flo-renaud Title: #516: IdM Server: list all Employees with matching Smart Card Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/516/head:pr516 git checkout pr516 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-516.patch Type: text/x-diff Size: 8749 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Mar 7 08:32:08 2017 
From: freeipa-github-notification at redhat.com (flo-renaud) Date: Tue, 07 Mar 2017 09:32:08 +0100 Subject: [Freeipa-devel] [freeipa PR#516][comment] IdM Server: list all Employees with matching Smart Card In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/516 Title: #516: IdM Server: list all Employees with matching Smart Card flo-renaud commented: """ Hi @HonzaCholasta sorry I overlooked the change for count. It's updated now, thank you for the review. """ See the full comment at https://github.com/freeipa/freeipa/pull/516#issuecomment-284655430 From freeipa-github-notification at redhat.com Tue Mar 7 08:37:17 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 07 Mar 2017 09:37:17 +0100 Subject: [Freeipa-devel] [freeipa PR#504][comment] Add SHA256 fingerprints In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/504 Title: #504: Add SHA256 fingerprints stlaz commented: """ Hm, apparently I had old `po/`, never mind, then. """ See the full comment at https://github.com/freeipa/freeipa/pull/504#issuecomment-284656476 From freeipa-github-notification at redhat.com Tue Mar 7 08:37:25 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 07 Mar 2017 09:37:25 +0100 Subject: [Freeipa-devel] [freeipa PR#504][+ack] Add SHA256 fingerprints In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/504 Title: #504: Add SHA256 fingerprints Label: +ack From mbabinsk at redhat.com Tue Mar 7 08:38:55 2017 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Tue, 7 Mar 2017 09:38:55 +0100 Subject: [Freeipa-devel] Please review: V4/AD user short names design draft In-Reply-To: <1488804520.10234.108.camel@redhat.com> References: <92623f03-bb8c-9931-ff54-3024bdb3077d@redhat.com> <1488379327.10234.17.camel@redhat.com> <1488382341.10234.26.camel@redhat.com> <1488384292.10234.35.camel@redhat.com> <1488387086.10234.41.camel@redhat.com> <1374aa71-8e1a-73db-94a1-6af26789c2ed@redhat.com> <1488462844.10234.64.camel@redhat.com> <661d804b-6e13-a15d-9599-4020be54bd64@redhat.com> <1488804520.10234.108.camel@redhat.com> Message-ID: <028e3ef1-a022-e9c2-1368-d645a453555a@redhat.com> On 03/06/2017 01:48 PM, Simo Sorce wrote: > On Mon, 2017-03-06 at 07:47 +0100, Martin Babinsky wrote: >> On 03/02/2017 02:54 PM, Simo Sorce wrote: >>> On Thu, 2017-03-02 at 08:10 +0100, Martin Babinsky wrote: >>>> In this case it would probably be a good idea to think about "forward >>>> compatibility" and define a new AUX objectclass bringing in >>>> 'ipaDomainResolutionOrder' instead of extending two separate >>>> objectclasses. In this way we may then just extend whatever object we >>>> desire to carry the override in an easy and clean way. >>> >>> I agree. >>> Simo. >>> >> >> Now the most difficult question remains... How to name this objectclass. >> I personally am out of ideas but will try my best to come up with >> something meaningful. > > Try to describe what the option ultimately does with as few words as > possible. > > Simo. > > I was thinking about this and since we are performing name qualification (short-name -> fully-qualified name incl. 
domain/realm part), I would like to propose the following naming schema: objectclasses: ( OID_TBD NAME ipaNameQualificationData Desc 'data used for short name qualification data' SUP top AUXILIARY MAY (ipaNameQualificationDomainList) X-ORIGIN 'IPA 4.5' ) attributeTypes: ( OID_TBD NAME 'ipaNameQualificationDomainList' DESC 'List of domains used to qualify user short name' EQUALITY caseIgnoreIA5Match SINGLE-VALUE SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v4.5' ) Let me know if you are ok with this or am I overengineering the names? I would like to solve this quickly so that I can finish the design and start implementation. -- Martin^3 Babinsky From freeipa-github-notification at redhat.com Tue Mar 7 09:00:26 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 07 Mar 2017 10:00:26 +0100 Subject: [Freeipa-devel] [freeipa PR#516][comment] IdM Server: list all Employees with matching Smart Card In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/516 Title: #516: IdM Server: list all Employees with matching Smart Card HonzaCholasta commented: """ @flo-renaud, thanks, LGTM. BTW Travis fails because there is no `sssd-dbus >= 1.15.1` - submitting a build to freeipa-master now. """ See the full comment at https://github.com/freeipa/freeipa/pull/516#issuecomment-284661291 From freeipa-github-notification at redhat.com Tue Mar 7 11:45:50 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 07 Mar 2017 12:45:50 +0100 Subject: [Freeipa-devel] [freeipa PR#544][opened] Don't use weak ciphers for client HTTPS connections Message-ID: URL: https://github.com/freeipa/freeipa/pull/544 Author: stlaz Title: #544: Don't use weak ciphers for client HTTPS connections Action: opened PR body: """ https://pagure.io/freeipa/issue/6730 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/544/head:pr544 git checkout pr544 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-544.patch Type: text/x-diff Size: 833 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Mar 7 12:18:53 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 07 Mar 2017 13:18:53 +0100 Subject: [Freeipa-devel] [freeipa PR#537][comment] test_csrgen: adjusted comparison test scripts for CSRGenerator In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/537 Title: #537: test_csrgen: adjusted comparison test scripts for CSRGenerator martbab commented: """ master: * 83e2c2b65eeb5a3aa4a59c0535e9177aac5e4637 test_csrgen: adjusted comparison test scripts for CSRGenerator """ See the full comment at https://github.com/freeipa/freeipa/pull/537#issuecomment-284706378 From freeipa-github-notification at redhat.com Tue Mar 7 12:18:55 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 07 Mar 2017 13:18:55 +0100 Subject: [Freeipa-devel] [freeipa PR#537][+pushed] test_csrgen: adjusted comparison test scripts for CSRGenerator In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/537 Title: #537: test_csrgen: adjusted comparison test scripts for CSRGenerator Label: +pushed From freeipa-github-notification at redhat.com Tue Mar 7 12:18:57 2017 
From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 07 Mar 2017 13:18:57 +0100 Subject: [Freeipa-devel] [freeipa PR#537][closed] test_csrgen: adjusted comparison test scripts for CSRGenerator In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/537 Author: Rezney Title: #537: test_csrgen: adjusted comparison test scripts for CSRGenerator Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/537/head:pr537 git checkout pr537 From freeipa-github-notification at redhat.com Tue Mar 7 12:20:05 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 07 Mar 2017 13:20:05 +0100 Subject: [Freeipa-devel] [freeipa PR#540][+ack] rabase.get_certificate: make serial number arg mandatory In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/540 Title: #540: rabase.get_certificate: make serial number arg mandatory Label: +ack From freeipa-github-notification at redhat.com Tue Mar 7 12:25:40 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 07 Mar 2017 13:25:40 +0100 Subject: [Freeipa-devel] [freeipa PR#540][+pushed] rabase.get_certificate: make serial number arg mandatory In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/540 Title: #540: rabase.get_certificate: make serial number arg mandatory Label: +pushed From freeipa-github-notification at redhat.com Tue Mar 7 12:25:41 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 07 Mar 2017 13:25:41 +0100 Subject: [Freeipa-devel] [freeipa PR#540][comment] rabase.get_certificate: make serial number arg mandatory In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/540 Title: #540: rabase.get_certificate: make serial number arg mandatory tomaskrizek commented: """ master: * 3ba0375c831eca673c2df146b565a32dbc03fdb3 rabase.get_certificate: make serial number arg mandatory """ See the full comment at https://github.com/freeipa/freeipa/pull/540#issuecomment-284707795 From freeipa-github-notification at redhat.com Tue Mar 7 12:25:43 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 07 Mar 2017 13:25:43 +0100 Subject: [Freeipa-devel] [freeipa PR#540][closed] rabase.get_certificate: make serial number arg mandatory In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/540 Author: frasertweedale Title: #540: rabase.get_certificate: make serial number arg mandatory Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/540/head:pr540 git checkout pr540 From freeipa-github-notification at redhat.com Tue Mar 7 13:07:13 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 07 Mar 2017 14:07:13 +0100 Subject: [Freeipa-devel] [freeipa PR#545][opened] install_check: require IPv6 stack to be enabled Message-ID: URL: https://github.com/freeipa/freeipa/pull/545 Author: tomaskrizek Title: #545: install_check: require IPv6 stack to be enabled Action: opened PR body: """ Add checks to install and replica install to verify IPv6 stack is enabled. IPv6 is required by some IPA parts (AD, conncheck, ...). https://pagure.io/freeipa/issue/6608 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/545/head:pr545 git checkout pr545 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-545.patch Type: text/x-diff Size: 3764 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Mar 7 13:16:49 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 07 Mar 2017 14:16:49 +0100 Subject: [Freeipa-devel] [freeipa PR#545][edited] install_check: require IPv6 stack to be enabled In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/545 Author: tomaskrizek Title: #545: install_check: require IPv6 stack to be enabled Action: edited Changed field: body Original value: """ Add checks to install and replica install to verify IPv6 stack is enabled. IPv6 is required by some IPA parts (AD, conncheck, ...). https://pagure.io/freeipa/issue/6608 """ From freeipa-github-notification at redhat.com Tue Mar 7 13:45:09 2017 
From: freeipa-github-notification at redhat.com (simo5) Date: Tue, 07 Mar 2017 14:45:09 +0100 Subject: [Freeipa-devel] [freeipa PR#546][opened] Store session cookie in a ccache option Message-ID: URL: https://github.com/freeipa/freeipa/pull/546 Author: simo5 Title: #546: Store session cookie in a ccache option Action: opened PR body: """ Instead of using the kernel keyring, store the session cookie within the ccache. This way kdestroy will really wipe away all credentials. Ticket: https://pagure.io/freeipa/issue/6661 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/546/head:pr546 git checkout pr546 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-546.patch Type: text/x-diff Size: 11233 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Mar 7 13:45:34 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 07 Mar 2017 14:45:34 +0100 Subject: [Freeipa-devel] [freeipa PR#420][comment] Allow login to WebUI using Kerberos aliases/enterprise principals In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/420 Title: #420: Allow login to WebUI using Kerberos aliases/enterprise principals martbab commented: """ @abbra I have a question regarding one of your comments, please review. """ See the full comment at https://github.com/freeipa/freeipa/pull/420#issuecomment-284724932 From freeipa-github-notification at redhat.com Tue Mar 7 13:47:59 2017 
From: freeipa-github-notification at redhat.com (simo5) Date: Tue, 07 Mar 2017 14:47:59 +0100 Subject: [Freeipa-devel] [freeipa PR#547][opened] Use GSS-SPNEGO if connecting locally Message-ID: URL: https://github.com/freeipa/freeipa/pull/547 Author: simo5 Title: #547: Use GSS-SPNEGO if connecting locally Action: opened PR body: """ GSS-SPNEGO allows us to negotiate a SASL bind with less roundtrips therefore use it when possible. We only enable it for local connections for now because we only recently fixed Cyrus SASL to do proper GSS-SPNEGO negotiation. This change means a newer and an older version are not compatible. Restricting ourselves to the local host prevents issues with incompatible services, and it is ok for us as we are only really looking for speedups for the local short-lived connections performed by the framework. Most other clients have longer lived connections, so performance improvements there are not as important. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/547/head:pr547 git checkout pr547 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-547.patch Type: text/x-diff Size: 1834 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Mar 7 13:52:10 2017 
From: freeipa-github-notification at redhat.com (simo5) Date: Tue, 07 Mar 2017 14:52:10 +0100 Subject: [Freeipa-devel] [freeipa PR#547][synchronized] Use GSS-SPNEGO if connecting locally In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/547 Author: simo5 Title: #547: Use GSS-SPNEGO if connecting locally Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/547/head:pr547 git checkout pr547 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-547.patch Type: text/x-diff Size: 1880 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Mar 7 13:52:33 2017 From: freeipa-github-notification at redhat.com (simo5) Date: Tue, 07 Mar 2017 14:52:33 +0100 Subject: [Freeipa-devel] [freeipa PR#543][synchronized] Add options to allow ticket caching In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/543 Author: simo5 Title: #543: Add options to allow ticket caching Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/543/head:pr543 git checkout pr543 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-543.patch Type: text/x-diff Size: 1220 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Mar 7 13:55:46 2017 
From: freeipa-github-notification at redhat.com (LiptonB) Date: Tue, 07 Mar 2017 14:55:46 +0100 Subject: [Freeipa-devel] [freeipa PR#542][comment] Implementation independent interface for CSR generation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/542 Title: #542: Implementation independent interface for CSR generation LiptonB commented: """ Thanks for the feedback. I will put together a new version using CFFI and the `openssl req` format for subject names. Regarding helpers, this code has all CSR generation go through the `CertificationRequestInfo`-based flow, so the other helpers can't actually be accessed. Maybe we should remove the helper/formatter abstraction entirely, and have the new format (raw openssl config) be the only jinja template available. This makes things simpler but will remove all support for NSS databases until we add it to the new flow. What do you think? (An alternative would be to remove only the `openssl` helper, and add a `CertificationRequestInfoFormatter` in its place). """ See the full comment at https://github.com/freeipa/freeipa/pull/542#issuecomment-284727415 From simo at redhat.com Tue Mar 7 14:14:05 2017 
From: simo at redhat.com (Simo Sorce) Date: Tue, 07 Mar 2017 09:14:05 -0500 Subject: [Freeipa-devel] Please review: V4/AD user short names design draft In-Reply-To: <028e3ef1-a022-e9c2-1368-d645a453555a@redhat.com> References: <92623f03-bb8c-9931-ff54-3024bdb3077d@redhat.com> <1488379327.10234.17.camel@redhat.com> <1488382341.10234.26.camel@redhat.com> <1488384292.10234.35.camel@redhat.com> <1488387086.10234.41.camel@redhat.com> <1374aa71-8e1a-73db-94a1-6af26789c2ed@redhat.com> <1488462844.10234.64.camel@redhat.com> <661d804b-6e13-a15d-9599-4020be54bd64@redhat.com> <1488804520.10234.108.camel@redhat.com> <028e3ef1-a022-e9c2-1368-d645a453555a@redhat.com> Message-ID: <1488896045.16250.22.camel@redhat.com> On Tue, 2017-03-07 at 09:38 +0100, Martin Babinsky wrote: > On 03/06/2017 01:48 PM, Simo Sorce wrote: > > On Mon, 2017-03-06 at 07:47 +0100, Martin Babinsky wrote: > >> On 03/02/2017 02:54 PM, Simo Sorce wrote: > >>> On Thu, 2017-03-02 at 08:10 +0100, Martin Babinsky wrote: > >>>> In this case it would probably be a good idea to think about "forward > >>>> compatibility" and define a new AUX objectclass bringing in > >>>> 'ipaDomainResolutionOrder' instead of extending two separate > >>>> objectclasses. In this way we may then just extend whatever object we > >>>> desire to carry the override in an easy and clean way. > >>> > >>> I agree. > >>> Simo. > >>> > >> > >> Now the most difficult question remains... How to name this objectclass. > >> I personally am out of ideas but will try my best to come up with > >> something meaningful. > > > > Try to describe what the option ultimately does with as few words as > > possible. > > > > Simo. > > > > > > I was thinking about this and since we are performing name qualification > (short-name -> fully-qualified name incl. 
domain/realm part), I would > like to propose the following naming schema: > > objectclasses: ( OID_TBD NAME ipaNameQualificationData Desc 'data used > for short name qualification data' SUP top AUXILIARY MAY > (ipaNameQualificationDomainList) X-ORIGIN 'IPA 4.5' ) > > attributeTypes: ( OID_TBD NAME 'ipaNameQualificationDomainList' DESC > 'List of domains used to qualify user short name' EQUALITY > caseIgnoreIA5Match SINGLE-VALUE SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 > X-ORIGIN 'IPA v4.5' ) > > Let me know if you are ok with this or am I overengineering the names? > > I would like to solve this quickly so that I can finish the design and > start implementation. I was thinking that we can use acronyms here to make it less of a mouthful and also more easily recognizable: My idea is: - ipaNameQualificationData -> ipaFQDNPolicies - ipaNameQualificationDomainList -> ipaFQDNCheckOrder Simo. -- Simo Sorce * Red Hat, Inc * New York From freeipa-github-notification at redhat.com Tue Mar 7 14:18:28 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 07 Mar 2017 15:18:28 +0100 Subject: [Freeipa-devel] [freeipa PR#545][synchronized] install_check: require IPv6 stack to be enabled In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/545 Author: tomaskrizek Title: #545: install_check: require IPv6 stack to be enabled Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/545/head:pr545 git checkout pr545 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-545.patch Type: text/x-diff Size: 3763 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Mar 7 14:29:20 2017 
From: freeipa-github-notification at redhat.com (simo5) Date: Tue, 07 Mar 2017 15:29:20 +0100 Subject: [Freeipa-devel] [freeipa PR#511][comment] Bump required version of gssproxy to 0.6.2 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/511 Title: #511: Bump required version of gssproxy to 0.6.2 simo5 commented: """ We are actually planning 0.7 at this point, due to the changes in the last few patchsets :-) """ See the full comment at https://github.com/freeipa/freeipa/pull/511#issuecomment-284736439 From freeipa-github-notification at redhat.com Tue Mar 7 14:30:57 2017 From: freeipa-github-notification at redhat.com (abbra) Date: Tue, 07 Mar 2017 15:30:57 +0100 Subject: [Freeipa-devel] [freeipa PR#547][comment] Use GSS-SPNEGO if connecting locally In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/547 Title: #547: Use GSS-SPNEGO if connecting locally abbra commented: """ LGTM but I think we should also update Requires: in the spec file to use cyrus-sasl-2.1.26-29.fc26 or later. """ See the full comment at https://github.com/freeipa/freeipa/pull/547#issuecomment-284736912 From freeipa-github-notification at redhat.com Tue Mar 7 14:32:21 2017 From: freeipa-github-notification at redhat.com (abbra) Date: Tue, 07 Mar 2017 15:32:21 +0100 Subject: [Freeipa-devel] [freeipa PR#543][comment] Add options to allow ticket caching In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/543 Title: #543: Add options to allow ticket caching abbra commented: """ LGTM. Here I'd also like to bump gssproxy and krb5 dependencies in the spec file. We need to ensure gssproxy is actually updated. """ See the full comment at https://github.com/freeipa/freeipa/pull/543#issuecomment-284737316 From abokovoy at redhat.com Tue Mar 7 14:34:42 2017 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 7 Mar 2017 16:34:42 +0200 Subject: [Freeipa-devel] Please review: V4/AD user short names design draft In-Reply-To: <1488896045.16250.22.camel@redhat.com> References: <1488384292.10234.35.camel@redhat.com> <1488387086.10234.41.camel@redhat.com> <1374aa71-8e1a-73db-94a1-6af26789c2ed@redhat.com> <1488462844.10234.64.camel@redhat.com> <661d804b-6e13-a15d-9599-4020be54bd64@redhat.com> <1488804520.10234.108.camel@redhat.com> <028e3ef1-a022-e9c2-1368-d645a453555a@redhat.com> <1488896045.16250.22.camel@redhat.com> Message-ID: <20170307143442.b66vqszwwdcko66c@redhat.com> On ti, 07 maalis 2017, Simo Sorce wrote: >On Tue, 2017-03-07 at 09:38 +0100, Martin Babinsky wrote: >> On 03/06/2017 01:48 PM, Simo Sorce wrote: >> > On Mon, 2017-03-06 at 07:47 +0100, Martin Babinsky wrote: >> >> On 03/02/2017 02:54 PM, Simo Sorce wrote: >> >>> On Thu, 2017-03-02 at 08:10 +0100, Martin Babinsky wrote: >> >>>> In this case it would probably be a good idea to think about "forward >> >>>> compatibility" and define a new AUX objectclass bringing in >> >>>> 'ipaDomainResolutionOrder' instead of extending two separate >> >>>> objectclasses. In this way we may the just extend whathever object we >> >>>> desire to carry the override in an easy and clean way. >> >>> >> >>> I agree. >> >>> Simo. >> >>> >> >> >> >> Now the most difficult question remains... How to name this objectclass. >> >> I personally am out of ideas but will try my best to come up with >> >> something meaningful. >> > >> > Try to describe what the option ultimately does with as few words as >> > possible. >> > >> > Simo. >> > >> > >> >> I was thinking about this and since we are performing name qualification >> (short-name -> fully-qualified name incl. 
domain/realm part), I would >> like to propose the following naming schema: >> >> objectlasses: ( OID_TBD NAME ipaNameQualificationData Desc 'data used >> for short name qualification data' SUP top AUXILIARY MAY >> (ipaNameQualificationDomainList) X-ORIGIN 'IPA 4.5' ) >> >> attributeTypes: ( OID_TBD NAME 'ipaNameQualificationDomainList' DESC >> 'List of domains used to qualify user short name' EQUALITY >> caseIgnoreIA5Match SINGLE-VALUE SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 >> X-ORIGIN 'IPA v4.5' ) >> >> Let me know if you are ok with this or am I overengineering the names? >> >> I would like to solve this quickly so that I can finish the design and >> start implementation. > >I was thinking that we can use acronyms here to make it less of a >mouthful and also more easily recognizable: >My idea is: >- ipaNameQualificationData -> ipaFQDNPolicies >- ipaNameQualificationDomainList -> ipaFQDNCheckOrder Sounds good to me. -- / Alexander Bokovoy From freeipa-github-notification at redhat.com Tue Mar 7 14:35:50 2017 From: freeipa-github-notification at redhat.com (abbra) Date: Tue, 07 Mar 2017 15:35:50 +0100 Subject: [Freeipa-devel] [freeipa PR#545][comment] install_check: require IPv6 stack to be enabled In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/545 Title: #545: install_check: require IPv6 stack to be enabled abbra commented: """ How is the /proc check going to play with containers? """ See the full comment at https://github.com/freeipa/freeipa/pull/545#issuecomment-284738343 From freeipa-github-notification at redhat.com Tue Mar 7 14:36:29 2017
From: freeipa-github-notification at redhat.com (dkupka) Date: Tue, 07 Mar 2017 15:36:29 +0100 Subject: [Freeipa-devel] [freeipa PR#511][comment] Bump required version of gssproxy to 0.6.2 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/511 Title: #511: Bump required version of gssproxy to 0.6.2 dkupka commented: """ Ok, please comment here once 0.7 is out and I will update the commit. """ See the full comment at https://github.com/freeipa/freeipa/pull/511#issuecomment-284738537 From freeipa-github-notification at redhat.com Tue Mar 7 14:38:44 2017 From: freeipa-github-notification at redhat.com (simo5) Date: Tue, 07 Mar 2017 15:38:44 +0100 Subject: [Freeipa-devel] [freeipa PR#533][comment] WebUI: Change structure of Identity submenu In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/533 Title: #533: WebUI: Change structure of Identity submenu simo5 commented: """ I do not have enough insights on the .js side to say this is all correct, but having seen the mockups I want to give an ack from my side here. """ See the full comment at https://github.com/freeipa/freeipa/pull/533#issuecomment-284739181 From mbabinsk at redhat.com Tue Mar 7 14:41:03 2017 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Tue, 7 Mar 2017 15:41:03 +0100 Subject: [Freeipa-devel] Please review: V4/AD user short names design draft In-Reply-To: <20170307143442.b66vqszwwdcko66c@redhat.com> References: <1488384292.10234.35.camel@redhat.com> <1488387086.10234.41.camel@redhat.com> <1374aa71-8e1a-73db-94a1-6af26789c2ed@redhat.com> <1488462844.10234.64.camel@redhat.com> <661d804b-6e13-a15d-9599-4020be54bd64@redhat.com> <1488804520.10234.108.camel@redhat.com> <028e3ef1-a022-e9c2-1368-d645a453555a@redhat.com> <1488896045.16250.22.camel@redhat.com> <20170307143442.b66vqszwwdcko66c@redhat.com> Message-ID: <20170307144102.GB26633@dhcp129-180.brq.redhat.com> On Tue, Mar 07, 2017 at 04:34:42PM +0200, Alexander Bokovoy wrote: >On ti, 07 maalis 2017, Simo Sorce wrote: >> On Tue, 2017-03-07 at 09:38 +0100, Martin Babinsky wrote: >> > On 03/06/2017 01:48 PM, Simo Sorce wrote: >> > > On Mon, 2017-03-06 at 07:47 +0100, Martin Babinsky wrote: >> > >> On 03/02/2017 02:54 PM, Simo Sorce wrote: >> > >>> On Thu, 2017-03-02 at 08:10 +0100, Martin Babinsky wrote: >> > >>>> In this case it would probably be a good idea to think about "forward >> > >>>> compatibility" and define a new AUX objectclass bringing in >> > >>>> 'ipaDomainResolutionOrder' instead of extending two separate >> > >>>> objectclasses. In this way we may the just extend whathever object we >> > >>>> desire to carry the override in an easy and clean way. >> > >>> >> > >>> I agree. >> > >>> Simo. >> > >>> >> > >> >> > >> Now the most difficult question remains... How to name this objectclass. >> > >> I personally am out of ideas but will try my best to come up with >> > >> something meaningful. >> > > >> > > Try to describe what the option ultimately does with as few words as >> > > possible. >> > > >> > > Simo. >> > > >> > > >> > >> > I was thinking about this and since we are performing name qualification >> > (short-name -> fully-qualified name incl. 
domain/realm part), I would >> > like to propose the following naming schema: >> > >> > objectlasses: ( OID_TBD NAME ipaNameQualificationData Desc 'data used >> > for short name qualification data' SUP top AUXILIARY MAY >> > (ipaNameQualificationDomainList) X-ORIGIN 'IPA 4.5' ) >> > >> > attributeTypes: ( OID_TBD NAME 'ipaNameQualificationDomainList' DESC >> > 'List of domains used to qualify user short name' EQUALITY >> > caseIgnoreIA5Match SINGLE-VALUE SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 >> > X-ORIGIN 'IPA v4.5' ) >> > >> > Let me know if you are ok with this or am I overengineering the names? >> > >> > I would like to solve this quickly so that I can finish the design and >> > start implementation. >> >> I was thinking that we can use acronyms here to make it less of a >> mouthful and also more easily recognizable: >> My idea is: >> - ipaNameQualificationData -> ipaFQDNPolicies >> - ipaNameQualificationDomainList -> ipaFQDNCheckOrder >Sounds good to me. >-- >/ Alexander Bokovoy I am not sure about the relation of this to any policy, but I guess that is just nitpicking. I will wait awhile for others to object and then update design. -- Martin Babinsky From freeipa-github-notification at redhat.com Tue Mar 7 14:52:06 2017 From: freeipa-github-notification at redhat.com (simo5) Date: Tue, 07 Mar 2017 15:52:06 +0100 Subject: [Freeipa-devel] [freeipa PR#547][comment] Use GSS-SPNEGO if connecting locally In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/547 Title: #547: Use GSS-SPNEGO if connecting locally simo5 commented: """ We actually do not need to put a strong require, this patch will work regardless, but won't provide any performance advantage on older versions. You will add a stronger require when the GC work is done, so we can defer to that point to add it. """ See the full comment at https://github.com/freeipa/freeipa/pull/547#issuecomment-284743086 From freeipa-github-notification at redhat.com Tue Mar 7 14:52:42 2017 
From: freeipa-github-notification at redhat.com (simo5) Date: Tue, 07 Mar 2017 15:52:42 +0100 Subject: [Freeipa-devel] [freeipa PR#543][comment] Add options to allow ticket caching In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/543 Title: #543: Add options to allow ticket caching simo5 commented: """ Yes, I think we should add a new PR later once we release gssproxy 0.7 """ See the full comment at https://github.com/freeipa/freeipa/pull/543#issuecomment-284743273 From freeipa-github-notification at redhat.com Tue Mar 7 15:20:06 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 07 Mar 2017 16:20:06 +0100 Subject: [Freeipa-devel] [freeipa PR#545][comment] install_check: require IPv6 stack to be enabled In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/545 Title: #545: install_check: require IPv6 stack to be enabled tomaskrizek commented: """ We tested it with @MartinBasti and `/proc` is mounted in container. """ See the full comment at https://github.com/freeipa/freeipa/pull/545#issuecomment-284751484 From freeipa-github-notification at redhat.com Tue Mar 7 15:32:42 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 07 Mar 2017 16:32:42 +0100 Subject: [Freeipa-devel] [freeipa PR#546][comment] Store session cookie in a ccache option In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/546 Title: #546: Store session cookie in a ccache option MartinBasti commented: """ Pylint failed and I have a few inline comments
```
************* Module ipapython.ccache_storage
ipapython/ccache_storage.py:234: [C0305(trailing-newlines), ] Trailing newlines)
ipapython/ccache_storage.py:32: [W1612(unicode-builtin), c_text_p.from_param] unicode built-in referenced)
ipapython/ccache_storage.py:45: [E1101(no-member), c_text_p.text] Class 'value' has no 'decode' member)
ipapython/ccache_storage.py:128: [C1001(old-style-class), session_store] Old-style class defined.)
ipapython/ccache_storage.py:132: [E0710(raising-non-exception), session_store.__init__] Raising a new style class which doesn't inherit from BaseException)
ipapython/ccache_storage.py:6: [W0611(unused-import), ] Unused import os)
```
""" See the full comment at https://github.com/freeipa/freeipa/pull/546#issuecomment-284755511 From freeipa-github-notification at redhat.com Tue Mar 7 15:33:10 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 07 Mar 2017 16:33:10 +0100 Subject: [Freeipa-devel] [freeipa PR#538][comment] Run test_ipaclient test suite In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/538 Title: #538: Run test_ipaclient test suite tomaskrizek commented: """ Please rebase and remove 5dfb17168972e480c1880e688a60fd2eb7de1dfe. """ See the full comment at https://github.com/freeipa/freeipa/pull/538#issuecomment-284755651 From freeipa-github-notification at redhat.com Tue Mar 7 15:34:47 2017
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 07 Mar 2017 16:34:47 +0100 Subject: [Freeipa-devel] [freeipa PR#536][+ack] ipa systemd unit should define Wants=network instead of Requires=network In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/536 Title: #536: ipa systemd unit should define Wants=network instead of Requires=network Label: +ack From freeipa-github-notification at redhat.com Tue Mar 7 15:52:52 2017 From: freeipa-github-notification at redhat.com (rcritten) Date: Tue, 07 Mar 2017 16:52:52 +0100 Subject: [Freeipa-devel] [freeipa PR#546][comment] Store session cookie in a ccache option In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/546 Title: #546: Store session cookie in a ccache option rcritten commented: """ Should this patch not also remove the keyring code? Unit tests should be provided. """ See the full comment at https://github.com/freeipa/freeipa/pull/546#issuecomment-284761915 From freeipa-github-notification at redhat.com Tue Mar 7 16:08:55 2017 From: freeipa-github-notification at redhat.com (simo5) Date: Tue, 07 Mar 2017 17:08:55 +0100 Subject: [Freeipa-devel] [freeipa PR#546][comment] Store session cookie in a ccache option In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/546 Title: #546: Store session cookie in a ccache option simo5 commented: """ @rcritten the keyring stuff is still used for detection of keyring in other places, so I did not touch it as those uses are still valid """ See the full comment at https://github.com/freeipa/freeipa/pull/546#issuecomment-284767193 From freeipa-github-notification at redhat.com Tue Mar 7 16:09:42 2017
From: freeipa-github-notification at redhat.com (simo5) Date: Tue, 07 Mar 2017 17:09:42 +0100 Subject: [Freeipa-devel] [freeipa PR#546][comment] Store session cookie in a ccache option In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/546 Title: #546: Store session cookie in a ccache option simo5 commented: """ Not sure how to provide unit tests, these functions work only if you have a valid ccache in the name of the principal you are trying to store a session cookie for. """ See the full comment at https://github.com/freeipa/freeipa/pull/546#issuecomment-284767456 From freeipa-github-notification at redhat.com Tue Mar 7 16:17:37 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 07 Mar 2017 17:17:37 +0100 Subject: [Freeipa-devel] [freeipa PR#529][comment] installer: update time estimates In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/529 Title: #529: installer: update time estimates stlaz commented: """ This will say:
```
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
[1/2]: configure certmonger for renewals
[2/2]: Importing RA key
```
but the operation lasts ~5 seconds at most. """ See the full comment at https://github.com/freeipa/freeipa/pull/529#issuecomment-284770027 From freeipa-github-notification at redhat.com Tue Mar 7 16:17:58 2017
From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 07 Mar 2017 17:17:58 +0100 Subject: [Freeipa-devel] [freeipa PR#529][comment] installer: update time estimates In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/529 Title: #529: installer: update time estimates stlaz commented: """ This will say:
```
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
[1/2]: configure certmonger for renewals
[2/2]: Importing RA key
```
but the operation lasts ~5 seconds at most. """ See the full comment at https://github.com/freeipa/freeipa/pull/529#issuecomment-284770027 From freeipa-github-notification at redhat.com Tue Mar 7 16:29:59 2017 From: freeipa-github-notification at redhat.com (dkupka) Date: Tue, 07 Mar 2017 17:29:59 +0100 Subject: [Freeipa-devel] [freeipa PR#516][comment] IdM Server: list all Employees with matching Smart Card In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/516 Title: #516: IdM Server: list all Employees with matching Smart Card dkupka commented: """ @flo-renaud While playing with this command I've noticed one disturbing fact. Because we rely on SSSD and SSSD relies on its cache, we will likely return an inaccurate result. I'm thinking about the use case when an admin calls certmap-match to list current users mapped to the certificate. Then he performs some changes and calls certmap-match again to verify his changes. At that point SSSD may use the cache and return an obsolete result. One possible solution would be expiring the cache on every certmap-match call but that can easily have a serious performance impact. """ See the full comment at https://github.com/freeipa/freeipa/pull/516#issuecomment-284774035 From freeipa-github-notification at redhat.com Tue Mar 7 16:34:00 2017
From: freeipa-github-notification at redhat.com (flo-renaud) Date: Tue, 07 Mar 2017 17:34:00 +0100 Subject: [Freeipa-devel] [freeipa PR#516][comment] IdM Server: list all Employees with matching Smart Card In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/516 Title: #516: IdM Server: list all Employees with matching Smart Card flo-renaud commented: """ Hi @dkupka As the goal of this command is to return exactly the same list of users as SSSD would consider for authentication, IMHO it is expected that we may have a cached list instead of an up-to-date list of results, because sssd authentication would have the same result. """ See the full comment at https://github.com/freeipa/freeipa/pull/516#issuecomment-284775400 From freeipa-github-notification at redhat.com Tue Mar 7 16:34:07 2017 From: freeipa-github-notification at redhat.com (simo5) Date: Tue, 07 Mar 2017 17:34:07 +0100 Subject: [Freeipa-devel] [freeipa PR#546][synchronized] Store session cookie in a ccache option In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/546 Author: simo5 Title: #546: Store session cookie in a ccache option Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/546/head:pr546 git checkout pr546 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-546.patch Type: text/x-diff Size: 9650 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Mar 7 16:34:45 2017 
From: freeipa-github-notification at redhat.com (simo5) Date: Tue, 07 Mar 2017 17:34:45 +0100 Subject: [Freeipa-devel] [freeipa PR#546][comment] Store session cookie in a ccache option In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/546 Title: #546: Store session cookie in a ccache option simo5 commented: """ Ok removed a bunch of code and made sure pylint passes. """ See the full comment at https://github.com/freeipa/freeipa/pull/546#issuecomment-284775623 From freeipa-github-notification at redhat.com Tue Mar 7 16:35:08 2017 From: freeipa-github-notification at redhat.com (simo5) Date: Tue, 07 Mar 2017 17:35:08 +0100 Subject: [Freeipa-devel] [freeipa PR#546][comment] Store session cookie in a ccache option In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/546 Title: #546: Store session cookie in a ccache option simo5 commented: """ I also renamed the module and the class, makes more sense to me this way around. """ See the full comment at https://github.com/freeipa/freeipa/pull/546#issuecomment-284775755 From freeipa-github-notification at redhat.com Tue Mar 7 16:36:37 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 07 Mar 2017 17:36:37 +0100 Subject: [Freeipa-devel] [freeipa PR#547][comment] Use GSS-SPNEGO if connecting locally In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/547 Title: #547: Use GSS-SPNEGO if connecting locally tomaskrizek commented: """ The patch works with both `cyrus-sasl-2.1.26-26.2.fc24` and `cyrus-sasl-2.1.26-29.fc26`. Since the newer version is not a hard dependency, we can add it later on, as @simo5 suggested. """ See the full comment at https://github.com/freeipa/freeipa/pull/547#issuecomment-284776517 From freeipa-github-notification at redhat.com Tue Mar 7 16:36:42 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 07 Mar 2017 17:36:42 +0100 Subject: [Freeipa-devel] [freeipa PR#547][+ack] Use GSS-SPNEGO if connecting locally In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/547 Title: #547: Use GSS-SPNEGO if connecting locally Label: +ack From freeipa-github-notification at redhat.com Tue Mar 7 16:37:23 2017 From: freeipa-github-notification at redhat.com (dkupka) Date: Tue, 07 Mar 2017 17:37:23 +0100 Subject: [Freeipa-devel] [freeipa PR#516][comment] IdM Server: list all Employees with matching Smart Card In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/516 Title: #516: IdM Server: list all Employees with matching Smart Card dkupka commented: """ @flo-renaud That's right but we should probably stress this somehow because it's not intuitive. Also we're returning what SSSD would return on master but we have no idea what it will return on some other host. """ See the full comment at https://github.com/freeipa/freeipa/pull/516#issuecomment-284776883 From freeipa-github-notification at redhat.com Tue Mar 7 16:39:47 2017 From: freeipa-github-notification at redhat.com (simo5) Date: Tue, 07 Mar 2017 17:39:47 +0100 Subject: [Freeipa-devel] [freeipa PR#546][synchronized] Store session cookie in a ccache option In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/546 Author: simo5 Title: #546: Store session cookie in a ccache option Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/546/head:pr546 git checkout pr546 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-546.patch Type: text/x-diff Size: 9669 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Mar 7 16:55:57 2017 
From: freeipa-github-notification at redhat.com (pvoborni) Date: Tue, 07 Mar 2017 17:55:57 +0100 Subject: [Freeipa-devel] [freeipa PR#533][+ack] WebUI: Change structure of Identity submenu In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/533 Title: #533: WebUI: Change structure of Identity submenu Label: +ack From freeipa-github-notification at redhat.com Tue Mar 7 17:14:12 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 07 Mar 2017 18:14:12 +0100 Subject: [Freeipa-devel] [freeipa PR#548][opened] ipa-server-install: add --setup-kra option Message-ID: URL: https://github.com/freeipa/freeipa/pull/548 Author: MartinBasti Title: #548: ipa-server-install: add --setup-kra option Action: opened PR body: """ """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/548/head:pr548 git checkout pr548 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-548.patch Type: text/x-diff Size: 10149 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Mar 7 17:28:49 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Tue, 07 Mar 2017 18:28:49 +0100 Subject: [Freeipa-devel] [freeipa PR#400][synchronized] WebUI: Certificate Mapping In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/400 Author: pvomacka Title: #400: WebUI: Certificate Mapping Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/400/head:pr400 git checkout pr400 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-400.patch Type: text/x-diff Size: 29461 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Mar 7 17:31:20 2017 
From: freeipa-github-notification at redhat.com (pvomacka) Date: Tue, 07 Mar 2017 18:31:20 +0100 Subject: [Freeipa-devel] [freeipa PR#400][comment] WebUI: Certificate Mapping In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/400 Title: #400: WebUI: Certificate Mapping pvomacka commented: """ @pvoborni Thanks for review. I removed the space :) """ See the full comment at https://github.com/freeipa/freeipa/pull/400#issuecomment-284796053 From mbasti at redhat.com Tue Mar 7 17:50:41 2017 
From: mbasti at redhat.com (Martin Basti) Date: Tue, 7 Mar 2017 18:50:41 +0100 Subject: [Freeipa-devel] Please review: V4/AD user short names design draft In-Reply-To: <20170307144102.GB26633@dhcp129-180.brq.redhat.com> References: <1488384292.10234.35.camel@redhat.com> <1488387086.10234.41.camel@redhat.com> <1374aa71-8e1a-73db-94a1-6af26789c2ed@redhat.com> <1488462844.10234.64.camel@redhat.com> <661d804b-6e13-a15d-9599-4020be54bd64@redhat.com> <1488804520.10234.108.camel@redhat.com> <028e3ef1-a022-e9c2-1368-d645a453555a@redhat.com> <1488896045.16250.22.camel@redhat.com> <20170307143442.b66vqszwwdcko66c@redhat.com> <20170307144102.GB26633@dhcp129-180.brq.redhat.com> Message-ID: <355cbc7c-e9a9-fa47-651f-0a43a512f325@redhat.com> On 07.03.2017 15:41, Martin Babinsky wrote: > On Tue, Mar 07, 2017 at 04:34:42PM +0200, Alexander Bokovoy wrote: >> On ti, 07 maalis 2017, Simo Sorce wrote: >>> On Tue, 2017-03-07 at 09:38 +0100, Martin Babinsky wrote: >>>> On 03/06/2017 01:48 PM, Simo Sorce wrote: >>>>> On Mon, 2017-03-06 at 07:47 +0100, Martin Babinsky wrote: >>>>>> On 03/02/2017 02:54 PM, Simo Sorce wrote: >>>>>>> On Thu, 2017-03-02 at 08:10 +0100, Martin Babinsky wrote: >>>>>>>> In this case it would probably be a good idea to think about "forward >>>>>>>> compatibility" and define a new AUX objectclass bringing in >>>>>>>> 'ipaDomainResolutionOrder' instead of extending two separate >>>>>>>> objectclasses. In this way we may the just extend whathever object we >>>>>>>> desire to carry the override in an easy and clean way. >>>>>>> I agree. >>>>>>> Simo. >>>>>>> >>>>>> Now the most difficult question remains... How to name this objectclass. >>>>>> I personally am out of ideas but will try my best to come up with >>>>>> something meaningful. >>>>> Try to describe what the option ultimately does with as few words as >>>>> possible. >>>>> >>>>> Simo. 
>>>>> >>>>> >>>> I was thinking about this and since we are performing name qualification >>>> (short-name -> fully-qualified name incl. domain/realm part), I would >>>> like to propose the following naming schema: >>>> >>>> objectlasses: ( OID_TBD NAME ipaNameQualificationData Desc 'data used >>>> for short name qualification data' SUP top AUXILIARY MAY >>>> (ipaNameQualificationDomainList) X-ORIGIN 'IPA 4.5' ) >>>> >>>> attributeTypes: ( OID_TBD NAME 'ipaNameQualificationDomainList' DESC >>>> 'List of domains used to qualify user short name' EQUALITY >>>> caseIgnoreIA5Match SINGLE-VALUE SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 >>>> X-ORIGIN 'IPA v4.5' ) >>>> >>>> Let me know if you are ok with this or am I overengineering the names? >>>> >>>> I would like to solve this quickly so that I can finish the design and >>>> start implementation. >>> I was thinking that we can use acronyms here to make it less of a >>> mouthful and also more easily recognizable: >>> My idea is: >>> - ipaNameQualificationData -> ipaFQDNPolicies >>> - ipaNameQualificationDomainList -> ipaFQDNCheckOrder >> Sounds good to me. >> -- >> / Alexander Bokovoy > I am not sure about the relation of this to any policy, but I guess that is > just nitpicking. > > I will wait awhile for others to object and then update design. > I agree to not use "policy" in the name Martin^2 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 847 bytes Desc: OpenPGP digital signature URL: From freeipa-github-notification at redhat.com Tue Mar 7 17:51:49 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 07 Mar 2017 18:51:49 +0100 Subject: [Freeipa-devel] [freeipa PR#529][synchronized] installer: update time estimates In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/529 Author: tomaskrizek Title: #529: installer: update time estimates Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/529/head:pr529 git checkout pr529 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-529.patch Type: text/x-diff Size: 6177 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Mar 7 17:54:34 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 07 Mar 2017 18:54:34 +0100 Subject: [Freeipa-devel] [freeipa PR#529][comment] installer: update time estimates In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/529 Title: #529: installer: update time estimates tomaskrizek commented: """ @stlaz That estimate was a bit off :) Thanks for noticing! """ See the full comment at https://github.com/freeipa/freeipa/pull/529#issuecomment-284802644 From freeipa-github-notification at redhat.com Tue Mar 7 18:54:24 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 07 Mar 2017 19:54:24 +0100 Subject: [Freeipa-devel] [freeipa PR#504][+pushed] Add SHA256 fingerprints In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/504 Title: #504: Add SHA256 fingerprints Label: +pushed From freeipa-github-notification at redhat.com Tue Mar 7 18:54:26 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 07 Mar 2017 19:54:26 +0100 Subject: [Freeipa-devel] [freeipa PR#504][comment] Add SHA256 fingerprints In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/504 Title: #504: Add SHA256 fingerprints tomaskrizek commented: """ master: * a06c71b1268850e485e89049ed3654f893edff0b Add SHA256 fingerprints for certs """ See the full comment at https://github.com/freeipa/freeipa/pull/504#issuecomment-284819750 From freeipa-github-notification at redhat.com Tue Mar 7 18:54:27 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 07 Mar 2017 19:54:27 +0100 Subject: [Freeipa-devel] [freeipa PR#504][closed] Add SHA256 fingerprints In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/504 Author: tomaskrizek Title: #504: Add SHA256 fingerprints Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/504/head:pr504 git checkout pr504 From freeipa-github-notification at redhat.com Tue Mar 7 18:58:48 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 07 Mar 2017 19:58:48 +0100 Subject: [Freeipa-devel] [freeipa PR#519][comment] WebUI: add sizelimit:0 to cert-find In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/519 Title: #519: WebUI: add sizelimit:0 to cert-find tomaskrizek commented: """ master: * aa8530b7af8f04a4ba868f73ea9f171911162638 WebUI: add sizelimit:0 to cert-find """ See the full comment at https://github.com/freeipa/freeipa/pull/519#issuecomment-284821038 From freeipa-github-notification at redhat.com Tue Mar 7 18:58:50 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 07 Mar 2017 19:58:50 +0100 Subject: [Freeipa-devel] [freeipa PR#519][+pushed] WebUI: add sizelimit:0 to cert-find In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/519 Title: #519: WebUI: add sizelimit:0 to cert-find Label: +pushed From freeipa-github-notification at redhat.com Tue Mar 7 18:58:51 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 07 Mar 2017 19:58:51 +0100 Subject: [Freeipa-devel] [freeipa PR#519][closed] WebUI: add sizelimit:0 to cert-find In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/519 Author: pvomacka Title: #519: WebUI: add sizelimit:0 to cert-find Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/519/head:pr519 git checkout pr519 From freeipa-github-notification at redhat.com Tue Mar 7 19:04:35 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 07 Mar 2017 20:04:35 +0100 Subject: [Freeipa-devel] [freeipa PR#533][+pushed] WebUI: Change structure of Identity submenu In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/533 Title: #533: WebUI: Change structure of Identity submenu Label: +pushed From freeipa-github-notification at redhat.com Tue Mar 7 19:04:37 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 07 Mar 2017 20:04:37 +0100 Subject: [Freeipa-devel] [freeipa PR#533][comment] WebUI: Change structure of Identity submenu In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/533 Title: #533: WebUI: Change structure of Identity submenu tomaskrizek commented: """ master: * 070bc48dd6c9bce32caa0f0f2de8d44b4e5bbbb1 WebUI: Change structure of Identity submenu """ See the full comment at https://github.com/freeipa/freeipa/pull/533#issuecomment-284822725 From freeipa-github-notification at redhat.com Tue Mar 7 19:04:38 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 07 Mar 2017 20:04:38 +0100 Subject: [Freeipa-devel] [freeipa PR#533][closed] WebUI: Change structure of Identity submenu In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/533 Author: pvomacka Title: #533: WebUI: Change structure of Identity submenu Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/533/head:pr533 git checkout pr533 From freeipa-github-notification at redhat.com Tue Mar 7 19:07:12 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 07 Mar 2017 20:07:12 +0100 Subject: [Freeipa-devel] [freeipa PR#536][+pushed] ipa systemd unit should define Wants=network instead of Requires=network In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/536 Title: #536: ipa systemd unit should define Wants=network instead of Requires=network Label: +pushed From freeipa-github-notification at redhat.com Tue Mar 7 19:07:13 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 07 Mar 2017 20:07:13 +0100 Subject: [Freeipa-devel] [freeipa PR#536][comment] ipa systemd unit should define Wants=network instead of Requires=network In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/536 Title: #536: ipa systemd unit should define Wants=network instead of Requires=network tomaskrizek commented: """ master: * f447489707812643ee918266f99ca1ac82a408af ipa systemd unit should define Wants=network instead of Requires=network """ See the full comment at https://github.com/freeipa/freeipa/pull/536#issuecomment-284823436 From freeipa-github-notification at redhat.com Tue Mar 7 19:07:14 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 07 Mar 2017 20:07:14 +0100 Subject: [Freeipa-devel] [freeipa PR#536][closed] ipa systemd unit should define Wants=network instead of Requires=network In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/536 Author: flo-renaud Title: #536: ipa systemd unit should define Wants=network instead of Requires=network Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/536/head:pr536 git checkout pr536 From freeipa-github-notification at redhat.com Tue Mar 7 19:10:41 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 07 Mar 2017 20:10:41 +0100 Subject: [Freeipa-devel] [freeipa PR#547][comment] Use GSS-SPNEGO if connecting locally In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/547 Title: #547: Use GSS-SPNEGO if connecting locally tomaskrizek commented: """ master: * adf8aabf10a57383aa6216625921503b83575757 Use GSS-SPNEGO if connecting locally """ See the full comment at https://github.com/freeipa/freeipa/pull/547#issuecomment-284824403 From freeipa-github-notification at redhat.com Tue Mar 7 19:10:43 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 07 Mar 2017 20:10:43 +0100 Subject: [Freeipa-devel] [freeipa PR#547][+pushed] Use GSS-SPNEGO if connecting locally In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/547 Title: #547: Use GSS-SPNEGO if connecting locally Label: +pushed From freeipa-github-notification at redhat.com Tue Mar 7 19:10:44 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 07 Mar 2017 20:10:44 +0100 Subject: [Freeipa-devel] [freeipa PR#547][closed] Use GSS-SPNEGO if connecting locally In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/547 Author: simo5 Title: #547: Use GSS-SPNEGO if connecting locally Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/547/head:pr547 git checkout pr547 From freeipa-github-notification at redhat.com Tue Mar 7 21:02:39 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Tue, 07 Mar 2017 22:02:39 +0100 Subject: [Freeipa-devel] [freeipa PR#549][opened] T6601 certmap match Message-ID: URL: https://github.com/freeipa/freeipa/pull/549 Author: pvomacka Title: #549: T6601 certmap match Action: opened PR body: """ WebUI: add support for certmap match command. PR contains also certmap rule patches from pullrequest #400 (I will rebase once #400 will be merged) because they are necessary. It also requires PRs #398 and #516. https://pagure.io/freeipa/issue/6601 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/549/head:pr549 git checkout pr549 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-549.patch Type: text/x-diff Size: 53138 bytes Desc: not available URL: From ftweedal at redhat.com Wed Mar 8 01:24:22 2017 
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Wed, 8 Mar 2017 11:24:22 +1000
Subject: [Freeipa-devel] FreeIPA and wildcard certificates
In-Reply-To:
References: <1c7e5abb-9c33-1cdd-fd4b-221a15c85672@redhat.com>
 <20170208081954.c4kethc4lzjagdmp@redhat.com>
 <20170209011200.GA3557@dhcp-40-8.bne.redhat.com>
 <340637ac-a6ba-517a-e2e8-a9ddaf7e63d5@redhat.com>
 <20170209214418.GD3557@dhcp-40-8.bne.redhat.com>
 <20170210093708.GI3557@dhcp-40-8.bne.redhat.com>
 <37f8b430-92d4-3ab2-69a2-1b96cbb5b75b@redhat.com>
 <20170220050353.GT3557@dhcp-40-8.bne.redhat.com>
Message-ID: <20170308012422.GY6697@dhcp-40-8.bne.redhat.com>

On Wed, Feb 22, 2017 at 10:17:32AM +0100, Martin Kosek wrote:
> On 02/20/2017 06:03 AM, Fraser Tweedale wrote:
> > On Fri, Feb 10, 2017 at 11:48:39AM +0100, Martin Kosek wrote:
> >> On 02/10/2017 10:37 AM, Fraser Tweedale wrote:
> >>> On Fri, Feb 10, 2017 at 09:23:10AM +0100, Martin Kosek wrote:
> >>>> On 02/09/2017 10:44 PM, Fraser Tweedale wrote:
> >>>>> On Thu, Feb 09, 2017 at 08:37:23AM +0100, Martin Kosek wrote:
> >>>>>> On 02/09/2017 02:12 AM, Fraser Tweedale wrote:
> >>>>>>> On Wed, Feb 08, 2017 at 10:19:54AM +0200, Alexander Bokovoy wrote:
> >>>>>>>> On ke, 08 helmi 2017, Martin Kosek wrote:
> >>>>>>>>> Hi Fraser and the list,
> >>>>>>>>>
> >>>>>>>>> I recently was in a conversation about integrating OpenShift with FreeIPA. One
> >>>>>>>>> of the gaps was around generating a wildcard certificate by FreeIPA that will
> >>>>>>>>> be used in the default OpenShift router for applications that do not deploy own
> >>>>>>>>> certificates [1].
> >>>>>>>>>
> >>>>>>>>> Is there any way that FreeIPA can generate it? I was thinking that uploading
> >>>>>>>>> some custom certificate profile in FreeIPA may let us get such certificate...
> >>>>>>>>> Or is the only way we can add it by adding a new RFE in FreeIPA, tracked in
> >>>>>>>>> [2]?
> >>>>>>>> Yes, we need a new RFE. There are checks in IPA that prevent wildcard
> >>>>>>>> certificates to be issued:
> >>>>>>>>
> >>>>>>>> - we ensure subject 'cn' of the certificate matches a Kerberos principal
> >>>>>>>>   specified in the request
> >>>>>>>>
> >>>>>>>> - we validate that host object exists in IPA when the Kerberos
> >>>>>>>>   principal is host/...
> >>>>>>>>
> >>>>>>>> We could lift off these two limitations for 'cn=*,$suffix' but there is
> >>>>>>>> still a need to apply proper ACLs when issuing the cert -- e.g. some
> >>>>>>>> object has to be used for performing access rights check. The wildcard
> >>>>>>>> certificate does not need to be stored anywhere in the tree, but a
> >>>>>>>> check still needs to be done.
> >>>>>>>>
> >>>>>>>> For example, for Kerberos PKINIT certificate which is issued to KDC we
> >>>>>>>> don't store public certificate in LDAP either but we do two checks:
> >>>>>>>> - a special KDC certificate profile is used to issue the cert
> >>>>>>>> - a special hostname check is done so that only IPA masters are able to
> >>>>>>>>   request this certificate
> >>>>>>>>
> >>>>>>>> For the wildcard certificate I think we could have following:
> >>>>>>>> - use a separate profile for the wildcard, associated with a sub-CA
> >>>>>>>> - hardcode CN default in the profile to always be 'CN=*, O=$SUB_CA_SUBJECT' so that
> >>>>>>>>   actual certificate ignores requested CN.
> >>>>>>>> - a special check to be done so that only wildcard-based subject
> >>>>>>>>   alternative names can be added to a wildcard certificate request
> >>>>>>>> - all Kerberos principal / hostname checks are skipped.
> >>>>>>>> - actual ACL check is done by CA ACL.
> >>>>>>>>
> >>>>>>> Issuing wildcard certs is a deprecated practice[1]. I am not
> >>>>>>> dismissing the needs of OpenShift (or PaaS/IaaS solutions in
> >>>>>>> general) but I'd like to have a discussion with them about how
> >>>>>>> they're currently dealing with certs and whether a different
> >>>>>>> direction other than wildcard certs is feasible. Martin, who should
> >>>>>>> I reach out to? Feel free to copy them into this discussion.
> >>>>>>
> >>>>>> Right now, I am talking to a Solution Architect, i.e. someone who is building
> >>>>>> GAed solutions, not developers. This is not something we would change
> >>>>>> short-term anyway, this is how current OpenShift v2 or v3 behaves, despite the RFC.
> >>>>>>
> >>>>>> While I understand why having certificate *.lab.example.com and using it for my
> >>>>>> lab machines is a bad idea and increases the attack vector, I do not see it
> >>>>>> that way for OpenShift. There, applications get URL like
> >>>>>> ".myopenshift.test" and all is routed by one entity, the OpenShift
> >>>>>> broker. So the key.cert is on one location, just serving different names that
> >>>>>> are provisioned with OpenShift.
> >>>>>>
> >>>>>> I can understand that issuing a new certificate for every application
> >>>>>> provisioned by OpenShift and then renewing it complicates the design
> >>>>>> significantly. I am trying to be creative and see if current OpenShift could
> >>>>>> leverage FreeIPA CA and issue the broker cert, with current profile
> >>>>>> capabilities or with small change.
> >>>>>>
> >>>>> I believe OpenShift supports per-application certificates (i.e. when
> >>>>> app developers/maintainers supply their own cert for a custom
> >>>>> domain). So it might be possible in v2 or v3 to provision a cert
> >>>>> for every app.
> >>>>
> >>>> Right, it supports this. But then issuing the certificate and renewal is a
> >>>> responsibility of app developer, AFAIK. I do not think if OpenShift has all the
> >>>> needed hooks to do this automatically and call certmonger for example.
> >>>>
> >>>> TLDR; adding a support of certmonger and issuing a certificate for every new
> >>>> application is a whole another degree of complexity than just issuing a
> >>>> Wildcard certificate for the router. I am not saying it should not be done, I
> >>>> am just saying that being able to generate a wildcard certificate with FreeIPA
> >>>> would let us integrate with OpenShift much better than now and with (hopefully)
> >>>> low effort involved, i.e. faster.
> >>>>
> >>>>> An automated solution does not yet exist but that
> >>>>> doesn't mean it can't be built out of what's currently GA.
> >>>>>
> >>>>>>> [1] https://tools.ietf.org/html/rfc6125#section-7.2
> >>>>>>>
> >>>>>>> If we do go ahead with wildcard cert support in FreeIPA, some of my
> >>>>>>> initial questions are:
> >>>>>>>
> >>>>>>> - For the OpenShift use case, what is the "parent" domain name and
> >>>>>>>   is it the same as the IPA domain name? Is it a subdomain of the
> >>>>>>>   IPA domain name?
> >>>>>>>
> >>>>>>> - Do we need to support issuing "*.${IPA_DOMAIN}"? i.e. wildcard
> >>>>>>>   cert under entire IPA domain name.
> >>>>>>>
> >>>>>>> - Do we need to support issuing "*.${IPA_HOSTNAME}"? i.e. wildcard
> >>>>>>>   certs under names of IPA host principals.
> >>>>>>
> >>>>>> I do not know, but I can ask if it is important for you :-)
> >>>>>>
> >>>>> It's important to know what I actually need to do if we proceed with
> >>>>> implementing this :)
> >>>>
> >>>> We do not need to jump on implementing it right away, you already have a lot on
> >>>> your plate. Right now, I must just want to know:
> >>>>
> >>>> - is there any way how I can generate wildcard cert with current FreeIPA, using
> >>>>   a custom certificate profile. I assume the answer is no.
> >>>>
> >>> I have an idea.
> >>>
> >>> - Assume there exists a FreeIPA host `foo.example.com', the "parent"
> >>>   domain name for the desired wildcard name `*.foo.example.com'.
> >>>
> >>> - Create a profile with the config:
> >>>
> >>>   policyset.serverCertSet..constraint.class_id=subjectNameConstraintImpl
> >>>   policyset.serverCertSet..constraint.name=Subject Name Constraint
> >>>   policyset.serverCertSet..constraint.params.accept=true
> >>>   policyset.serverCertSet..constraint.params.pattern=CN=[^,]+,.+
> >>>   policyset.serverCertSet..default.class_id=subjectNameDefaultImpl
> >>>   policyset.serverCertSet..default.name=Subject Name Default
> >>>   policyset.serverCertSet..default.params.name=CN=*.$request.req_subject_name.cn$, o=EXAMPLE.COM
> >>>
> >>> - Set up CA ACLs to constrain use of this profile for issuance only
> >>>   to hosts for which a wildcard cert *under* their hostname is
> >>>   allowed.
> >>>
> >>> - Issue wildcard cert.
> >>>
> >>> I'm not 100% sure if that last directive from the snippet above is
> >>> valid. Worth a shot.
> >>
> >> This is exactly what I was looking for, as a workaround! Do you think you would
> >> be able to try it (not necessarily right now, but in several days)? Just so
> >> that we know it would work.
> >>
> > It works. I wrote it up in a blog post:
> > http://blog-ftweedal.rhcloud.com/2017/02/wildcard-certificates-in-freeipa/
>
> I knew that will be a procedure like that! :-) Thanks for writing it down.
>
> >>>> - how complex would it be to add support of Wildcard certificate support to
> >>>>   FreeIPA (rough scope).
> >>>>
> >>> It really depends on the answers to my earlier questions :) Need to
> >>> know *exactly* what is needed for OpenShift in terms of how the
> >>> domain(s) to include in the cert relate to IPA domain or
> >>> host/service principals defined therein.
> >>
> >> We should not make feature too specific to OpenShift anyway, so I do not think
> >> the answers to these questions need to come from OpenShift, but rather from our
> >> understanding of how to make this feature useful for FreeIPA users.
> >>
> >> But if you check OpenShift documentation:
> >> https://docs.openshift.com/container-platform/3.4/install_config/router/default_haproxy_router.html#using-wildcard-certificates
> >> you will see that the domain for the wildcard is configurable. So AFAIK, the
> >> OpenShift may join a realm EXAMPLE.COM and have the wildcard cert for
> >> '*.cloudapps.example.com'.
> >>
> > After my exploration of what we can do with FreeIPA, I'd now be
> > surprised if we need to do anything else at all, besides perhaps
> > some official doc e.g. a KBase article.
> >
> > Please pass the info along and see if the OpenShift folks are happy
> > with what they can do with a custom profile.
>
> I will definitely pass this information.
>
> As for any follow on FreeIPA side, I think it would be fine to add this
> procedure as an official FreeIPA Howto, just to make sure it does not
> disappear. I saw you linked it from
> http://www.freeipa.org/page/HowTos
> but I think it would make sense having this also on the official project wiki.
>

I copied my blog post to the wiki (and updated the HowTos index):
https://www.freeipa.org/page/Howto/Wildcard_certificates

Cheers,
Fraser

From jcholast at redhat.com Wed Mar 8 06:37:40 2017
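
The profile idea from the wildcard-certificate message above, modelled as an added example (not code from the thread, Dogtag or FreeIPA): it expands the quoted default-name template, applies the quoted constraint pattern, and checks which hostnames the resulting `*.foo.example.com` name covers when the wildcard stands for exactly one left-most label (RFC 6125). Assumptions: the default is applied before the constraint, the pattern must match the whole subject, and the `permitted_hosts` set is a hypothetical stand-in for the CA ACL step.

```python
import re

# Values of the two profile directives quoted in the message (the policy-set
# index is elided on the page, so only the values are modelled here).
CONSTRAINT_PATTERN = r"CN=[^,]+,.+"
DEFAULT_NAME = "CN=*.$request.req_subject_name.cn$, o=EXAMPLE.COM"

_REQUEST_VAR = re.compile(r"\$request\.([A-Za-z0-9_.]+)\$")


def apply_default(template, request):
    """Expand $request.<key>$ variables from a dict of request attributes."""
    return _REQUEST_VAR.sub(lambda m: request[m.group(1)], template)


def profile_subject(csr_cn):
    """Subject the modelled profile puts in the certificate for a CSR CN.

    Assumption: the default runs first and the constraint pattern must then
    match the whole resulting subject string.
    """
    subject = apply_default(DEFAULT_NAME, {"req_subject_name.cn": csr_cn})
    if re.fullmatch(CONSTRAINT_PATTERN, subject) is None:
        raise ValueError("subject rejected by constraint: %r" % subject)
    return subject


def covers(cert_name, hostname):
    """True if cert_name matches hostname; '*' is one whole left-most label."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False
    if cert_labels[0] == "*":
        # The wildcard replaces exactly one non-empty label, never several
        # labels and never the parent name itself.
        return host_labels[0] != "" and cert_labels[1:] == host_labels[1:]
    return cert_labels == host_labels


def request_wildcard(csr_cn, permitted_hosts):
    """Model the procedure: ACL check, then profile, then the issued CN.

    permitted_hosts is a hypothetical stand-in for the CA ACL that limits
    the profile to hosts allowed a wildcard under their own name.
    """
    host = csr_cn.lower().rstrip(".")
    if host not in permitted_hosts:
        raise PermissionError("no CA ACL allows a wildcard under %r" % csr_cn)
    subject = profile_subject(host)
    cert_cn = subject.split(",", 1)[0][len("CN="):]
    return subject, cert_cn


if __name__ == "__main__":
    acl = {"foo.example.com"}  # constructed sample data
    subject, cn = request_wildcard("foo.example.com", acl)
    print(subject)
    for name in ("app1.foo.example.com", "foo.example.com",
                 "a.b.foo.example.com", "app1.bar.example.com"):
        print("%-24s %s" % (name, covers(cn, name)))
    # The pattern only requires "CN=<no comma>,<rest>", so it does not limit
    # which CN is wildcarded; in this model that is the ACL step's job.
    print(profile_subject("not a hostname"))
```

Because the constraint pattern accepts any comma-free CN, the restriction to intended parent hosts in this model comes entirely from the ACL step, which matches the message's instruction to set up CA ACLs for the profile.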
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 8 Mar 2017 07:37:40 +0100
Subject: [Freeipa-devel] Please review: V4/AD user short names design draft
In-Reply-To: <1488896045.16250.22.camel@redhat.com>
References: <92623f03-bb8c-9931-ff54-3024bdb3077d@redhat.com>
 <1488379327.10234.17.camel@redhat.com>
 <1488382341.10234.26.camel@redhat.com>
 <1488384292.10234.35.camel@redhat.com>
 <1488387086.10234.41.camel@redhat.com>
 <1374aa71-8e1a-73db-94a1-6af26789c2ed@redhat.com>
 <1488462844.10234.64.camel@redhat.com>
 <661d804b-6e13-a15d-9599-4020be54bd64@redhat.com>
 <1488804520.10234.108.camel@redhat.com>
 <028e3ef1-a022-e9c2-1368-d645a453555a@redhat.com>
 <1488896045.16250.22.camel@redhat.com>
Message-ID: <8efa348b-b783-5757-93e2-38d11286e4a6@redhat.com>

On 7.3.2017 15:14, Simo Sorce wrote:
> On Tue, 2017-03-07 at 09:38 +0100, Martin Babinsky wrote:
>> On 03/06/2017 01:48 PM, Simo Sorce wrote:
>>> On Mon, 2017-03-06 at 07:47 +0100, Martin Babinsky wrote:
>>>> On 03/02/2017 02:54 PM, Simo Sorce wrote:
>>>>> On Thu, 2017-03-02 at 08:10 +0100, Martin Babinsky wrote:
>>>>>> In this case it would probably be a good idea to think about "forward
>>>>>> compatibility" and define a new AUX objectclass bringing in
>>>>>> 'ipaDomainResolutionOrder' instead of extending two separate
>>>>>> objectclasses. In this way we may then just extend whatever object we
>>>>>> desire to carry the override in an easy and clean way.
>>>>>
>>>>> I agree.
>>>>> Simo.
>>>>>
>>>>
>>>> Now the most difficult question remains... How to name this objectclass.
>>>> I personally am out of ideas but will try my best to come up with
>>>> something meaningful.
>>>
>>> Try to describe what the option ultimately does with as few words as
>>> possible.
>>>
>>> Simo.
>>>
>>>
>>
>> I was thinking about this and since we are performing name qualification
>> (short-name -> fully-qualified name incl. domain/realm part), I would
>> like to propose the following naming schema:
>>
>> objectclasses: ( OID_TBD NAME ipaNameQualificationData Desc 'data used
>> for short name qualification data' SUP top AUXILIARY MAY
>> (ipaNameQualificationDomainList) X-ORIGIN 'IPA 4.5' )
>>
>> attributeTypes: ( OID_TBD NAME 'ipaNameQualificationDomainList' DESC
>> 'List of domains used to qualify user short name' EQUALITY
>> caseIgnoreIA5Match SINGLE-VALUE SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
>> X-ORIGIN 'IPA v4.5' )
>>
>> Let me know if you are ok with this or am I overengineering the names?
>>
>> I would like to solve this quickly so that I can finish the design and
>> start implementation.
>
> I was thinking that we can use acronyms here to make it less of a
> mouthful and also more easily recognizable:
> My idea is:
> - ipaNameQualificationData -> ipaFQDNPolicies
> - ipaNameQualificationDomainList -> ipaFQDNCheckOrder

TBH I liked ipaDomainResolutionOrder the best, both
ipaNameQualificationDomainList and ipaFQDNCheckOrder sound overengineered to
me :-)

If ipaDomainResolutionOrder is not good enough, we could draw some
inspiration from resolv.conf and use e.g. ipaDomainSearchList.

--
Jan Cholasta

From mbabinsk at redhat.com Wed Mar 8 07:18:17 2017
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Wed, 8 Mar 2017 08:18:17 +0100
Subject: [Freeipa-devel] Please review: V4/AD user short names design draft
In-Reply-To: <8efa348b-b783-5757-93e2-38d11286e4a6@redhat.com>
References: <1488384292.10234.35.camel@redhat.com>
 <1488387086.10234.41.camel@redhat.com>
 <1374aa71-8e1a-73db-94a1-6af26789c2ed@redhat.com>
 <1488462844.10234.64.camel@redhat.com>
 <661d804b-6e13-a15d-9599-4020be54bd64@redhat.com>
 <1488804520.10234.108.camel@redhat.com>
 <028e3ef1-a022-e9c2-1368-d645a453555a@redhat.com>
 <1488896045.16250.22.camel@redhat.com>
 <8efa348b-b783-5757-93e2-38d11286e4a6@redhat.com>
Message-ID: <20170308071816.GD26633@dhcp129-180.brq.redhat.com>

On Wed, Mar 08, 2017 at 07:37:40AM +0100, Jan Cholasta wrote:
>On 7.3.2017 15:14, Simo Sorce wrote:
>> On Tue, 2017-03-07 at 09:38 +0100, Martin Babinsky wrote:
>> > On 03/06/2017 01:48 PM, Simo Sorce wrote:
>> > > On Mon, 2017-03-06 at 07:47 +0100, Martin Babinsky wrote:
>> > > > On 03/02/2017 02:54 PM, Simo Sorce wrote:
>> > > > > On Thu, 2017-03-02 at 08:10 +0100, Martin Babinsky wrote:
>> > > > > > In this case it would probably be a good idea to think about "forward
>> > > > > > compatibility" and define a new AUX objectclass bringing in
>> > > > > > 'ipaDomainResolutionOrder' instead of extending two separate
>> > > > > > objectclasses. In this way we may then just extend whatever object we
>> > > > > > desire to carry the override in an easy and clean way.
>> > > > >
>> > > > > I agree.
>> > > > > Simo.
>> > > > >
>> > > >
>> > > > Now the most difficult question remains... How to name this objectclass.
>> > > > I personally am out of ideas but will try my best to come up with
>> > > > something meaningful.
>> > >
>> > > Try to describe what the option ultimately does with as few words as
>> > > possible.
>> > >
>> > > Simo.
>> > >
>> > >
>> >
>> > I was thinking about this and since we are performing name qualification
>> > (short-name -> fully-qualified name incl. domain/realm part), I would
>> > like to propose the following naming schema:
>> >
>> > objectclasses: ( OID_TBD NAME ipaNameQualificationData Desc 'data used
>> > for short name qualification data' SUP top AUXILIARY MAY
>> > (ipaNameQualificationDomainList) X-ORIGIN 'IPA 4.5' )
>> >
>> > attributeTypes: ( OID_TBD NAME 'ipaNameQualificationDomainList' DESC
>> > 'List of domains used to qualify user short name' EQUALITY
>> > caseIgnoreIA5Match SINGLE-VALUE SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
>> > X-ORIGIN 'IPA v4.5' )
>> >
>> > Let me know if you are ok with this or am I overengineering the names?
>> >
>> > I would like to solve this quickly so that I can finish the design and
>> > start implementation.
>>
>> I was thinking that we can use acronyms here to make it less of a
>> mouthful and also more easily recognizable:
>> My idea is:
>> - ipaNameQualificationData -> ipaFQDNPolicies
>> - ipaNameQualificationDomainList -> ipaFQDNCheckOrder
>
>TBH I liked ipaDomainResolutionOrder the best, both
>ipaNameQualificationDomainList and ipaFQDNCheckOrder sound overengineered to
>me :-)
>
>If ipaDomainResolutionOrder is not good enough, we could draw some
>inspiration from resolv.conf and use e.g. ipaDomainSearchList.
>
>--
>Jan Cholasta

Sigh, naming stuff is always the hardest path. As a compromise let's settle
with the following:

* objectclass: ipaNameResolutionData
* attribute: ipaDomainSearchList

I will use these to update the design page. You can then object during another
phase of review process.

--
Martin Babinsky

From freeipa-github-notification at redhat.com Wed Mar 8 08:04:35 2017
From: freeipa-github-notification at redhat.com (pvomacka) Date: Wed, 08 Mar 2017 09:04:35 +0100 Subject: [Freeipa-devel] [freeipa PR#549][edited] T6601 certmap match In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/549 Author: pvomacka Title: #549: T6601 certmap match Action: edited Changed field: title Original value: """ T6601 certmap match """ From freeipa-github-notification at redhat.com Wed Mar 8 08:21:38 2017 From: freeipa-github-notification at redhat.com (sumit-bose) Date: Wed, 08 Mar 2017 09:21:38 +0100 Subject: [Freeipa-devel] [freeipa PR#516][comment] IdM Server: list all Employees with matching Smart Card In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/516 Title: #516: IdM Server: list all Employees with matching Smart Card sumit-bose commented: """ I agree, it would be good if the help text can mention that cached data is used and maybe even mention the sss_cache utility to invalidate the entry. If the doc team can add this to the official documentation it would be even better. """ See the full comment at https://github.com/freeipa/freeipa/pull/516#issuecomment-284976922 From freeipa-github-notification at redhat.com Wed Mar 8 08:28:30 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 08 Mar 2017 09:28:30 +0100 Subject: [Freeipa-devel] [freeipa PR#550][opened] install: fix help Message-ID: URL: https://github.com/freeipa/freeipa/pull/550 Author: HonzaCholasta Title: #550: install: fix help Action: opened PR body: """ This PR fixes the known issue in the installer refactoring PR #232 and concludes https://pagure.io/freeipa/issue/6392. **server install: remove duplicate -w option** Remove duplicate -w alias of --admin-password in ipa-server-install and ipa-replica-install. **install: add missing space in realm_name description** **server install: remove duplicate knob definitions** Remove duplicate definitions of knobs already defined in client install. **client install: split off SSSD options into a separate class** Split off SSSD knob definitions from the ClientInstallInterface class into a new SSSDInstallInterface class. **install CLI: remove magic option groups** Do not automatically create the "basic options" and "uninstall options" option groups in the CLI code. **install: re-introduce option groups** Re-introduce option groups in ipa-client-install, ipa-server-install and ipa-replica-install. https://pagure.io/freeipa/issue/6392 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/550/head:pr550 git checkout pr550 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-550.patch Type: text/x-diff Size: 41917 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 8 08:41:38 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 08 Mar 2017 09:41:38 +0100 Subject: [Freeipa-devel] [freeipa PR#545][comment] install_check: require IPv6 stack to be enabled In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/545 Title: #545: install_check: require IPv6 stack to be enabled HonzaCholasta commented: """ Nitpick: the "install_check" prefix in the subject does not say anything, there are currently 7 `install_check`s in IPA. Please use something more descriptive, such as "server install". """ See the full comment at https://github.com/freeipa/freeipa/pull/545#issuecomment-284980994 From freeipa-github-notification at redhat.com Wed Mar 8 08:55:15 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 08 Mar 2017 09:55:15 +0100 Subject: [Freeipa-devel] [freeipa PR#548][comment] ipa-server-install: add --setup-kra option In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/548 Title: #548: ipa-server-install: add --setup-kra option HonzaCholasta commented: """ NACK on the "KRA: run install and install_check only when KRA should be installed" commit. The end goal for all component installers is to make them isolated and handle their options themselves, so that they can be packaged separately (among other things). This commit takes the code in the opposite direction. Also it does not make the code more readable because it is inconsistent with the CA installer. """ See the full comment at https://github.com/freeipa/freeipa/pull/548#issuecomment-284983950 From freeipa-github-notification at redhat.com Wed Mar 8 08:55:22 2017 
From: freeipa-github-notification at redhat.com (dkupka) Date: Wed, 08 Mar 2017 09:55:22 +0100 Subject: [Freeipa-devel] [freeipa PR#516][comment] IdM Server: list all Employees with matching Smart Card In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/516 Title: #516: IdM Server: list all Employees with matching Smart Card dkupka commented: """ @sumit-bose I agree. If this is in help text we can also display it in WebUI. @flo-renaud Please add description and explanation of this behaviour into __doc__ for certmap_match. Otherwise the pull request looks good to me and works as expected. """ See the full comment at https://github.com/freeipa/freeipa/pull/516#issuecomment-284983978 From freeipa-github-notification at redhat.com Wed Mar 8 08:59:47 2017 From: freeipa-github-notification at redhat.com (pvoborni) Date: Wed, 08 Mar 2017 09:59:47 +0100 Subject: [Freeipa-devel] [freeipa PR#400][+ack] WebUI: Certificate Mapping In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/400 Title: #400: WebUI: Certificate Mapping Label: +ack From freeipa-github-notification at redhat.com Wed Mar 8 09:03:34 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Wed, 08 Mar 2017 10:03:34 +0100 Subject: [Freeipa-devel] [freeipa PR#549][synchronized] WebUI: certmap match In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/549 Author: pvomacka Title: #549: WebUI: certmap match Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/549/head:pr549 git checkout pr549 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-549.patch Type: text/x-diff Size: 53161 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 8 09:06:54 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 08 Mar 2017 10:06:54 +0100 Subject: [Freeipa-devel] [freeipa PR#529][synchronized] installer: update time estimates In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/529 Author: tomaskrizek Title: #529: installer: update time estimates Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/529/head:pr529 git checkout pr529 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-529.patch Type: text/x-diff Size: 6083 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 8 09:08:49 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 08 Mar 2017 10:08:49 +0100 Subject: [Freeipa-devel] [freeipa PR#545][synchronized] install_check: require IPv6 stack to be enabled In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/545 Author: tomaskrizek Title: #545: install_check: require IPv6 stack to be enabled Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/545/head:pr545 git checkout pr545 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-545.patch Type: text/x-diff Size: 3764 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 8 09:15:31 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 08 Mar 2017 10:15:31 +0100 Subject: [Freeipa-devel] [freeipa PR#400][+pushed] WebUI: Certificate Mapping In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/400 Title: #400: WebUI: Certificate Mapping Label: +pushed From freeipa-github-notification at redhat.com Wed Mar 8 09:15:33 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 08 Mar 2017 10:15:33 +0100 Subject: [Freeipa-devel] [freeipa PR#400][comment] WebUI: Certificate Mapping In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/400 Title: #400: WebUI: Certificate Mapping tomaskrizek commented: """ master: * 27027bbc9cf7faa29c3c94686635559cbcbde98a WebUI: Add possibility to set field always writable * fba318b83337b71ccb3421690071a130171fbdfe WebUI: Create non editable row widget for mutlivalued widget * d3700275c1b63aeeab13c7dd9e09249bc2c8e4d7 WebUI: Add Custom command multivalued adder dialog * 19426f32ff99feb7c64a4174728cd2b6b946a49a WebUI: Add certmap module """ See the full comment at https://github.com/freeipa/freeipa/pull/400#issuecomment-284988307 From freeipa-github-notification at redhat.com Wed Mar 8 09:15:34 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 08 Mar 2017 10:15:34 +0100 Subject: [Freeipa-devel] [freeipa PR#400][closed] WebUI: Certificate Mapping In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/400 Author: pvomacka Title: #400: WebUI: Certificate Mapping Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/400/head:pr400 git checkout pr400 From freeipa-github-notification at redhat.com Wed Mar 8 09:16:50 2017 
From: freeipa-github-notification at redhat.com (pvomacka) Date: Wed, 08 Mar 2017 10:16:50 +0100 Subject: [Freeipa-devel] [freeipa PR#549][synchronized] WebUI: certmap match In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/549 Author: pvomacka Title: #549: WebUI: certmap match Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/549/head:pr549 git checkout pr549 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-549.patch Type: text/x-diff Size: 23699 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 8 09:21:58 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Wed, 08 Mar 2017 10:21:58 +0100 Subject: [Freeipa-devel] [freeipa PR#549][comment] WebUI: certmap match In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/549 Title: #549: WebUI: certmap match pvomacka commented: """ Rebased. PR #400 already merged. """ See the full comment at https://github.com/freeipa/freeipa/pull/549#issuecomment-284989778 From mbabinsk at redhat.com Wed Mar 8 09:30:18 2017 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Wed, 8 Mar 2017 10:30:18 +0100 Subject: [Freeipa-devel] Please review: V4/AD user short names design draft In-Reply-To: <92623f03-bb8c-9931-ff54-3024bdb3077d@redhat.com> References: <92623f03-bb8c-9931-ff54-3024bdb3077d@redhat.com> Message-ID: <20170308093017.GE26633@dhcp129-180.brq.redhat.com>

On Tue, Feb 28, 2017 at 01:29:50PM +0100, Martin Babinsky wrote:
>Hello list,
>
>I have put together a draft of design page describing server-side
>implementation of user short name -> fully-qualified name resolution.[1]
>
>In the end I have taken the liberty to change a few aspects of the design we
>have agreed on before and I will be glad if we can discuss them further.
>
>Me and Honza have discussed the object that should hold the domain resolution
>order and given the fact that IPA domain can also be a part of this list, we
>have decided that this information is no longer bound to trust configuration
>and should be a part of the global config instead.
>
>Also we have purposefully cut down the API only to a raw manipulation of the
>attribute using an option of `ipa config-mod`. The reasons for this are
>twofold:
>
> * the developer resources are quite scarce and it may be good to follow
>YAGNI[2] principle to implement the dumbest API now and not to invest into
>more high-level interface unless there is a demand for it
>
> * we can imagine that the manipulation of the domain resolution order is a
>rare operation (ideally only once all trusts are established), so I am not
>convinced that it is worth investing into designing higher-level API
>
>I propose we first develop the "dumber" parts first to unblock the SSSD part.
>If we have spare cycle afterwards then we can design and implement more
>bells-and-whistles afterwards.
>
>[1] https://www.freeipa.org/page/V4/AD_User_Short_Names
>[2] https://en.wikipedia.org/wiki/You_aren%27t_gonna_need_it
>
>--
>Martin^3 Babinsky
>
>--
>Manage your subscription for the Freeipa-devel mailing list:
>https://www.redhat.com/mailman/listinfo/freeipa-devel
>Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

I have updated the design page[1] and incorporated most of the comments from all reviewers. The most dramatic change is that I have expanded the discussion by the possibility for overriding global domain resolution order by ID view-specific settings. I have also expanded How-To section accordingly.

Please try to review and comment during today as the window for development is quickly closing.

[1] http://www.freeipa.org/page/V4/AD_User_Short_Names

--
Martin Babinsky

From freeipa-github-notification at redhat.com Wed Mar 8 09:47:41 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 08 Mar 2017 10:47:41 +0100 Subject: [Freeipa-devel] [freeipa PR#542][comment] Implementation independent interface for CSR generation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/542 Title: #542: Implementation independent interface for CSR generation

HonzaCholasta commented:
"""
I would rather make things simple and remove the abstraction. We can support NSS databases by PKCS#12 export/import until we have first-class support:

1. generate private key and temporary cert in the NSS database: `certutil -S ...`
2. export the private key from the NSS database into a temporary PKCS#12 file: `pk12util -o key.p12 ...`
3. delete the temporary cert from the NSS database: `certutil -D ...`
4. extract the private key from the temporary PKCS#12 file into a temporary PKCS#8 file: `openssl pkcs12 -in key.p12 -nocerts -out key.pem ...`
5. delete the temporary PKCS#12 file
6. request a certificate using the OpenSSL workflow on the temporary PKCS#8 file
7. import the certificate into the NSS database

Granted, this won't work with HSMs, but I think that's OK, given it is only a temporary solution.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/542#issuecomment-284995622

From jcholast at redhat.com Wed Mar 8 10:02:15 2017
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 8 Mar 2017 11:02:15 +0100 Subject: [Freeipa-devel] Please review: V4/AD user short names design draft In-Reply-To: <20170308093017.GE26633@dhcp129-180.brq.redhat.com> References: <92623f03-bb8c-9931-ff54-3024bdb3077d@redhat.com> <20170308093017.GE26633@dhcp129-180.brq.redhat.com> Message-ID: <2c451882-0bdb-0b30-e8ce-7b7ed146889e@redhat.com>

On 8.3.2017 10:30, Martin Babinsky wrote:
> On Tue, Feb 28, 2017 at 01:29:50PM +0100, Martin Babinsky wrote:
>> Hello list,
>>
>> I have put together a draft of design page describing server-side
>> implementation of user short name -> fully-qualified name resolution.[1]
>>
>> In the end I have taken the liberty to change a few aspects of the design we
>> have agreed on before and I will be glad if we can discuss them further.
>>
>> Me and Honza have discussed the object that should hold the domain resolution
>> order and given the fact that IPA domain can also be a part of this list, we
>> have decided that this information is no longer bound to trust configuration
>> and should be a part of the global config instead.
>>
>> Also we have purposefully cut down the API only to a raw manipulation of the
>> attribute using an option of `ipa config-mod`. The reasons for this are
>> twofold:
>>
>> * the developer resources are quite scarce and it may be good to follow
>> YAGNI[2] principle to implement the dumbest API now and not to invest into
>> more high-level interface unless there is a demand for it
>>
>> * we can imagine that the manipulation of the domain resolution order is a
>> rare operation (ideally only once all trusts are established), so I am not
>> convinced that it is worth investing into designing higher-level API
>>
>> I propose we first develop the "dumber" parts first to unblock the SSSD part.
>> If we have spare cycle afterwards then we can design and implement more
>> bells-and-whistles afterwards.
>>
>> [1] https://www.freeipa.org/page/V4/AD_User_Short_Names
>> [2] https://en.wikipedia.org/wiki/You_aren%27t_gonna_need_it
>>
>> --
>> Martin^3 Babinsky
>>
>> --
>> Manage your subscription for the Freeipa-devel mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
>
> I have updated the design page[1] and incorporated most of the comments from all
> reviewers. The most dramatic change is that I have expanded the discussion by
> the possibility for overriding global domain resolution order by ID
> view-specific settings. I have also expanded How-To section accordingly.
>
> Please try to review and comment during today as the window for development is
> quickly closing.

LGTM.

>
> [1] http://www.freeipa.org/page/V4/AD_User_Short_Names
>

--
Jan Cholasta

From freeipa-github-notification at redhat.com Wed Mar 8 10:16:17 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 08 Mar 2017 11:16:17 +0100 Subject: [Freeipa-devel] [freeipa PR#492][synchronized] [WIP] config: remove meaningless defaults In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/492 Author: HonzaCholasta Title: #492: [WIP] config: remove meaningless defaults Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/492/head:pr492 git checkout pr492 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-492.patch Type: text/x-diff Size: 21617 bytes Desc: not available URL:
From freeipa-github-notification at redhat.com Wed Mar 8 10:17:36 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 08 Mar 2017 11:17:36 +0100 Subject: [Freeipa-devel] [freeipa PR#490][edited] [WIP] certdb: use certutil and match_hostname for cert verification In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/490 Author: HonzaCholasta Title: #490: [WIP] certdb: use certutil and match_hostname for cert verification Action: edited Changed field: title Original value: """ [WIP] certdb: use certutil and match_hostname for cert verification """ From freeipa-github-notification at redhat.com Wed Mar 8 10:18:06 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 08 Mar 2017 11:18:06 +0100 Subject: [Freeipa-devel] [freeipa PR#490][comment] certdb: use certutil and match_hostname for cert verification In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/490 Title: #490: certdb: use certutil and match_hostname for cert verification HonzaCholasta commented: """ I think this PR is ready now. """ See the full comment at https://github.com/freeipa/freeipa/pull/490#issuecomment-285002490 From freeipa-github-notification at redhat.com Wed Mar 8 10:20:42 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 08 Mar 2017 11:20:42 +0100 Subject: [Freeipa-devel] [freeipa PR#492][comment] [WIP] config: remove meaningless defaults In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/492 Title: #492: [WIP] config: remove meaningless defaults HonzaCholasta commented: """ I took the hard way and removed the URI argument from `ldap2.__init__()`. """ See the full comment at https://github.com/freeipa/freeipa/pull/492#issuecomment-285003106 From freeipa-github-notification at redhat.com Wed Mar 8 10:45:43 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 08 Mar 2017 11:45:43 +0100 Subject: [Freeipa-devel] [freeipa PR#551][opened] config: re-add `init_config` and `config` Message-ID: URL: https://github.com/freeipa/freeipa/pull/551 Author: HonzaCholasta Title: #551: config: re-add `init_config` and `config` Action: opened PR body: """ Re-add `init_config` and `config` to `ipapython.config`, because they are used by Ipsilon (see https://pagure.io/ipsilon/issue/265). This partially reverts commit 7b966e8577fdb56f069cf26a6ab4d6c77b8743b9. https://pagure.io/freeipa/issue/6707 This supersedes PR #515. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/551/head:pr551 git checkout pr551 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-551.patch Type: text/x-diff Size: 6197 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 8 11:24:35 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Wed, 08 Mar 2017 12:24:35 +0100 Subject: [Freeipa-devel] [freeipa PR#331][synchronized] WebUI: don't change casing of Auth Indicators values In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/331 Author: pvomacka Title: #331: WebUI: don't change casing of Auth Indicators values Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/331/head:pr331 git checkout pr331 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-331.patch Type: text/x-diff Size: 4377 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 8 11:24:40 2017 
From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 08 Mar 2017 12:24:40 +0100 Subject: [Freeipa-devel] [freeipa PR#420][synchronized] Allow login to WebUI using Kerberos aliases/enterprise principals In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/420 Author: martbab Title: #420: Allow login to WebUI using Kerberos aliases/enterprise principals Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/420/head:pr420 git checkout pr420 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-420.patch Type: text/x-diff Size: 5507 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 8 11:41:58 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 08 Mar 2017 12:41:58 +0100 Subject: [Freeipa-devel] [freeipa PR#548][synchronized] ipa-server-install: add --setup-kra option In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/548 Author: MartinBasti Title: #548: ipa-server-install: add --setup-kra option Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/548/head:pr548 git checkout pr548 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-548.patch Type: text/x-diff Size: 7053 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 8 11:45:11 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 08 Mar 2017 12:45:11 +0100 Subject: [Freeipa-devel] [freeipa PR#548][comment] ipa-server-install: add --setup-kra option In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/548 Title: #548: ipa-server-install: add --setup-kra option MartinBasti commented: """ Given that there is no time, I dropped commit you NACKed as it is unneeded for this PR, but please note my disagreement about a way how `kra.py` handles `--setup-kra` option for the future release. """ See the full comment at https://github.com/freeipa/freeipa/pull/548#issuecomment-285020252 From freeipa-github-notification at redhat.com Wed Mar 8 11:52:31 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 08 Mar 2017 12:52:31 +0100 Subject: [Freeipa-devel] [freeipa PR#552][opened] man: add missing --setup-adtrust option to manpage Message-ID: URL: https://github.com/freeipa/freeipa/pull/552 Author: MartinBasti Title: #552: man: add missing --setup-adtrust option to manpage Action: opened PR body: """ ipa-server-install and ipa-replica-install manpages miss --setup-adtrust options https://pagure.io/freeipa/issue/6630 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/552/head:pr552 git checkout pr552 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-552.patch Type: text/x-diff Size: 1638 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 8 11:57:37 2017 
From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 08 Mar 2017 12:57:37 +0100 Subject: [Freeipa-devel] [freeipa PR#552][+ack] man: add missing --setup-adtrust option to manpage In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/552 Title: #552: man: add missing --setup-adtrust option to manpage Label: +ack From freeipa-github-notification at redhat.com Wed Mar 8 11:58:21 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 08 Mar 2017 12:58:21 +0100 Subject: [Freeipa-devel] [freeipa PR#552][+pushed] man: add missing --setup-adtrust option to manpage In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/552 Title: #552: man: add missing --setup-adtrust option to manpage Label: +pushed From freeipa-github-notification at redhat.com Wed Mar 8 11:58:22 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 08 Mar 2017 12:58:22 +0100 Subject: [Freeipa-devel] [freeipa PR#552][comment] man: add missing --setup-adtrust option to manpage In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/552 Title: #552: man: add missing --setup-adtrust option to manpage martbab commented: """ master: * 6c95f33d37a2c346fc56d9890d594f1e40029c77 man: add missing --setup-adtrust option to manpage """ See the full comment at https://github.com/freeipa/freeipa/pull/552#issuecomment-285022594 From freeipa-github-notification at redhat.com Wed Mar 8 11:58:25 2017 
From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 08 Mar 2017 12:58:25 +0100 Subject: [Freeipa-devel] [freeipa PR#552][closed] man: add missing --setup-adtrust option to manpage In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/552 Author: MartinBasti Title: #552: man: add missing --setup-adtrust option to manpage Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/552/head:pr552 git checkout pr552 From freeipa-github-notification at redhat.com Wed Mar 8 12:11:10 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 08 Mar 2017 13:11:10 +0100 Subject: [Freeipa-devel] [freeipa PR#553][opened] Add check for removing last KRA server Message-ID: URL: https://github.com/freeipa/freeipa/pull/553 Author: stlaz Title: #553: Add check for removing last KRA server Action: opened PR body: """ This patchset adds a check for removal of a last KRA server + adds a message about there only being one KRA to WebUI. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/553/head:pr553 git checkout pr553 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-553.patch Type: text/x-diff Size: 6619 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 8 12:11:36 2017 
From: freeipa-github-notification at redhat.com (pvomacka) Date: Wed, 08 Mar 2017 13:11:36 +0100 Subject: [Freeipa-devel] [freeipa PR#300][synchronized] WebUI: Add support for custom table pagination size In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/300 Author: pvomacka Title: #300: WebUI: Add support for custom table pagination size Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/300/head:pr300 git checkout pr300 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-300.patch Type: text/x-diff Size: 13614 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 8 12:12:07 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Wed, 08 Mar 2017 13:12:07 +0100 Subject: [Freeipa-devel] [freeipa PR#300][comment] WebUI: Add support for custom table pagination size In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/300 Title: #300: WebUI: Add support for custom table pagination size pvomacka commented: """ @pvoborni Thank you for review. Proposed changes fixed. """ See the full comment at https://github.com/freeipa/freeipa/pull/300#issuecomment-285025154 From freeipa-github-notification at redhat.com Wed Mar 8 12:13:51 2017 
From: freeipa-github-notification at redhat.com (pvomacka) Date: Wed, 08 Mar 2017 13:13:51 +0100 Subject: [Freeipa-devel] [freeipa PR#549][synchronized] WebUI: certmap match In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/549 Author: pvomacka Title: #549: WebUI: certmap match Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/549/head:pr549 git checkout pr549 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-549.patch Type: text/x-diff Size: 23696 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 8 12:15:00 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Wed, 08 Mar 2017 13:15:00 +0100 Subject: [Freeipa-devel] [freeipa PR#549][comment] WebUI: certmap match In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/549 Title: #549: WebUI: certmap match pvomacka commented: """ In last sync I changed string of clear button title. """ See the full comment at https://github.com/freeipa/freeipa/pull/549#issuecomment-285025740 From freeipa-github-notification at redhat.com Wed Mar 8 12:44:19 2017 
From: freeipa-github-notification at redhat.com (flo-renaud) Date: Wed, 08 Mar 2017 13:44:19 +0100 Subject: [Freeipa-devel] [freeipa PR#516][synchronized] IdM Server: list all Employees with matching Smart Card In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/516 Author: flo-renaud Title: #516: IdM Server: list all Employees with matching Smart Card Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/516/head:pr516 git checkout pr516 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-516.patch Type: text/x-diff Size: 8962 bytes Desc: not available URL:
From freeipa-github-notification at redhat.com Wed Mar 8 12:45:46 2017
From: freeipa-github-notification at redhat.com (flo-renaud) Date: Wed, 08 Mar 2017 13:45:46 +0100 Subject: [Freeipa-devel] [freeipa PR#516][comment] IdM Server: list all Employees with matching Smart Card In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/516 Title: #516: IdM Server: list all Employees with matching Smart Card

flo-renaud commented:
"""
@dkupka I added the following explanation in the doc for certmap_match:

"""
Search for users matching the provided certificate.

This command relies on SSSD to retrieve the list of matching users and may return cached data. For more information on purging SSSD cache, please refer to sss_cache documentation.
"""
"""

See the full comment at https://github.com/freeipa/freeipa/pull/516#issuecomment-285031435

From freeipa-github-notification at redhat.com Wed Mar 8 12:51:19 2017
From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 08 Mar 2017 13:51:19 +0100 Subject: [Freeipa-devel] [freeipa PR#553][comment] Add check for removing last KRA server In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/553 Title: #553: Add check for removing last KRA server stlaz commented: """ Hm, I forgot that KRA is the only IPA component that has a standalone uninstaller, this is therefore only a partial fix. """ See the full comment at https://github.com/freeipa/freeipa/pull/553#issuecomment-285032496 From freeipa-github-notification at redhat.com Wed Mar 8 12:54:44 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 08 Mar 2017 13:54:44 +0100 Subject: [Freeipa-devel] [freeipa PR#553][comment] Add check for removing last KRA server In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/553 Title: #553: Add check for removing last KRA server MartinBasti commented: """ @stlaz I wrote it to ticket """ See the full comment at https://github.com/freeipa/freeipa/pull/553#issuecomment-285033127 From freeipa-github-notification at redhat.com Wed Mar 8 13:22:44 2017 From: freeipa-github-notification at redhat.com (pvoborni) Date: Wed, 08 Mar 2017 14:22:44 +0100 Subject: [Freeipa-devel] [freeipa PR#300][+ack] WebUI: Add support for custom table pagination size In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/300 Title: #300: WebUI: Add support for custom table pagination size Label: +ack From freeipa-github-notification at redhat.com Wed Mar 8 13:41:13 2017 
From: freeipa-github-notification at redhat.com (pvoborni) Date: Wed, 08 Mar 2017 14:41:13 +0100 Subject: [Freeipa-devel] [freeipa PR#554][opened] webui: fixes normalization of value in attributes widget Message-ID: URL: https://github.com/freeipa/freeipa/pull/554 Author: pvoborni Title: #554: webui: fixes normalization of value in attributes widget Action: opened

PR body:
"""
Fix is in checkboxes widget but the only affected one is attributes widget.

Reproduction:
1. Add permission with attribute with uppercase character
   $ ipa permission-add aa_test --type=stageuser --attrs=businessCategory --right=read
2. Check if it is correctly displayed in Web UI

Actual result:
- businesscategory is not checked

Expected result:
- businesscategory is checked
"""

To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/554/head:pr554 git checkout pr554 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-554.patch Type: text/x-diff Size: 1146 bytes Desc: not available URL:
From freeipa-github-notification at redhat.com Wed Mar 8 13:42:18 2017
From: freeipa-github-notification at redhat.com (pvoborni) Date: Wed, 08 Mar 2017 14:42:18 +0100 Subject: [Freeipa-devel] [freeipa PR#331][comment] WebUI: don't change casing of Auth Indicators values In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/331 Title: #331: WebUI: don't change casing of Auth Indicators values

pvoborni commented:
"""
ACK but I've found out that the change is not enough because of existing bug. See pr #554
"""

See the full comment at https://github.com/freeipa/freeipa/pull/331#issuecomment-285043268

From freeipa-github-notification at redhat.com Wed Mar 8 13:42:27 2017
From: freeipa-github-notification at redhat.com (pvoborni) Date: Wed, 08 Mar 2017 14:42:27 +0100 Subject: [Freeipa-devel] [freeipa PR#331][+ack] WebUI: don't change casing of Auth Indicators values In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/331 Title: #331: WebUI: don't change casing of Auth Indicators values Label: +ack From freeipa-github-notification at redhat.com Wed Mar 8 13:48:32 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 08 Mar 2017 14:48:32 +0100 Subject: [Freeipa-devel] [freeipa PR#553][synchronized] Add check for removing last KRA server In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/553 Author: stlaz Title: #553: Add check for removing last KRA server Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/553/head:pr553 git checkout pr553 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-553.patch Type: text/x-diff Size: 11760 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 8 13:49:06 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 08 Mar 2017 14:49:06 +0100 Subject: [Freeipa-devel] [freeipa PR#553][comment] Add check for removing last KRA server In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/553 Title: #553: Add check for removing last KRA server stlaz commented: """ @MartinBasti ah, sorry, I completely overlooked it. The current PR version implements your suggestion. """ See the full comment at https://github.com/freeipa/freeipa/pull/553#issuecomment-285044830 From freeipa-github-notification at redhat.com Wed Mar 8 13:50:04 2017 
From: freeipa-github-notification at redhat.com (pvoborni) Date: Wed, 08 Mar 2017 14:50:04 +0100 Subject: [Freeipa-devel] [freeipa PR#310][+postponed] WIP: CLI testing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/310 Title: #310: WIP: CLI testing Label: +postponed From freeipa-github-notification at redhat.com Wed Mar 8 13:50:11 2017 From: freeipa-github-notification at redhat.com (pvoborni) Date: Wed, 08 Mar 2017 14:50:11 +0100 Subject: [Freeipa-devel] [freeipa PR#310][comment] WIP: CLI testing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/310 Title: #310: WIP: CLI testing pvoborni commented: """ Marking as postponed. We cannot expect the changes to be addressed by @mirielka any time soon. And CLI testing might need design discussion. """ See the full comment at https://github.com/freeipa/freeipa/pull/310#issuecomment-285045089 From freeipa-github-notification at redhat.com Wed Mar 8 13:55:16 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 08 Mar 2017 14:55:16 +0100 Subject: [Freeipa-devel] [freeipa PR#300][+pushed] WebUI: Add support for custom table pagination size In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/300 Title: #300: WebUI: Add support for custom table pagination size Label: +pushed From freeipa-github-notification at redhat.com Wed Mar 8 13:55:18 2017 
From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 08 Mar 2017 14:55:18 +0100 Subject: [Freeipa-devel] [freeipa PR#300][comment] WebUI: Add support for custom table pagination size In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/300 Title: #300: WebUI: Add support for custom table pagination size martbab commented: """ master: * 7b699105a52d4d8c26a73044ba182d752b4a9833 Add javascript integer validator * f78cc8932626de667c6e3a4461141a10a5d9c2e6 Make singleton from config module * e1dfc51e48050ac1ad431d56003dc26e17ca653e Add support for custom table pagination size """ See the full comment at https://github.com/freeipa/freeipa/pull/300#issuecomment-285046345 From freeipa-github-notification at redhat.com Wed Mar 8 13:55:21 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 08 Mar 2017 14:55:21 +0100 Subject: [Freeipa-devel] [freeipa PR#300][closed] WebUI: Add support for custom table pagination size In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/300 Author: pvomacka Title: #300: WebUI: Add support for custom table pagination size Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/300/head:pr300 git checkout pr300 From freeipa-github-notification at redhat.com Wed Mar 8 14:05:26 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 08 Mar 2017 15:05:26 +0100 Subject: [Freeipa-devel] [freeipa PR#397][comment] Improve wheel building and provide ipaserver wheel for local testing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/397 Title: #397: Improve wheel building and provide ipaserver wheel for local testing MartinBasti commented: """ needs rebase """ See the full comment at https://github.com/freeipa/freeipa/pull/397#issuecomment-285048889 From freeipa-github-notification at redhat.com Wed Mar 8 14:08:28 2017 
From: freeipa-github-notification at redhat.com (dkupka)
Date: Wed, 08 Mar 2017 15:08:28 +0100
Subject: [Freeipa-devel] [freeipa PR#516][comment] IdM Server: list all Employees with matching Smart Card
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/516
Title: #516: IdM Server: list all Employees with matching Smart Card

dkupka commented:
"""
@flo-renaud Thank you.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/516#issuecomment-285049667

From freeipa-github-notification at redhat.com Wed Mar 8 14:08:35 2017
From: freeipa-github-notification at redhat.com (dkupka)
Date: Wed, 08 Mar 2017 15:08:35 +0100
Subject: [Freeipa-devel] [freeipa PR#516][+ack] IdM Server: list all Employees with matching Smart Card
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/516
Title: #516: IdM Server: list all Employees with matching Smart Card
Label: +ack

From freeipa-github-notification at redhat.com Wed Mar 8 14:09:03 2017
From: freeipa-github-notification at redhat.com (dkupka)
Date: Wed, 08 Mar 2017 15:09:03 +0100
Subject: [Freeipa-devel] [freeipa PR#516][+pushed] IdM Server: list all Employees with matching Smart Card
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/516
Title: #516: IdM Server: list all Employees with matching Smart Card
Label: +pushed

From freeipa-github-notification at redhat.com Wed Mar 8 14:09:04 2017
From: freeipa-github-notification at redhat.com (dkupka)
Date: Wed, 08 Mar 2017 15:09:04 +0100
Subject: [Freeipa-devel] [freeipa PR#516][comment] IdM Server: list all Employees with matching Smart Card
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/516
Title: #516: IdM Server: list all Employees with matching Smart Card

dkupka commented:
"""
master:
* ea34e17a46a60efb9c4dc81dab919a1639dec73b IdM Server: list all Employees with matching Smart Card
"""

See the full comment at https://github.com/freeipa/freeipa/pull/516#issuecomment-285049801

From freeipa-github-notification at redhat.com Wed Mar 8 14:09:06 2017
From: freeipa-github-notification at redhat.com (dkupka)
Date: Wed, 08 Mar 2017 15:09:06 +0100
Subject: [Freeipa-devel] [freeipa PR#516][closed] IdM Server: list all Employees with matching Smart Card
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/516
Author: flo-renaud
Title: #516: IdM Server: list all Employees with matching Smart Card
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/516/head:pr516
git checkout pr516

From freeipa-github-notification at redhat.com Wed Mar 8 14:11:30 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 08 Mar 2017 15:11:30 +0100
Subject: [Freeipa-devel] [freeipa PR#553][comment] Add check for removing last KRA server
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/553
Title: #553: Add check for removing last KRA server

MartinBasti commented:
"""
Please create a separate commit for KRA Uninstall
"""

See the full comment at https://github.com/freeipa/freeipa/pull/553#issuecomment-285050412

From freeipa-github-notification at redhat.com Wed Mar 8 14:25:33 2017
From: freeipa-github-notification at redhat.com (pvomacka)
Date: Wed, 08 Mar 2017 15:25:33 +0100
Subject: [Freeipa-devel] [freeipa PR#554][+ack] webui: fixes normalization of value in attributes widget
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/554
Title: #554: webui: fixes normalization of value in attributes widget
Label: +ack

From freeipa-github-notification at redhat.com Wed Mar 8 14:29:17 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 08 Mar 2017 15:29:17 +0100
Subject: [Freeipa-devel] [freeipa PR#505][+ack] dns: fix `dnsrecord_add` interactive mode
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/505
Title: #505: dns: fix `dnsrecord_add` interactive mode
Label: +ack

From freeipa-github-notification at redhat.com Wed Mar 8 14:40:05 2017
From: freeipa-github-notification at redhat.com (abbra)
Date: Wed, 08 Mar 2017 15:40:05 +0100
Subject: [Freeipa-devel] [freeipa PR#420][comment] Allow login to WebUI using Kerberos aliases/enterprise principals
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/420
Title: #420: Allow login to WebUI using Kerberos aliases/enterprise principals

abbra commented:
"""
Thanks. LGTM and works for me with IPA user, IPA host principal, and AD user. The latter cannot yet actually use Web UI but that is a separate PR.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/420#issuecomment-285058056

From freeipa-github-notification at redhat.com Wed Mar 8 14:40:31 2017
From: freeipa-github-notification at redhat.com (abbra)
Date: Wed, 08 Mar 2017 15:40:31 +0100
Subject: [Freeipa-devel] [freeipa PR#420][+ack] Allow login to WebUI using Kerberos aliases/enterprise principals
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/420
Title: #420: Allow login to WebUI using Kerberos aliases/enterprise principals
Label: +ack

From freeipa-github-notification at redhat.com Wed Mar 8 14:41:45 2017
From: freeipa-github-notification at redhat.com (dkupka)
Date: Wed, 08 Mar 2017 15:41:45 +0100
Subject: [Freeipa-devel] [freeipa PR#554][+pushed] webui: fixes normalization of value in attributes widget
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/554
Title: #554: webui: fixes normalization of value in attributes widget
Label: +pushed

From freeipa-github-notification at redhat.com Wed Mar 8 14:41:46 2017
From: freeipa-github-notification at redhat.com (dkupka)
Date: Wed, 08 Mar 2017 15:41:46 +0100
Subject: [Freeipa-devel] [freeipa PR#554][comment] webui: fixes normalization of value in attributes widget
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/554
Title: #554: webui: fixes normalization of value in attributes widget

dkupka commented:
"""
master:
* 56a2642af0a29328df4defef138b9fa65624335a webui: fixes normalization of value in attributes widget
"""

See the full comment at https://github.com/freeipa/freeipa/pull/554#issuecomment-285058484

From freeipa-github-notification at redhat.com Wed Mar 8 14:41:48 2017
From: freeipa-github-notification at redhat.com (dkupka)
Date: Wed, 08 Mar 2017 15:41:48 +0100
Subject: [Freeipa-devel] [freeipa PR#554][closed] webui: fixes normalization of value in attributes widget
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/554
Author: pvoborni
Title: #554: webui: fixes normalization of value in attributes widget
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/554/head:pr554
git checkout pr554

From freeipa-github-notification at redhat.com Wed Mar 8 14:43:36 2017
From: freeipa-github-notification at redhat.com (dkupka)
Date: Wed, 08 Mar 2017 15:43:36 +0100
Subject: [Freeipa-devel] [freeipa PR#331][+pushed] WebUI: don't change casing of Auth Indicators values
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/331
Title: #331: WebUI: don't change casing of Auth Indicators values
Label: +pushed

From freeipa-github-notification at redhat.com Wed Mar 8 14:43:38 2017
From: freeipa-github-notification at redhat.com (dkupka)
Date: Wed, 08 Mar 2017 15:43:38 +0100
Subject: [Freeipa-devel] [freeipa PR#331][comment] WebUI: don't change casing of Auth Indicators values
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/331
Title: #331: WebUI: don't change casing of Auth Indicators values

dkupka commented:
"""
master:
* 0220fc8986e4fef017185bde675dc9cf0f90afd8 WebUI: Allow disabling lowering text in custom_checkbox_widget
* ad3451067ad474ea52872913d6789b1652f9a9c4 WebUI: don't change casing of Auth Indicators values
"""

See the full comment at https://github.com/freeipa/freeipa/pull/331#issuecomment-285058994

From freeipa-github-notification at redhat.com Wed Mar 8 14:43:40 2017
From: freeipa-github-notification at redhat.com (dkupka)
Date: Wed, 08 Mar 2017 15:43:40 +0100
Subject: [Freeipa-devel] [freeipa PR#331][closed] WebUI: don't change casing of Auth Indicators values
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/331
Author: pvomacka
Title: #331: WebUI: don't change casing of Auth Indicators values
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/331/head:pr331
git checkout pr331

From freeipa-github-notification at redhat.com Wed Mar 8 14:43:48 2017
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Wed, 08 Mar 2017 15:43:48 +0100
Subject: [Freeipa-devel] [freeipa PR#548][+ack] ipa-server-install: add --setup-kra option
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/548
Title: #548: ipa-server-install: add --setup-kra option
Label: +ack

From freeipa-github-notification at redhat.com Wed Mar 8 14:50:58 2017
From: freeipa-github-notification at redhat.com (dkupka)
Date: Wed, 08 Mar 2017 15:50:58 +0100
Subject: [Freeipa-devel] [freeipa PR#548][+pushed] ipa-server-install: add --setup-kra option
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/548
Title: #548: ipa-server-install: add --setup-kra option
Label: +pushed

From freeipa-github-notification at redhat.com Wed Mar 8 14:50:59 2017
From: freeipa-github-notification at redhat.com (dkupka)
Date: Wed, 08 Mar 2017 15:50:59 +0100
Subject: [Freeipa-devel] [freeipa PR#548][comment] ipa-server-install: add --setup-kra option
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/548
Title: #548: ipa-server-install: add --setup-kra option

dkupka commented:
"""
master:
* 4006cbbc02c368ac9e5e3721613158decb34fd37 KRA: add --setup-kra to ipa-server-install
* 25fa2bb6c9fa1b498330b13c9a6116b646eb75ba tests: use --setup-kra in tests
"""

See the full comment at https://github.com/freeipa/freeipa/pull/548#issuecomment-285061152

From freeipa-github-notification at redhat.com Wed Mar 8 14:51:01 2017
From: freeipa-github-notification at redhat.com (dkupka)
Date: Wed, 08 Mar 2017 15:51:01 +0100
Subject: [Freeipa-devel] [freeipa PR#548][closed] ipa-server-install: add --setup-kra option
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/548
Author: MartinBasti
Title: #548: ipa-server-install: add --setup-kra option
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/548/head:pr548
git checkout pr548

From freeipa-github-notification at redhat.com Wed Mar 8 14:51:21 2017
From: freeipa-github-notification at redhat.com (pvomacka)
Date: Wed, 08 Mar 2017 15:51:21 +0100
Subject: [Freeipa-devel] [freeipa PR#549][synchronized] WebUI: certmap match
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/549
Author: pvomacka
Title: #549: WebUI: certmap match
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/549/head:pr549
git checkout pr549
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-549.patch
Type: text/x-diff
Size: 23695 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Mar 8 14:52:22 2017
From: freeipa-github-notification at redhat.com (pvomacka)
Date: Wed, 08 Mar 2017 15:52:22 +0100
Subject: [Freeipa-devel] [freeipa PR#549][comment] WebUI: certmap match
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/549
Title: #549: WebUI: certmap match

pvomacka commented:
"""
@pvoborni Yes, we should make a lint rule for leading spaces.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/549#issuecomment-285061561

From freeipa-github-notification at redhat.com Wed Mar 8 14:53:07 2017
From: freeipa-github-notification at redhat.com (dkupka)
Date: Wed, 08 Mar 2017 15:53:07 +0100
Subject: [Freeipa-devel] [freeipa PR#505][+pushed] dns: fix `dnsrecord_add` interactive mode
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/505
Title: #505: dns: fix `dnsrecord_add` interactive mode
Label: +pushed

From freeipa-github-notification at redhat.com Wed Mar 8 14:53:09 2017
From: freeipa-github-notification at redhat.com (dkupka)
Date: Wed, 08 Mar 2017 15:53:09 +0100
Subject: [Freeipa-devel] [freeipa PR#505][comment] dns: fix `dnsrecord_add` interactive mode
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/505
Title: #505: dns: fix `dnsrecord_add` interactive mode

dkupka commented:
"""
master:
* 1e912f5b83166154806e0382f3f028d0eac81731 dns: fix `dnsrecord_add` interactive mode
"""

See the full comment at https://github.com/freeipa/freeipa/pull/505#issuecomment-285061777

From freeipa-github-notification at redhat.com Wed Mar 8 14:53:10 2017
From: freeipa-github-notification at redhat.com (dkupka)
Date: Wed, 08 Mar 2017 15:53:10 +0100
Subject: [Freeipa-devel] [freeipa PR#505][closed] dns: fix `dnsrecord_add` interactive mode
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/505
Author: HonzaCholasta
Title: #505: dns: fix `dnsrecord_add` interactive mode
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/505/head:pr505
git checkout pr505

From freeipa-github-notification at redhat.com Wed Mar 8 14:53:25 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 08 Mar 2017 15:53:25 +0100
Subject: [Freeipa-devel] [freeipa PR#534][+ack] Move csrgen templates into ipaclient package
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/534
Title: #534: Move csrgen templates into ipaclient package
Label: +ack

From freeipa-github-notification at redhat.com Wed Mar 8 14:56:19 2017
From: freeipa-github-notification at redhat.com (pvoborni)
Date: Wed, 08 Mar 2017 15:56:19 +0100
Subject: [Freeipa-devel] [freeipa PR#549][+ack] WebUI: certmap match
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/549
Title: #549: WebUI: certmap match
Label: +ack

From freeipa-github-notification at redhat.com Wed Mar 8 14:56:37 2017
From: freeipa-github-notification at redhat.com (dkupka)
Date: Wed, 08 Mar 2017 15:56:37 +0100
Subject: [Freeipa-devel] [freeipa PR#420][comment] Allow login to WebUI using Kerberos aliases/enterprise principals
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/420
Title: #420: Allow login to WebUI using Kerberos aliases/enterprise principals

dkupka commented:
"""
master:
* f8d7e37a091c1df4c989b80b8d19e12ab35533c8 Allow login to WebUI using Kerberos aliases/enterprise principals
"""

See the full comment at https://github.com/freeipa/freeipa/pull/420#issuecomment-285062778

From freeipa-github-notification at redhat.com Wed Mar 8 14:56:39 2017
From: freeipa-github-notification at redhat.com (dkupka)
Date: Wed, 08 Mar 2017 15:56:39 +0100
Subject: [Freeipa-devel] [freeipa PR#420][closed] Allow login to WebUI using Kerberos aliases/enterprise principals
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/420
Author: martbab
Title: #420: Allow login to WebUI using Kerberos aliases/enterprise principals
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/420/head:pr420
git checkout pr420

From freeipa-github-notification at redhat.com Wed Mar 8 14:56:40 2017
From: freeipa-github-notification at redhat.com (dkupka)
Date: Wed, 08 Mar 2017 15:56:40 +0100
Subject: [Freeipa-devel] [freeipa PR#420][+pushed] Allow login to WebUI using Kerberos aliases/enterprise principals
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/420
Title: #420: Allow login to WebUI using Kerberos aliases/enterprise principals
Label: +pushed

From freeipa-github-notification at redhat.com Wed Mar 8 14:57:05 2017
From: freeipa-github-notification at redhat.com (pvoborni)
Date: Wed, 08 Mar 2017 15:57:05 +0100
Subject: [Freeipa-devel] [freeipa PR#549][comment] WebUI: certmap match
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/549
Title: #549: WebUI: certmap match

pvoborni commented:
"""
But let's wait with pushing for travis, to be sure.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/549#issuecomment-285062900

From freeipa-github-notification at redhat.com Wed Mar 8 14:57:09 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Wed, 08 Mar 2017 15:57:09 +0100
Subject: [Freeipa-devel] [freeipa PR#535][comment] add whoami command
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/535
Title: #535: add whoami command

stlaz commented:
"""
I believe that in CLI `ipa whoami` should actually output the output of the command it found with the arguments and options it found since in WebUI this is eventually done as well. I can go ahead and try to implement it if we can agree on such behavior.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/535#issuecomment-285062912

From freeipa-github-notification at redhat.com Wed Mar 8 14:59:50 2017
From: freeipa-github-notification at redhat.com (dkupka)
Date: Wed, 08 Mar 2017 15:59:50 +0100
Subject: [Freeipa-devel] [freeipa PR#534][+pushed] Move csrgen templates into ipaclient package
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/534
Title: #534: Move csrgen templates into ipaclient package
Label: +pushed

From freeipa-github-notification at redhat.com Wed Mar 8 14:59:51 2017
From: freeipa-github-notification at redhat.com (dkupka)
Date: Wed, 08 Mar 2017 15:59:51 +0100
Subject: [Freeipa-devel] [freeipa PR#534][comment] Move csrgen templates into ipaclient package
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/534
Title: #534: Move csrgen templates into ipaclient package

dkupka commented:
"""
master:
* 80be18162921268be9c8981495c9e8a4de0c85cd Move csrgen templates into ipaclient package
* 177f07e163d6d591a1e609d35e0a6f6f5347551e Chain CSR generator file loaders
"""

See the full comment at https://github.com/freeipa/freeipa/pull/534#issuecomment-285063710

From freeipa-github-notification at redhat.com Wed Mar 8 14:59:53 2017
From: freeipa-github-notification at redhat.com (dkupka)
Date: Wed, 08 Mar 2017 15:59:53 +0100
Subject: [Freeipa-devel] [freeipa PR#534][closed] Move csrgen templates into ipaclient package
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/534
Author: tiran
Title: #534: Move csrgen templates into ipaclient package
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/534/head:pr534
git checkout pr534

From freeipa-github-notification at redhat.com Wed Mar 8 14:59:54 2017
From: freeipa-github-notification at redhat.com (abbra)
Date: Wed, 08 Mar 2017 15:59:54 +0100
Subject: [Freeipa-devel] [freeipa PR#535][comment] add whoami command
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/535
Title: #535: add whoami command

abbra commented:
"""
Uhm, no, I don't want that. It makes the command behaving differently depending on a context and that would be broken. For client-side plugin that would also be an abuse of interface, I'd say.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/535#issuecomment-285063732

From freeipa-github-notification at redhat.com Wed Mar 8 15:04:25 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 08 Mar 2017 16:04:25 +0100
Subject: [Freeipa-devel] [freeipa PR#551][comment] config: re-add `init_config` and `config`
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/551
Title: #551: config: re-add `init_config` and `config`

MartinBasti commented:
"""
Works for me I was able to install Ipsilon using this: https://ipsilon-project.org/doc/quickstart-ipa.html
"""

See the full comment at https://github.com/freeipa/freeipa/pull/551#issuecomment-285065144

From freeipa-github-notification at redhat.com Wed Mar 8 15:04:50 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 08 Mar 2017 16:04:50 +0100
Subject: [Freeipa-devel] [freeipa PR#551][+ack] config: re-add `init_config` and `config`
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/551
Title: #551: config: re-add `init_config` and `config`
Label: +ack

From freeipa-github-notification at redhat.com Wed Mar 8 15:09:00 2017
From: freeipa-github-notification at redhat.com (dkupka)
Date: Wed, 08 Mar 2017 16:09:00 +0100
Subject: [Freeipa-devel] [freeipa PR#551][+pushed] config: re-add `init_config` and `config`
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/551
Title: #551: config: re-add `init_config` and `config`
Label: +pushed

From freeipa-github-notification at redhat.com Wed Mar 8 15:09:02 2017
From: freeipa-github-notification at redhat.com (dkupka)
Date: Wed, 08 Mar 2017 16:09:02 +0100
Subject: [Freeipa-devel] [freeipa PR#551][comment] config: re-add `init_config` and `config`
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/551
Title: #551: config: re-add `init_config` and `config`

dkupka commented:
"""
master:
* 0c7ca279c78bc23d45582e92bb1638865ec3059e config: re-add `init_config` and `config`
"""

See the full comment at https://github.com/freeipa/freeipa/pull/551#issuecomment-285066448

From freeipa-github-notification at redhat.com Wed Mar 8 15:09:11 2017
From: freeipa-github-notification at redhat.com (dkupka)
Date: Wed, 08 Mar 2017 16:09:11 +0100
Subject: [Freeipa-devel] [freeipa PR#551][closed] config: re-add `init_config` and `config`
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/551
Author: HonzaCholasta
Title: #551: config: re-add `init_config` and `config`
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/551/head:pr551
git checkout pr551

From freeipa-github-notification at redhat.com Wed Mar 8 15:22:41 2017
From: freeipa-github-notification at redhat.com (dkupka)
Date: Wed, 08 Mar 2017 16:22:41 +0100
Subject: [Freeipa-devel] [freeipa PR#549][+pushed] WebUI: certmap match
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/549
Title: #549: WebUI: certmap match
Label: +pushed

From freeipa-github-notification at redhat.com Wed Mar 8 15:22:42 2017
From: freeipa-github-notification at redhat.com (dkupka)
Date: Wed, 08 Mar 2017 16:22:42 +0100
Subject: [Freeipa-devel] [freeipa PR#549][closed] WebUI: certmap match
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/549
Author: pvomacka
Title: #549: WebUI: certmap match
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/549/head:pr549
git checkout pr549

From freeipa-github-notification at redhat.com Wed Mar 8 15:22:44 2017
From: freeipa-github-notification at redhat.com (dkupka)
Date: Wed, 08 Mar 2017 16:22:44 +0100
Subject: [Freeipa-devel] [freeipa PR#549][comment] WebUI: certmap match
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/549
Title: #549: WebUI: certmap match

dkupka commented:
"""
master:
* 6be32edde0ae16473d4d109747adae78f9d725e4 WebUI: Add possibility to turn of autoload when details.load is called
* 1d6cc35c03669ea67d9e9ee9ca0ff62401d1b157 WebUI: Possibility to choose object when API call returns list of objects
* 358caa7da44c997b505f54ec70cb6be58d188751 WebUI: Add Adapter for certmap_match result table
* 61cd4372e142662c06c881886709fe1b573102a9 WebUI: Add cermapmatch module
"""

See the full comment at https://github.com/freeipa/freeipa/pull/549#issuecomment-285070442

From freeipa-github-notification at redhat.com Wed Mar 8 15:23:41 2017
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 08 Mar 2017 16:23:41 +0100
Subject: [Freeipa-devel] [freeipa PR#555][opened] ipa-managed-entries: use server-mode API
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/555
Author: martbab
Title: #555: ipa-managed-entries: use server-mode API
Action: opened

PR body:
"""
During LDAP connection management refactoring the ad-hoc ldap connection in `ipa-managed-entries` was replaced by calls to ldap2 backend without updating API initialization. https://pagure.io/freeipa/issue/6735
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/555/head:pr555
git checkout pr555
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-555.patch
Type: text/x-diff
Size: 1157 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Mar 8 15:32:02 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Wed, 08 Mar 2017 16:32:02 +0100
Subject: [Freeipa-devel] [freeipa PR#535][comment] add whoami command
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/535
Title: #535: add whoami command

stlaz commented:
"""
Ok. It just doesn't seem right to have a command which shows something that's not immediately useful to the user. I am not sure whether we should have it enabled for CLI.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/535#issuecomment-285073261

From freeipa-github-notification at redhat.com Wed Mar 8 15:44:03 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Wed, 08 Mar 2017 16:44:03 +0100
Subject: [Freeipa-devel] [freeipa PR#553][synchronized] Add check for removing last KRA server
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/553
Author: stlaz
Title: #553: Add check for removing last KRA server
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/553/head:pr553
git checkout pr553
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-553.patch
Type: text/x-diff
Size: 6619 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Mar 8 15:44:25 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Wed, 08 Mar 2017 16:44:25 +0100
Subject: [Freeipa-devel] [freeipa PR#556][opened] Don't allow standalone KRA uninstalls
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/556
Author: stlaz
Title: #556: Don't allow standalone KRA uninstalls
Action: opened

PR body:
"""
KRA uninstallation is very likely to break the user's setup. Don't allow it at least till we can be safely sure we are able to remove it in a standalone manner without breaking anything. https://pagure.io/freeipa/issue/6538
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/556/head:pr556
git checkout pr556
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-556.patch
Type: text/x-diff
Size: 5767 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Mar 8 15:44:41 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Wed, 08 Mar 2017 16:44:41 +0100
Subject: [Freeipa-devel] [freeipa PR#553][comment] Add check for removing last KRA server
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/553
Title: #553: Add check for removing last KRA server

stlaz commented:
"""
Split done.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/553#issuecomment-285077007

From freeipa-github-notification at redhat.com Wed Mar 8 15:46:13 2017
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 08 Mar 2017 16:46:13 +0100
Subject: [Freeipa-devel] [freeipa PR#555][synchronized] ipa-managed-entries: use server-mode API
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/555
Author: martbab
Title: #555: ipa-managed-entries: use server-mode API
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/555/head:pr555
git checkout pr555
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-555.patch
Type: text/x-diff
Size: 1936 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Mar 8 15:47:39 2017
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Wed, 08 Mar 2017 16:47:39 +0100
Subject: [Freeipa-devel] [freeipa PR#555][+ack] ipa-managed-entries: use server-mode API
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/555
Title: #555: ipa-managed-entries: use server-mode API
Label: +ack

From freeipa-github-notification at redhat.com Wed Mar 8 15:53:37 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Wed, 08 Mar 2017 16:53:37 +0100
Subject: [Freeipa-devel] [freeipa PR#544][synchronized] Don't use weak ciphers for client HTTPS connections
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/544
Author: stlaz
Title: #544: Don't use weak ciphers for client HTTPS connections
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/544/head:pr544
git checkout pr544
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-544.patch
Type: text/x-diff
Size: 1492 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Mar 8 16:11:12 2017
From: freeipa-github-notification at redhat.com (abbra)
Date: Wed, 08 Mar 2017 17:11:12 +0100
Subject: [Freeipa-devel] [freeipa PR#535][comment] add whoami command
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/535
Title: #535: add whoami command

abbra commented:
"""
We can disable it for CLI, that's not a problem.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/535#issuecomment-285085254

From freeipa-github-notification at redhat.com Wed Mar 8 16:39:39 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 08 Mar 2017 17:39:39 +0100
Subject: [Freeipa-devel] [freeipa PR#553][comment] Add check for removing last KRA server
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/553
Title: #553: Add check for removing last KRA server

MartinBasti commented:
"""
JFTR: KRA uninstall commit is here #556
"""

See the full comment at https://github.com/freeipa/freeipa/pull/553#issuecomment-285093976

From freeipa-github-notification at redhat.com Wed Mar 8 17:38:14 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 08 Mar 2017 18:38:14 +0100
Subject: [Freeipa-devel] [freeipa PR#544][+ack] Don't use weak ciphers for client HTTPS connections
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/544
Title: #544: Don't use weak ciphers for client HTTPS connections
Label: +ack

From freeipa-github-notification at redhat.com Wed Mar 8 17:55:34 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 08 Mar 2017 18:55:34 +0100
Subject: [Freeipa-devel] [freeipa PR#553][comment] Add check for removing last KRA server
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/553
Title: #553: Add check for removing last KRA server

MartinBasti commented:
"""
Probably you we should fix this before we double number of alerts https://pagure.io/freeipa/issue/6598
"""

See the full comment at https://github.com/freeipa/freeipa/pull/553#issuecomment-285116330

From freeipa-github-notification at redhat.com Thu Mar 9 05:55:07 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Thu, 09 Mar 2017 06:55:07 +0100
Subject: [Freeipa-devel] [freeipa PR#539][comment] Define errors_by_code in ipalib.errors
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/539
Title: #539: Define errors_by_code in ipalib.errors

HonzaCholasta commented:
"""
Seems like an overkill for the ~2 types of errors which the code uses. Anyway, I would rather wait before making any kind of decision based on cert-request code until after it is refactored to be less insane (https://pagure.io/freeipa/issue/6531).
"""

See the full comment at https://github.com/freeipa/freeipa/pull/539#issuecomment-285261846

From freeipa-github-notification at redhat.com Thu Mar 9 06:36:24 2017
From: freeipa-github-notification at redhat.com (frasertweedale) Date: Thu, 09 Mar 2017 07:36:24 +0100 Subject: [Freeipa-devel] [freeipa PR#539][closed] Define errors_by_code in ipalib.errors In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/539 Author: frasertweedale Title: #539: Define errors_by_code in ipalib.errors Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/539/head:pr539 git checkout pr539 From freeipa-github-notification at redhat.com Thu Mar 9 06:36:25 2017 From: freeipa-github-notification at redhat.com (frasertweedale) Date: Thu, 09 Mar 2017 07:36:25 +0100 Subject: [Freeipa-devel] [freeipa PR#539][comment] Define errors_by_code in ipalib.errors In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/539 Title: #539: Define errors_by_code in ipalib.errors frasertweedale commented: """ Righto. I'll withdraw this PR for now and it will make a comeback closer to landing the gssapi work. """ See the full comment at https://github.com/freeipa/freeipa/pull/539#issuecomment-285268049 From freeipa-github-notification at redhat.com Thu Mar 9 06:42:12 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Thu, 09 Mar 2017 07:42:12 +0100 Subject: [Freeipa-devel] [freeipa PR#557][opened] certmap: load certificate from file in certmap-match CLI Message-ID: URL: https://github.com/freeipa/freeipa/pull/557 Author: HonzaCholasta Title: #557: certmap: load certificate from file in certmap-match CLI Action: opened PR body: """ Load the certificate from a file specified in the first argument. Raw certificate value can be specified using --certificate. https://pagure.io/freeipa/issue/6646 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/557/head:pr557 git checkout pr557 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-557.patch Type: text/x-diff Size: 2355 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 9 06:42:20 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Thu, 09 Mar 2017 07:42:20 +0100 Subject: [Freeipa-devel] [freeipa PR#516][comment] IdM Server: list all Employees with matching Smart Card In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/516 Title: #516: IdM Server: list all Employees with matching Smart Card HonzaCholasta commented: """ I forgot to say that in the CLI, the certificate should be specified using a file. PR #557 implements this. """ See the full comment at https://github.com/freeipa/freeipa/pull/516#issuecomment-285268909 From freeipa-github-notification at redhat.com Thu Mar 9 08:56:28 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Thu, 09 Mar 2017 09:56:28 +0100 Subject: [Freeipa-devel] [freeipa PR#558][opened] ipapython: fix DEFAULT_PLUGINS in version.py Message-ID: URL: https://github.com/freeipa/freeipa/pull/558 Author: HonzaCholasta Title: #558: ipapython: fix DEFAULT_PLUGINS in version.py Action: opened PR body: """ Replace the placeholder with the actual value during build. This fixes the client incorrectly assuming that the default version of all plugins is 1. https://pagure.io/freeipa/issue/6597 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/558/head:pr558 git checkout pr558 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-558.patch Type: text/x-diff Size: 1783 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 9 09:01:33 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Thu, 09 Mar 2017 10:01:33 +0100 Subject: [Freeipa-devel] [freeipa PR#559][opened] WebUI: Certificate login Message-ID: URL: https://github.com/freeipa/freeipa/pull/559 Author: pvomacka Title: #559: WebUI: Certificate login Action: opened PR body: """ https://pagure.io/freeipa/issue/6225 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/559/head:pr559 git checkout pr559 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-559.patch Type: text/x-diff Size: 10400 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 9 09:26:19 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 09 Mar 2017 10:26:19 +0100 Subject: [Freeipa-devel] [freeipa PR#556][comment] Don't allow standalone KRA uninstalls In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/556 Title: #556: Don't allow standalone KRA uninstalls tomaskrizek commented: """ You should also remove:
```
ipaplatform/base/paths.py:313: IPASERVER_KRA_UNINSTALL_LOG
ipatests/test_integration/tasks.py:71: host.collect_log(paths.IPASERVER_KRA_UNINSTALL_LOG)
ipatests/test_integration/tasks.py:73: host.collect_log(paths.IPASERVER_KRA_UNINSTALL_LOG)
ipatests/test_integration/test_vault.py:145: def test_create_and_retrieve_vault_after_kra_uninstall_on_replica
```
""" See the full comment at https://github.com/freeipa/freeipa/pull/556#issuecomment-285299507 From freeipa-github-notification at redhat.com Thu Mar 9 09:29:08 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 09 Mar 2017 10:29:08 +0100 Subject: [Freeipa-devel] [freeipa PR#544][+pushed] Don't use weak ciphers for client HTTPS connections In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/544 Title: #544: Don't use weak ciphers for client HTTPS connections Label: +pushed From freeipa-github-notification at redhat.com Thu Mar 9 09:29:13 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 09 Mar 2017 10:29:13 +0100 Subject: [Freeipa-devel] [freeipa PR#544][comment] Don't use weak ciphers for client HTTPS connections In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/544 Title: #544: Don't use weak ciphers for client HTTPS connections tomaskrizek commented: """ master: * fda22c33441d3b2c541a272e411ac1503a20fb01 Don't use weak ciphers for client HTTPS connections """ See the full comment at https://github.com/freeipa/freeipa/pull/544#issuecomment-285300169 From freeipa-github-notification at redhat.com Thu Mar 9 09:29:14 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 09 Mar 2017 10:29:14 +0100 Subject: [Freeipa-devel] [freeipa PR#544][closed] Don't use weak ciphers for client HTTPS connections In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/544 Author: stlaz Title: #544: Don't use weak ciphers for client HTTPS connections Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/544/head:pr544 git checkout pr544 From freeipa-github-notification at redhat.com Thu Mar 9 09:32:53 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 09 Mar 2017 10:32:53 +0100 Subject: [Freeipa-devel] [freeipa PR#555][+pushed] ipa-managed-entries: use server-mode API In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/555 Title: #555: ipa-managed-entries: use server-mode API Label: +pushed From freeipa-github-notification at redhat.com Thu Mar 9 09:32:55 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 09 Mar 2017 10:32:55 +0100 Subject: [Freeipa-devel] [freeipa PR#555][comment] ipa-managed-entries: use server-mode API In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/555 Title: #555: ipa-managed-entries: use server-mode API tomaskrizek commented: """ master: * 715367506b11549aae69f913594ebc6d9c4d3e76 ipa-managed-entries: use server-mode API * 5cb98496aa2e1e190219cf2f4a6208a38fa368d5 ipa-managed-entries: only permit running the command on IPA master """ See the full comment at https://github.com/freeipa/freeipa/pull/555#issuecomment-285301086 From freeipa-github-notification at redhat.com Thu Mar 9 09:32:56 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 09 Mar 2017 10:32:56 +0100 Subject: [Freeipa-devel] [freeipa PR#555][closed] ipa-managed-entries: use server-mode API In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/555 Author: martbab Title: #555: ipa-managed-entries: use server-mode API Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/555/head:pr555 git checkout pr555 From freeipa-github-notification at redhat.com Thu Mar 9 10:00:22 2017 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Thu, 09 Mar 2017 11:00:22 +0100 Subject: [Freeipa-devel] [freeipa PR#557][comment] certmap: load certificate from file in certmap-match CLI In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/557 Title: #557: certmap: load certificate from file in certmap-match CLI flo-renaud commented: """ Hi @HonzaCholasta thank you for this patch. There is a minor issue when --certificate is specified multiple times:
```
ipa certmap-match --certificate $CERT1 --certificate $CERT2
ipa: ERROR: invalid 'certificate': must be binary data
```
Otherwise, it works as expected. """ See the full comment at https://github.com/freeipa/freeipa/pull/557#issuecomment-285307713 From freeipa-github-notification at redhat.com Thu Mar 9 10:00:40 2017 
From: freeipa-github-notification at redhat.com (abbra) Date: Thu, 09 Mar 2017 11:00:40 +0100 Subject: [Freeipa-devel] [freeipa PR#535][synchronized] add whoami command In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/535 Author: abbra Title: #535: add whoami command Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/535/head:pr535 git checkout pr535 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-535.patch Type: text/x-diff Size: 8696 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 9 10:08:14 2017 From: freeipa-github-notification at redhat.com (abbra) Date: Thu, 09 Mar 2017 11:08:14 +0100 Subject: [Freeipa-devel] [freeipa PR#535][synchronized] add whoami command In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/535 Author: abbra Title: #535: add whoami command Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/535/head:pr535 git checkout pr535 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-535.patch Type: text/x-diff Size: 8327 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 9 10:12:14 2017 From: freeipa-github-notification at redhat.com (abbra) Date: Thu, 09 Mar 2017 11:12:14 +0100 Subject: [Freeipa-devel] [freeipa PR#535][comment] add whoami command In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/535 Title: #535: add whoami command abbra commented: """ Updated. """ See the full comment at https://github.com/freeipa/freeipa/pull/535#issuecomment-285310604 From freeipa-github-notification at redhat.com Thu Mar 9 10:47:10 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 09 Mar 2017 11:47:10 +0100 Subject: [Freeipa-devel] [freeipa PR#556][synchronized] Don't allow standalone KRA uninstalls In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/556 Author: stlaz Title: #556: Don't allow standalone KRA uninstalls Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/556/head:pr556 git checkout pr556 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-556.patch Type: text/x-diff Size: 8781 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 9 11:06:05 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 09 Mar 2017 12:06:05 +0100 Subject: [Freeipa-devel] [freeipa PR#556][comment] Don't allow standalone KRA uninstalls In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/556 Title: #556: Don't allow standalone KRA uninstalls stlaz commented: """ Should be fixed now, had to add `sys.exit()` call not to show traceback """ See the full comment at https://github.com/freeipa/freeipa/pull/556#issuecomment-285322583 From freeipa-github-notification at redhat.com Thu Mar 9 11:10:12 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 09 Mar 2017 12:10:12 +0100 Subject: [Freeipa-devel] [freeipa PR#556][synchronized] Don't allow standalone KRA uninstalls In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/556 Author: stlaz Title: #556: Don't allow standalone KRA uninstalls Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/556/head:pr556 git checkout pr556 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-556.patch Type: text/x-diff Size: 9453 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 9 11:19:51 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Thu, 09 Mar 2017 12:19:51 +0100 Subject: [Freeipa-devel] [freeipa PR#559][synchronized] WebUI: Certificate login In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/559 Author: pvomacka Title: #559: WebUI: Certificate login Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/559/head:pr559 git checkout pr559 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-559.patch Type: text/x-diff Size: 12056 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 9 11:39:47 2017 From: freeipa-github-notification at redhat.com (dkupka) Date: Thu, 09 Mar 2017 12:39:47 +0100 Subject: [Freeipa-devel] [freeipa PR#559][comment] WebUI: Certificate login In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/559 Title: #559: WebUI: Certificate login dkupka commented: """ @pvomacka NACK, see lint errors in travis. """ See the full comment at https://github.com/freeipa/freeipa/pull/559#issuecomment-285329218 From freeipa-github-notification at redhat.com Thu Mar 9 11:52:35 2017 
From: freeipa-github-notification at redhat.com (dkupka) Date: Thu, 09 Mar 2017 12:52:35 +0100 Subject: [Freeipa-devel] [freeipa PR#560][opened] rpcserver: x509_login: Handle unsuccessful certificate login gracefully Message-ID: URL: https://github.com/freeipa/freeipa/pull/560 Author: dkupka Title: #560: rpcserver: x509_login: Handle unsuccessful certificate login gracefully Action: opened PR body: """ When mod_lookup_identity is unable to match user by certificate (and username) it unsets http request's user. mod_auth_gssapi is then unable to get Kerberos ticket and doesn't set KRB5CCNAME environment variable. x509_login.__call__ now returns 401 in such case to indicate that request was not authenticated. https://pagure.io/freeipa/issue/6225 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/560/head:pr560 git checkout pr560 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-560.patch Type: text/x-diff Size: 1387 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 9 11:53:05 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Thu, 09 Mar 2017 12:53:05 +0100 Subject: [Freeipa-devel] [freeipa PR#559][synchronized] WebUI: Certificate login In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/559 Author: pvomacka Title: #559: WebUI: Certificate login Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/559/head:pr559 git checkout pr559 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-559.patch Type: text/x-diff Size: 12064 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 9 12:15:16 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 09 Mar 2017 13:15:16 +0100 Subject: [Freeipa-devel] [freeipa PR#535][comment] add whoami command In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/535 Title: #535: add whoami command stlaz commented: """ @abbra Thank you for the changes, the patch seems fine now. I tested the user/service/host scenarios and it worked fine. I couldn't test idviews since trusts are broken now but I assume it should work fine as well. If you could only apply the following patch https://transfer.sh/IA7Ic/0001-improve-one-more-dict.patch which improves the last `dict()` behavior then I'll bless this patch :) We may want to add some tests later so I will propose to leave the ticket open. """ See the full comment at https://github.com/freeipa/freeipa/pull/535#issuecomment-285336020 From freeipa-github-notification at redhat.com Thu Mar 9 12:26:09 2017 From: freeipa-github-notification at redhat.com (abbra) Date: Thu, 09 Mar 2017 13:26:09 +0100 Subject: [Freeipa-devel] [freeipa PR#535][synchronized] add whoami command In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/535 Author: abbra Title: #535: add whoami command Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/535/head:pr535 git checkout pr535 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-535.patch Type: text/x-diff Size: 8243 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 9 12:33:20 2017 
From: freeipa-github-notification at redhat.com (simo5) Date: Thu, 09 Mar 2017 13:33:20 +0100 Subject: [Freeipa-devel] [freeipa PR#546][synchronized] Store session cookie in a ccache option In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/546 Author: simo5 Title: #546: Store session cookie in a ccache option Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/546/head:pr546 git checkout pr546 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-546.patch Type: text/x-diff Size: 10668 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 9 12:34:43 2017 From: freeipa-github-notification at redhat.com (simo5) Date: Thu, 09 Mar 2017 13:34:43 +0100 Subject: [Freeipa-devel] [freeipa PR#546][comment] Store session cookie in a ccache option In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/546 Title: #546: Store session cookie in a ccache option simo5 commented: """ Ok I decided to do away with the whole class stuff, given we never really keep around the class object for more than one operation at a time in actual use. As @rcritten requested I also added a test, and I am glad it was asked as I found a failure case we need to handle (see the exception handling in remove_data()) """ See the full comment at https://github.com/freeipa/freeipa/pull/546#issuecomment-285339682 From freeipa-github-notification at redhat.com Thu Mar 9 12:34:52 2017 
From: freeipa-github-notification at redhat.com (pvomacka) Date: Thu, 09 Mar 2017 13:34:52 +0100 Subject: [Freeipa-devel] [freeipa PR#559][synchronized] WebUI: Certificate login In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/559 Author: pvomacka Title: #559: WebUI: Certificate login Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/559/head:pr559 git checkout pr559 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-559.patch Type: text/x-diff Size: 12064 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 9 12:38:54 2017 From: freeipa-github-notification at redhat.com (abbra) Date: Thu, 09 Mar 2017 13:38:54 +0100 Subject: [Freeipa-devel] [freeipa PR#535][comment] add whoami command In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/535 Title: #535: add whoami command abbra commented: """ Done. I've also updated the design page to reflect the changes. """ See the full comment at https://github.com/freeipa/freeipa/pull/535#issuecomment-285340468 From freeipa-github-notification at redhat.com Thu Mar 9 12:41:24 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 09 Mar 2017 13:41:24 +0100 Subject: [Freeipa-devel] [freeipa PR#556][comment] Don't allow standalone KRA uninstalls In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/556 Title: #556: Don't allow standalone KRA uninstalls MartinBasti commented: """ `ScriptError` didn't work? """ See the full comment at https://github.com/freeipa/freeipa/pull/556#issuecomment-285341002 From freeipa-github-notification at redhat.com Thu Mar 9 12:54:48 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 09 Mar 2017 13:54:48 +0100 Subject: [Freeipa-devel] [freeipa PR#546][comment] Store session cookie in a ccache option In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/546 Title: #546: Store session cookie in a ccache option MartinBasti commented: """
```
************* Module ipapython.session_storage
ipapython/session_storage.py:187: [W1624(indexing-exception), remove_data] Indexing exceptions will not work on Python 3)
************* Module ipalib.rpc
ipalib/rpc.py:114: [E1120(no-value-for-parameter), read_persistent_client_session_data] No value for argument 'value' in function call)
************* Module ipatests.test_ipapython.test_session_storage
ipatests/test_ipapython/test_session_storage.py:39: [W0612(unused-variable), test_session_storage.test_03] Unused variable 'e')
ipatests/test_ipapython/test_session_storage.py:9: [W0611(unused-import), ] Unused raises imported from nose.tools)
ipatests/test_ipapython/test_session_storage.py:12: [W0611(unused-import), ] Unused import pytest)
```
""" See the full comment at https://github.com/freeipa/freeipa/pull/546#issuecomment-285343721 From freeipa-github-notification at redhat.com Thu Mar 9 12:59:20 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 09 Mar 2017 13:59:20 +0100 Subject: [Freeipa-devel] [freeipa PR#535][comment] add whoami command In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/535 Title: #535: add whoami command stlaz commented: """ Thank you, ACK. Please don't close the ticket, we still need tests. """ See the full comment at https://github.com/freeipa/freeipa/pull/535#issuecomment-285344724 From freeipa-github-notification at redhat.com Thu Mar 9 12:59:27 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 09 Mar 2017 13:59:27 +0100 Subject: [Freeipa-devel] [freeipa PR#535][+ack] add whoami command In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/535 Title: #535: add whoami command Label: +ack From freeipa-github-notification at redhat.com Thu Mar 9 12:59:51 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 09 Mar 2017 13:59:51 +0100 Subject: [Freeipa-devel] [freeipa PR#556][comment] Don't allow standalone KRA uninstalls In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/556 Title: #556: Don't allow standalone KRA uninstalls stlaz commented: """ @MartinBasti unfortunately not. """ See the full comment at https://github.com/freeipa/freeipa/pull/556#issuecomment-285344820 From freeipa-github-notification at redhat.com Thu Mar 9 13:03:17 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 09 Mar 2017 14:03:17 +0100 Subject: [Freeipa-devel] [freeipa PR#476][comment] vault: cache the transport certificate on client In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/476 Title: #476: vault: cache the transport certificate on client MartinBasti commented: """ needs rebase """ See the full comment at https://github.com/freeipa/freeipa/pull/476#issuecomment-285345504 From freeipa-github-notification at redhat.com Thu Mar 9 13:09:07 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 09 Mar 2017 14:09:07 +0100 Subject: [Freeipa-devel] [freeipa PR#556][synchronized] Don't allow standalone KRA uninstalls In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/556 Author: stlaz Title: #556: Don't allow standalone KRA uninstalls Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/556/head:pr556 git checkout pr556 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-556.patch Type: text/x-diff Size: 9453 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 9 13:10:31 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 09 Mar 2017 14:10:31 +0100 Subject: [Freeipa-devel] [freeipa PR#535][comment] add whoami command In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/535 Title: #535: add whoami command MartinBasti commented: """ master: * 381c1c7a8fe63526d21cb65decb75fb5ffda676a add whoami command """ See the full comment at https://github.com/freeipa/freeipa/pull/535#issuecomment-285347082 From freeipa-github-notification at redhat.com Thu Mar 9 13:10:33 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 09 Mar 2017 14:10:33 +0100 Subject: [Freeipa-devel] [freeipa PR#535][+pushed] add whoami command In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/535 Title: #535: add whoami command Label: +pushed From freeipa-github-notification at redhat.com Thu Mar 9 13:10:34 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 09 Mar 2017 14:10:34 +0100 Subject: [Freeipa-devel] [freeipa PR#535][closed] add whoami command In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/535 Author: abbra Title: #535: add whoami command Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/535/head:pr535 git checkout pr535 From freeipa-github-notification at redhat.com Thu Mar 9 13:12:41 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Thu, 09 Mar 2017 14:12:41 +0100 Subject: [Freeipa-devel] [freeipa PR#559][synchronized] WebUI: Certificate login In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/559 Author: pvomacka Title: #559: WebUI: Certificate login Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/559/head:pr559 git checkout pr559 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-559.patch Type: text/x-diff Size: 12070 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 9 13:13:10 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 09 Mar 2017 14:13:10 +0100 Subject: [Freeipa-devel] [freeipa PR#535][comment] add whoami command In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/535 Title: #535: add whoami command MartinBasti commented: """ Tests: https://pagure.io/freeipa/issue/6745 """ See the full comment at https://github.com/freeipa/freeipa/pull/535#issuecomment-285347687 From freeipa-github-notification at redhat.com Thu Mar 9 13:18:11 2017 
From: freeipa-github-notification at redhat.com (pvomacka) Date: Thu, 09 Mar 2017 14:18:11 +0100 Subject: [Freeipa-devel] [freeipa PR#559][comment] WebUI: Certificate login In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/559 Title: #559: WebUI: Certificate login pvomacka commented: """ @pvoborni thank you for review. Fixed all proposed changes. """ See the full comment at https://github.com/freeipa/freeipa/pull/559#issuecomment-285348733 From freeipa-github-notification at redhat.com Thu Mar 9 13:27:39 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Thu, 09 Mar 2017 14:27:39 +0100 Subject: [Freeipa-devel] [freeipa PR#557][comment] certmap: load certificate from file in certmap-match CLI In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/557 Title: #557: certmap: load certificate from file in certmap-match CLI HonzaCholasta commented: """ @flo-renaud, looks like you have found an issue in the framework, but it is unrelated to this PR. It can be reproduced in other commands as well, e.g.:
```
$ ipa user-mod jcholast --uid a --uid b
ipa: ERROR: invalid 'uid': must be an integer
```
""" See the full comment at https://github.com/freeipa/freeipa/pull/557#issuecomment-285350770 From freeipa-github-notification at redhat.com Thu Mar 9 13:29:26 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 09 Mar 2017 14:29:26 +0100 Subject: [Freeipa-devel] [freeipa PR#556][+ack] Don't allow standalone KRA uninstalls In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/556 Title: #556: Don't allow standalone KRA uninstalls Label: +ack From freeipa-github-notification at redhat.com Thu Mar 9 13:30:06 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Thu, 09 Mar 2017 14:30:06 +0100 Subject: [Freeipa-devel] [freeipa PR#476][synchronized] vault: cache the transport certificate on client In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/476 Author: HonzaCholasta Title: #476: vault: cache the transport certificate on client Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/476/head:pr476 git checkout pr476 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-476.patch Type: text/x-diff Size: 14431 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 9 13:33:03 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 09 Mar 2017 14:33:03 +0100 Subject: [Freeipa-devel] [freeipa PR#556][-ack] Don't allow standalone KRA uninstalls In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/556 Title: #556: Don't allow standalone KRA uninstalls Label: -ack From freeipa-github-notification at redhat.com Thu Mar 9 13:33:25 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 09 Mar 2017 14:33:25 +0100 Subject: [Freeipa-devel] [freeipa PR#556][comment] Don't allow standalone KRA uninstalls In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/556 Title: #556: Don't allow standalone KRA uninstalls MartinBasti commented: """ Waiting for more opinions about removing KRA --uninstall """ See the full comment at https://github.com/freeipa/freeipa/pull/556#issuecomment-285352065 From freeipa-github-notification at redhat.com Thu Mar 9 13:41:46 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 09 Mar 2017 14:41:46 +0100 Subject: [Freeipa-devel] [freeipa PR#545][+ack] install_check: require IPv6 stack to be enabled In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/545 Title: #545: install_check: require IPv6 stack to be enabled Label: +ack From freeipa-github-notification at redhat.com Thu Mar 9 13:43:56 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Thu, 09 Mar 2017 14:43:56 +0100 Subject: [Freeipa-devel] [freeipa PR#561][opened] ldap2: fix crash in development mode Message-ID: URL: https://github.com/freeipa/freeipa/pull/561 Author: HonzaCholasta Title: #561: ldap2: fix crash in development mode Action: opened PR body: """ Do not set or delete attributes directly on the ldap2 instance, as that raises an AttributeError in development mode because of ReadOnly locking. Use the usual workaround of object.__setattr__ and .__delattr__ to fix the issue. https://pagure.io/freeipa/issue/6625 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/561/head:pr561 git checkout pr561 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-561.patch Type: text/x-diff Size: 3532 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 9 13:44:41 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Thu, 09 Mar 2017 14:44:41 +0100 Subject: [Freeipa-devel] [freeipa PR#561][synchronized] ldap2: fix crash in development mode In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/561 Author: HonzaCholasta Title: #561: ldap2: fix crash in development mode Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/561/head:pr561 git checkout pr561 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-561.patch Type: text/x-diff Size: 3542 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 9 13:44:54 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Thu, 09 Mar 2017 14:44:54 +0100 Subject: [Freeipa-devel] [freeipa PR#561][edited] ldap2: fix crash in development mode In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/561 Author: HonzaCholasta Title: #561: ldap2: fix crash in development mode Action: edited Changed field: body Original value: """ Do not set or delete attributes directly on the ldap2 instance, as that raises an AttributeError in development mode because of ReadOnly locking. Use the usual workaround of object.__setattr__ and .__delattr__ to fix the issue. https://pagure.io/freeipa/issue/6625 """ From freeipa-github-notification at redhat.com Thu Mar 9 13:46:38 2017 
From: freeipa-github-notification at redhat.com (pvoborni) Date: Thu, 09 Mar 2017 14:46:38 +0100 Subject: [Freeipa-devel] [freeipa PR#556][comment] Don't allow standalone KRA uninstalls In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/556 Title: #556: Don't allow standalone KRA uninstalls pvoborni commented: """ OK, so this PR removes `--uninstall` from `ipa-kra-install`. Did it work in the past? Or it always broke the installation? AFAIK this workflow was not really tested. If answers are "No, Yes, Yes" then I'm OK with the PR. """ See the full comment at https://github.com/freeipa/freeipa/pull/556#issuecomment-285354949 From freeipa-github-notification at redhat.com Thu Mar 9 13:46:53 2017 From: freeipa-github-notification at redhat.com (pvoborni) Date: Thu, 09 Mar 2017 14:46:53 +0100 Subject: [Freeipa-devel] [freeipa PR#556][comment] Don't allow standalone KRA uninstalls In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/556 Title: #556: Don't allow standalone KRA uninstalls pvoborni commented: """ OK, so this PR removes `--uninstall` from `ipa-kra-install`. Did it work in the past? Or it always broke the installation? AFAIK this workflow was not really tested. If answers are "No, Yes, Yes" then I'm OK with the PR. """ See the full comment at https://github.com/freeipa/freeipa/pull/556#issuecomment-285354949 From freeipa-github-notification at redhat.com Thu Mar 9 13:52:48 2017 
From: freeipa-github-notification at redhat.com (simo5) Date: Thu, 09 Mar 2017 14:52:48 +0100 Subject: [Freeipa-devel] [freeipa PR#546][synchronized] Store session cookie in a ccache option In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/546 Author: simo5 Title: #546: Store session cookie in a ccache option Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/546/head:pr546 git checkout pr546 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-546.patch Type: text/x-diff Size: 10593 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 9 13:52:50 2017 From: freeipa-github-notification at redhat.com (simo5) Date: Thu, 09 Mar 2017 14:52:50 +0100 Subject: [Freeipa-devel] [freeipa PR#546][comment] Store session cookie in a ccache option In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/546 Title: #546: Store session cookie in a ccache option simo5 commented: """ Oops sorry, forgot to run make pylint on my last iteration, should be all fixed now """ See the full comment at https://github.com/freeipa/freeipa/pull/546#issuecomment-285356420 From freeipa-github-notification at redhat.com Thu Mar 9 15:30:16 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 09 Mar 2017 16:30:16 +0100 Subject: [Freeipa-devel] [freeipa PR#561][comment] ldap2: fix crash in development mode In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/561 Title: #561: ldap2: fix crash in development mode tomaskrizek commented: """ Seems to work all right, but the locking issue still affects other parts of the code. For example, `ipa cert-show` in development mode fails with: ``` AttributeError: locked: cannot set ra_lightweight_ca.cookie ``` I'm not sure if that's in the ticket's scope or not. """ See the full comment at https://github.com/freeipa/freeipa/pull/561#issuecomment-285383760 From freeipa-github-notification at redhat.com Thu Mar 9 15:49:12 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 09 Mar 2017 16:49:12 +0100 Subject: [Freeipa-devel] [freeipa PR#562][opened] [ipa-4-4] server install: require IPv6 stack to be enabled Message-ID: URL: https://github.com/freeipa/freeipa/pull/562 Author: tomaskrizek Title: #562: [ipa-4-4] server install: require IPv6 stack to be enabled Action: opened PR body: """ Add checks to install and replica install to verify IPv6 stack is enabled. IPv6 is required by some IPA parts (AD, conncheck, ...). https://pagure.io/freeipa/issue/6608 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/562/head:pr562 git checkout pr562 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-562.patch Type: text/x-diff Size: 4105 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 9 15:50:40 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 09 Mar 2017 16:50:40 +0100 Subject: [Freeipa-devel] [freeipa PR#562][+ack] [ipa-4-4] server install: require IPv6 stack to be enabled In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/562 Title: #562: [ipa-4-4] server install: require IPv6 stack to be enabled Label: +ack From freeipa-github-notification at redhat.com Thu Mar 9 15:51:35 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 09 Mar 2017 16:51:35 +0100 Subject: [Freeipa-devel] [freeipa PR#545][+pushed] install_check: require IPv6 stack to be enabled In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/545 Title: #545: install_check: require IPv6 stack to be enabled Label: +pushed From freeipa-github-notification at redhat.com Thu Mar 9 15:51:36 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 09 Mar 2017 16:51:36 +0100 Subject: [Freeipa-devel] [freeipa PR#545][comment] install_check: require IPv6 stack to be enabled In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/545 Title: #545: install_check: require IPv6 stack to be enabled tomaskrizek commented: """ master: * ecb450308d0a49afffb31dda1e405ad40552e70e server install: require IPv6 stack to be enabled """ See the full comment at https://github.com/freeipa/freeipa/pull/545#issuecomment-285390484 From freeipa-github-notification at redhat.com Thu Mar 9 15:51:37 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 09 Mar 2017 16:51:37 +0100 Subject: [Freeipa-devel] [freeipa PR#545][closed] install_check: require IPv6 stack to be enabled In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/545 Author: tomaskrizek Title: #545: install_check: require IPv6 stack to be enabled Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/545/head:pr545 git checkout pr545 From freeipa-github-notification at redhat.com Thu Mar 9 15:52:29 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 09 Mar 2017 16:52:29 +0100 Subject: [Freeipa-devel] [freeipa PR#562][comment] [ipa-4-4] server install: require IPv6 stack to be enabled In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/562 Title: #562: [ipa-4-4] server install: require IPv6 stack to be enabled tomaskrizek commented: """ ipa-4-4: * a572e61cb5153df8a040757eaba0c47531f0fe85 server install: require IPv6 stack to be enabled """ See the full comment at https://github.com/freeipa/freeipa/pull/562#issuecomment-285390825 From freeipa-github-notification at redhat.com Thu Mar 9 15:52:31 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 09 Mar 2017 16:52:31 +0100 Subject: [Freeipa-devel] [freeipa PR#562][+pushed] [ipa-4-4] server install: require IPv6 stack to be enabled In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/562 Title: #562: [ipa-4-4] server install: require IPv6 stack to be enabled Label: +pushed From freeipa-github-notification at redhat.com Thu Mar 9 15:52:32 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 09 Mar 2017 16:52:32 +0100 Subject: [Freeipa-devel] [freeipa PR#562][closed] [ipa-4-4] server install: require IPv6 stack to be enabled In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/562 Author: tomaskrizek Title: #562: [ipa-4-4] server install: require IPv6 stack to be enabled Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/562/head:pr562 git checkout pr562 From freeipa-github-notification at redhat.com Thu Mar 9 15:53:24 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 09 Mar 2017 16:53:24 +0100 Subject: [Freeipa-devel] [freeipa PR#545][comment] install_check: require IPv6 stack to be enabled In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/545 Title: #545: install_check: require IPv6 stack to be enabled tomaskrizek commented: """ I had to rebase for `ipa-4-4`: #562 """ See the full comment at https://github.com/freeipa/freeipa/pull/545#issuecomment-285391132 From freeipa-github-notification at redhat.com Thu Mar 9 16:00:28 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 09 Mar 2017 17:00:28 +0100 Subject: [Freeipa-devel] [freeipa PR#558][+ack] ipapython: fix DEFAULT_PLUGINS in version.py In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/558 Title: #558: ipapython: fix DEFAULT_PLUGINS in version.py Label: +ack From freeipa-github-notification at redhat.com Thu Mar 9 16:27:13 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 09 Mar 2017 17:27:13 +0100 Subject: [Freeipa-devel] [freeipa PR#563][opened] backup: backup anonymous keytab Message-ID: URL: https://github.com/freeipa/freeipa/pull/563 Author: MartinBasti Title: #563: backup: backup anonymous keytab Action: opened PR body: """ Freeipa stops working without anon keytab https://pagure.io/freeipa/issue/5959 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/563/head:pr563 git checkout pr563 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-563.patch Type: text/x-diff Size: 729 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 9 16:47:30 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 09 Mar 2017 17:47:30 +0100 Subject: [Freeipa-devel] [freeipa PR#546][+ack] Store session cookie in a ccache option In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/546 Title: #546: Store session cookie in a ccache option Label: +ack From freeipa-github-notification at redhat.com Thu Mar 9 17:02:07 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 09 Mar 2017 18:02:07 +0100 Subject: [Freeipa-devel] [freeipa PR#511][comment] Bump required version of gssproxy to 0.6.2 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/511 Title: #511: Bump required version of gssproxy to 0.6.2 MartinBasti commented: """ I see gssproxy 0.7 in koji, can we update this and test rather early by putting it into freeipa-master repo? """ See the full comment at https://github.com/freeipa/freeipa/pull/511#issuecomment-285413071 From freeipa-github-notification at redhat.com Thu Mar 9 17:19:01 2017 
From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 09 Mar 2017 18:19:01 +0100 Subject: [Freeipa-devel] [freeipa PR#564][opened] Reconfigure Kerberos library config as the last step of KDC install Message-ID: URL: https://github.com/freeipa/freeipa/pull/564 Author: martbab Title: #564: Reconfigure Kerberos library config as the last step of KDC install Action: opened PR body: """ During KDC installation, we overwrite the existing `/etc/krb5.conf` file from client version to use only local KDC for client requests. However, this means that services such as certmonger may try to kinit against local KDC before it is up and running, resulting in subtle but serious bugs. The file should be updated only when KDC is set up properly and running. https://pagure.io/freeipa/issue/6739 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/564/head:pr564 git checkout pr564 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-564.patch Type: text/x-diff Size: 2281 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 9 17:20:52 2017 From: freeipa-github-notification at redhat.com (abbra) Date: Thu, 09 Mar 2017 18:20:52 +0100 Subject: [Freeipa-devel] [freeipa PR#564][comment] Reconfigure Kerberos library config as the last step of KDC install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/564 Title: #564: Reconfigure Kerberos library config as the last step of KDC install abbra commented: """ LGTM. """ See the full comment at https://github.com/freeipa/freeipa/pull/564#issuecomment-285418391 From freeipa-github-notification at redhat.com Thu Mar 9 17:21:21 2017 
From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 09 Mar 2017 18:21:21 +0100 Subject: [Freeipa-devel] [freeipa PR#564][synchronized] Reconfigure Kerberos library config as the last step of KDC install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/564 Author: martbab Title: #564: Reconfigure Kerberos library config as the last step of KDC install Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/564/head:pr564 git checkout pr564 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-564.patch Type: text/x-diff Size: 2095 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 9 17:21:48 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 09 Mar 2017 18:21:48 +0100 Subject: [Freeipa-devel] [freeipa PR#563][+ack] backup: backup anonymous keytab In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/563 Title: #563: backup: backup anonymous keytab Label: +ack From freeipa-github-notification at redhat.com Thu Mar 9 17:22:55 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 09 Mar 2017 18:22:55 +0100 Subject: [Freeipa-devel] [freeipa PR#563][comment] backup: backup anonymous keytab In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/563 Title: #563: backup: backup anonymous keytab martbab commented: """ master: * 8fb61a55fe32438752567bde8af73d6b8230a386 backup: backup anonymous keytab """ See the full comment at https://github.com/freeipa/freeipa/pull/563#issuecomment-285418939 From freeipa-github-notification at redhat.com Thu Mar 9 17:22:58 2017 
From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 09 Mar 2017 18:22:58 +0100 Subject: [Freeipa-devel] [freeipa PR#563][+pushed] backup: backup anonymous keytab In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/563 Title: #563: backup: backup anonymous keytab Label: +pushed From freeipa-github-notification at redhat.com Thu Mar 9 17:22:59 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 09 Mar 2017 18:22:59 +0100 Subject: [Freeipa-devel] [freeipa PR#563][closed] backup: backup anonymous keytab In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/563 Author: MartinBasti Title: #563: backup: backup anonymous keytab Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/563/head:pr563 git checkout pr563 From freeipa-github-notification at redhat.com Thu Mar 9 17:33:39 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 09 Mar 2017 18:33:39 +0100 Subject: [Freeipa-devel] [freeipa PR#511][comment] Bump required version of gssproxy to 0.6.2 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/511 Title: #511: Bump required version of gssproxy to 0.6.2 stlaz commented: """ +1 """ See the full comment at https://github.com/freeipa/freeipa/pull/511#issuecomment-285422303 From freeipa-github-notification at redhat.com Thu Mar 9 17:34:33 2017 
From: freeipa-github-notification at redhat.com (simo5) Date: Thu, 09 Mar 2017 18:34:33 +0100 Subject: [Freeipa-devel] [freeipa PR#564][comment] Reconfigure Kerberos library config as the last step of KDC install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/564 Title: #564: Reconfigure Kerberos library config as the last step of KDC install simo5 commented: """ I do not think this is the correct fix/bug. What we want to do is to change kdc.conf to require certs only after we have installed them. The KDC is already properly configured and running otherwise but fails to start on replica because certs are not there. We need it to not fail, not to allow certmonger to go over the network to other servers """ See the full comment at https://github.com/freeipa/freeipa/pull/564#issuecomment-285422563 From freeipa-github-notification at redhat.com Thu Mar 9 17:40:17 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 09 Mar 2017 18:40:17 +0100 Subject: [Freeipa-devel] [freeipa PR#558][+pushed] ipapython: fix DEFAULT_PLUGINS in version.py In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/558 Title: #558: ipapython: fix DEFAULT_PLUGINS in version.py Label: +pushed From freeipa-github-notification at redhat.com Thu Mar 9 17:40:18 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 09 Mar 2017 18:40:18 +0100 Subject: [Freeipa-devel] [freeipa PR#558][comment] ipapython: fix DEFAULT_PLUGINS in version.py In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/558 Title: #558: ipapython: fix DEFAULT_PLUGINS in version.py MartinBasti commented: """ master: * abf25d3cb6570e6ae7cd094ea6a5f4a1bd75d8a7 ipapython: fix DEFAULT_PLUGINS in version.py """ See the full comment at https://github.com/freeipa/freeipa/pull/558#issuecomment-285424137 From freeipa-github-notification at redhat.com Thu Mar 9 17:40:19 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 09 Mar 2017 18:40:19 +0100 Subject: [Freeipa-devel] [freeipa PR#558][closed] ipapython: fix DEFAULT_PLUGINS in version.py In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/558 Author: HonzaCholasta Title: #558: ipapython: fix DEFAULT_PLUGINS in version.py Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/558/head:pr558 git checkout pr558 From freeipa-github-notification at redhat.com Thu Mar 9 17:42:16 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 09 Mar 2017 18:42:16 +0100 Subject: [Freeipa-devel] [freeipa PR#564][comment] Reconfigure Kerberos library config as the last step of KDC install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/564 Title: #564: Reconfigure Kerberos library config as the last step of KDC install martbab commented: """ But the certs are requested by certmonger on replica which tries to kinit against *the very same KDC that is being configured and is not running yet* because it was told so by the Kerberos config that was updated before starting KDC. """ See the full comment at https://github.com/freeipa/freeipa/pull/564#issuecomment-285424665 From freeipa-github-notification at redhat.com Thu Mar 9 17:49:29 2017 
From: freeipa-github-notification at redhat.com (abbra) Date: Thu, 09 Mar 2017 18:49:29 +0100 Subject: [Freeipa-devel] [freeipa PR#564][comment] Reconfigure Kerberos library config as the last step of KDC install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/564 Title: #564: Reconfigure Kerberos library config as the last step of KDC install abbra commented: """ @simo5 KDC starts just fine with missing certs. It disables PKINIT if certs aren't reachable. However, if KDC is not running at all, certmonger cannot complete the cert request at all. """ See the full comment at https://github.com/freeipa/freeipa/pull/564#issuecomment-285426600 From freeipa-github-notification at redhat.com Thu Mar 9 18:48:29 2017 From: freeipa-github-notification at redhat.com (pvoborni) Date: Thu, 09 Mar 2017 19:48:29 +0100 Subject: [Freeipa-devel] [freeipa PR#565][opened] permissions: add permissions for reading and modifying external group members Message-ID: URL: https://github.com/freeipa/freeipa/pull/565 Author: pvoborni Title: #565: permissions: add permissions for reading and modifying external group members Action: opened PR body: """ Issue: "User Administrator" role cannot add users to an External Group. https://fedorahosted.org/freeipa/ticket/5504 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/565/head:pr565 git checkout pr565 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-565.patch Type: text/x-diff Size: 1770 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 9 19:11:53 2017 
From: freeipa-github-notification at redhat.com (pvoborni) Date: Thu, 09 Mar 2017 20:11:53 +0100 Subject: [Freeipa-devel] [freeipa PR#566][opened] webui: do not warn about CAs if there is only one master Message-ID: URL: https://github.com/freeipa/freeipa/pull/566 Author: pvoborni Title: #566: webui: do not warn about CAs if there is only one master Action: opened PR body: """ Web UI showed pop-up dialog which recommends to install additional CA in topology section when only 1 CA existed even if there was only one master. Thought behind the pop-up is to prevent situation, where multiple replicas are installed but neither with --setup-ca option and thus risking to lose CA when original master is lost. The warning was displayed also if only one IPA server exists. It is unnecessary to annoy admin only about CA because the entire IPA is not duplicated. Therefore the pop-up is now shown only one IPA server exists. https://pagure.io/freeipa/issue/6598 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/566/head:pr566 git checkout pr566 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-566.patch Type: text/x-diff Size: 1434 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 9 19:12:15 2017 From: freeipa-github-notification at redhat.com (pvoborni) Date: Thu, 09 Mar 2017 20:12:15 +0100 Subject: [Freeipa-devel] [freeipa PR#566][comment] webui: do not warn about CAs if there is only one master In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/566 Title: #566: webui: do not warn about CAs if there is only one master pvoborni commented: """ Written in a way that it can be then easily extended with KRA check. """ See the full comment at https://github.com/freeipa/freeipa/pull/566#issuecomment-285449877 From freeipa-github-notification at redhat.com Thu Mar 9 19:14:55 2017 
From: freeipa-github-notification at redhat.com (pvoborni) Date: Thu, 09 Mar 2017 20:14:55 +0100 Subject: [Freeipa-devel] [freeipa PR#553][comment] Add check for removing last KRA server In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/553 Title: #553: Add check for removing last KRA server pvoborni commented: """ Fix for 6598 in #566 """ See the full comment at https://github.com/freeipa/freeipa/pull/553#issuecomment-285450624 From freeipa-github-notification at redhat.com Thu Mar 9 20:20:58 2017 From: freeipa-github-notification at redhat.com (pvoborni) Date: Thu, 09 Mar 2017 21:20:58 +0100 Subject: [Freeipa-devel] [freeipa PR#565][synchronized] permissions: add permissions for reading and modifying external group members In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/565 Author: pvoborni Title: #565: permissions: add permissions for reading and modifying external group members Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/565/head:pr565 git checkout pr565 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-565.patch Type: text/x-diff Size: 3911 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 9 21:45:55 2017 
From: freeipa-github-notification at redhat.com (simo5) Date: Thu, 09 Mar 2017 22:45:55 +0100 Subject: [Freeipa-devel] [freeipa PR#567][opened] Configure KDC to use certs after they are deployed Message-ID: URL: https://github.com/freeipa/freeipa/pull/567 Author: simo5 Title: #567: Configure KDC to use certs after they are deployed Action: opened PR body: """ Certmonger needs to access the KDC when it tries to obtain certs, so make sure the KDC can run, then reconfigure it to use pkinit anchors once certs are deployed. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/567/head:pr567 git checkout pr567 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-567.patch Type: text/x-diff Size: 4301 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 9 21:46:38 2017 From: freeipa-github-notification at redhat.com (simo5) Date: Thu, 09 Mar 2017 22:46:38 +0100 Subject: [Freeipa-devel] [freeipa PR#567][comment] Configure KDC to use certs after they are deployed In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/567 Title: #567: Configure KDC to use certs after they are deployed simo5 commented: """ Still testing but this should be the way to go to fix the bug reported in #564 """ See the full comment at https://github.com/freeipa/freeipa/pull/567#issuecomment-285493679 From freeipa-github-notification at redhat.com Thu Mar 9 21:47:46 2017 
From: freeipa-github-notification at redhat.com (simo5) Date: Thu, 09 Mar 2017 22:47:46 +0100 Subject: [Freeipa-devel] [freeipa PR#564][comment] Reconfigure Kerberos library config as the last step of KDC install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/564 Title: #564: Reconfigure Kerberos library config as the last step of KDC install simo5 commented: """ @martbab @abbra see the pull request in #567 """ See the full comment at https://github.com/freeipa/freeipa/pull/564#issuecomment-285493983 From freeipa-github-notification at redhat.com Thu Mar 9 22:43:10 2017 From: freeipa-github-notification at redhat.com (simo5) Date: Thu, 09 Mar 2017 23:43:10 +0100 Subject: [Freeipa-devel] [freeipa PR#511][comment] Bump required version of gssproxy to 0.6.2 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/511 Title: #511: Bump required version of gssproxy to 0.6.2 simo5 commented: """ Can you prepare patch for spec file that requires gssproxy >= 0.7.0 and mod_auth_gssapi >= 1.5.0 ? """ See the full comment at https://github.com/freeipa/freeipa/pull/511#issuecomment-285507599 From freeipa-github-notification at redhat.com Fri Mar 10 05:30:23 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Fri, 10 Mar 2017 06:30:23 +0100 Subject: [Freeipa-devel] [freeipa PR#561][synchronized] ldap2: fix crash in development mode In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/561 Author: HonzaCholasta Title: #561: ldap2: fix crash in development mode Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/561/head:pr561 git checkout pr561 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-561.patch Type: text/x-diff Size: 5171 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 10 05:31:20 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Fri, 10 Mar 2017 06:31:20 +0100 Subject: [Freeipa-devel] [freeipa PR#561][comment] ldap2: fix crash in development mode In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/561 Title: #561: ldap2: fix crash in development mode HonzaCholasta commented: """ Let's see what Travis detects. """ See the full comment at https://github.com/freeipa/freeipa/pull/561#issuecomment-285582277 From freeipa-github-notification at redhat.com Fri Mar 10 05:32:16 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Fri, 10 Mar 2017 06:32:16 +0100 Subject: [Freeipa-devel] [freeipa PR#511][comment] Bump required version of gssproxy to 0.6.2 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/511 Title: #511: Bump required version of gssproxy to 0.6.2 HonzaCholasta commented: """ FYI built both in the freeipa-master COPR. """ See the full comment at https://github.com/freeipa/freeipa/pull/511#issuecomment-285582369 From freeipa-github-notification at redhat.com Fri Mar 10 06:16:49 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Fri, 10 Mar 2017 07:16:49 +0100 Subject: [Freeipa-devel] [freeipa PR#561][synchronized] ldap2: fix crash in development mode In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/561 Author: HonzaCholasta Title: #561: ldap2: fix crash in development mode Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/561/head:pr561 git checkout pr561 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-561.patch Type: text/x-diff Size: 5171 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 10 07:03:25 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Fri, 10 Mar 2017 08:03:25 +0100 Subject: [Freeipa-devel] [freeipa PR#561][comment] ldap2: fix crash in development mode In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/561 Title: #561: ldap2: fix crash in development mode HonzaCholasta commented: """ Travis didn't detect anything else, so I think we are good to go. Shall we keep the `.test_runner_config.yaml` change? (@martbab?) """ See the full comment at https://github.com/freeipa/freeipa/pull/561#issuecomment-285594083 From freeipa-github-notification at redhat.com Fri Mar 10 07:20:54 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 10 Mar 2017 08:20:54 +0100 Subject: [Freeipa-devel] [freeipa PR#564][comment] Reconfigure Kerberos library config as the last step of KDC install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/564 Title: #564: Reconfigure Kerberos library config as the last step of KDC install martbab commented: """ Ah right this won't work because on master there would be no library configuration for KDC deployment (realm, etc) that's why server install in travis crashed. Closing this PR as #567 supersedes it. """ See the full comment at https://github.com/freeipa/freeipa/pull/564#issuecomment-285596698 From freeipa-github-notification at redhat.com Fri Mar 10 07:20:55 2017 
From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 10 Mar 2017 08:20:55 +0100 Subject: [Freeipa-devel] [freeipa PR#564][closed] Reconfigure Kerberos library config as the last step of KDC install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/564 Author: martbab Title: #564: Reconfigure Kerberos library config as the last step of KDC install Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/564/head:pr564 git checkout pr564 From freeipa-github-notification at redhat.com Fri Mar 10 07:21:02 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 10 Mar 2017 08:21:02 +0100 Subject: [Freeipa-devel] [freeipa PR#564][+rejected] Reconfigure Kerberos library config as the last step of KDC install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/564 Title: #564: Reconfigure Kerberos library config as the last step of KDC install Label: +rejected From abokovoy at redhat.com Fri Mar 10 07:32:55 2017 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 10 Mar 2017 09:32:55 +0200 Subject: [Freeipa-devel] Samba 4.6.0-2.fc26 is available for trust tests Message-ID: <20170310073255.3l4ofsjj2xdceth2@redhat.com> Hi, I've submitted Samba 4.6.0-2 to FC26 and rawhide. This build contains fixes that allow FreeIPA implement trust functionality under gssproxy privilege separation. You need gssproxy 0.7.0 or later. Please test and add karma to https://bodhi.fedoraproject.org/updates/FEDORA-2017-c5e572f32b There is no build for Fedora 25. -- / Alexander Bokovoy From freeipa-github-notification at redhat.com Fri Mar 10 07:36:41 2017 
From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 10 Mar 2017 08:36:41 +0100 Subject: [Freeipa-devel] [freeipa PR#567][comment] Configure KDC to use certs after they are deployed In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/567 Title: #567: Configure KDC to use certs after they are deployed martbab commented: """ I think we can avoid the copy-pasta by actually moving PKINIT requesting code into `__common_post_setup` like this: ```diff --- a/ipaserver/install/krbinstance.py +++ b/ipaserver/install/krbinstance.py @@ -142,10 +142,15 @@ class KrbInstance(service.Service): self.step("starting the KDC", self.__start_instance) self.step("configuring KDC to start on boot", self.__enable) + if self.setup_pkinit: + self.step("installing X509 Certificate for PKINIT", + self.setup_pkinit) + def create_instance(self, realm_name, host_name, domain_name, admin_password, master_password, setup_pkinit=False, pkcs12_info=None, subject_base=None): self.master_password = master_password self.pkcs12_info = pkcs12_info self.subject_base = subject_base + self.setup_pkinit = setup_pkinit self.__common_setup(realm_name, host_name, domain_name, admin_password) @@ -160,10 +165,6 @@ class KrbInstance(service.Service): self.__common_post_setup() - if setup_pkinit: - self.step("installing X509 Certificate for PKINIT", - self.setup_pkinit) - self.start_creation(runtime=30) self.kpasswd = KpasswdInstance() 
@@ -178,14 +179,12 @@ class KrbInstance(service.Service): self.pkcs12_info = pkcs12_info self.subject_base = subject_base self.master_fqdn = master_fqdn + self.setup_pkinit = setup_pkinit self.__common_setup(realm_name, host_name, domain_name, admin_password) self.step("configuring KDC", self.__configure_instance) self.step("adding the password extension to the directory", self.__add_pwd_extop_module) - if setup_pkinit: - self.step("installing X509 Certificate for PKINIT", - self.setup_pkinit) self.__common_post_setup() ``` Yes we have now duplicated member assignment but still better than duplicate logic. Also I have some inline comments. """ See the full comment at https://github.com/freeipa/freeipa/pull/567#issuecomment-285599143 From freeipa-github-notification at redhat.com Fri Mar 10 07:48:45 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 10 Mar 2017 08:48:45 +0100 Subject: [Freeipa-devel] [freeipa PR#567][comment] Configure KDC to use certs after they are deployed In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/567 Title: #567: Configure KDC to use certs after they are deployed martbab commented: """ I think we can avoid the copy-pasta by actually moving PKINIT requesting code into `__common_post_setup` like this: ```diff --- a/ipaserver/install/krbinstance.py +++ b/ipaserver/install/krbinstance.py 
@@ -142,10 +142,15 @@ class KrbInstance(service.Service): self.step("starting the KDC", self.__start_instance) self.step("configuring KDC to start on boot", self.__enable) + if self.setup_pkinit: + self.step("installing X509 Certificate for PKINIT", + self.setup_pkinit) + def create_instance(self, realm_name, host_name, domain_name, admin_password, master_password, setup_pkinit=False, pkcs12_info=None, subject_base=None): self.master_password = master_password self.pkcs12_info = pkcs12_info self.subject_base = subject_base + self.setup_pkinit = setup_pkinit self.__common_setup(realm_name, host_name, domain_name, admin_password) @@ -160,10 +165,6 @@ class KrbInstance(service.Service): self.__common_post_setup() - if setup_pkinit: - self.step("installing X509 Certificate for PKINIT", - self.setup_pkinit) - self.start_creation(runtime=30) self.kpasswd = KpasswdInstance() @@ -178,14 +179,12 @@ class KrbInstance(service.Service): self.pkcs12_info = pkcs12_info self.subject_base = subject_base self.master_fqdn = master_fqdn + self.setup_pkinit = setup_pkinit self.__common_setup(realm_name, host_name, domain_name, admin_password) self.step("configuring KDC", self.__configure_instance) self.step("adding the password extension to the directory", self.__add_pwd_extop_module) - if setup_pkinit: - self.step("installing X509 Certificate for PKINIT", - self.setup_pkinit) self.__common_post_setup() ``` Yes we have now duplicated member assignment but still better than duplicate logic. Also I have some inline comments. """ See the full comment at https://github.com/freeipa/freeipa/pull/567#issuecomment-285599143 From freeipa-github-notification at redhat.com Fri Mar 10 08:12:58 2017 
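Review bot: The new assignment `self.setup_pkinit = setup_pkinit` in the second and third hunks stores the boolean flag under the same name that the step registration passes as its callable, `self.step("installing X509 Certificate for PKINIT", self.setup_pkinit)`. The removed lines tested the local `setup_pkinit` argument and passed `self.setup_pkinit` as the step's method, so with this patch the instance attribute shadows that method and the `if self.setup_pkinit:` block added in the first hunk would register `True` as the step instead of a function. Keep the flag under a separate attribute name (for example a hypothetical `self.config_pkinit`), assign it in both hunks that take the `setup_pkinit` argument, and test that attribute in the first hunk while still passing the method to `self.step`.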
From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 10 Mar 2017 09:12:58 +0100 Subject: [Freeipa-devel] [freeipa PR#463][comment] pylint_plugins: add forbidden import checker In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/463 Title: #463: pylint_plugins: add forbidden import checker martbab commented: """ @MartinBasti any progress in reviewing this PR? """ See the full comment at https://github.com/freeipa/freeipa/pull/463#issuecomment-285605217 From freeipa-github-notification at redhat.com Fri Mar 10 08:16:52 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 10 Mar 2017 09:16:52 +0100 Subject: [Freeipa-devel] [freeipa PR#353][comment] [RFE] Pwdpolicy In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/353 Title: #353: [RFE] Pwdpolicy martbab commented: """ test_kadmin and all other tests also passed. I do not see reason for not pushing. Sorry for the delay in reviewing. """ See the full comment at https://github.com/freeipa/freeipa/pull/353#issuecomment-285605908 From freeipa-github-notification at redhat.com Fri Mar 10 08:16:53 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 10 Mar 2017 09:16:53 +0100 Subject: [Freeipa-devel] [freeipa PR#353][+ack] [RFE] Pwdpolicy In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/353 Title: #353: [RFE] Pwdpolicy Label: +ack From freeipa-github-notification at redhat.com Fri Mar 10 08:17:36 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Fri, 10 Mar 2017 09:17:36 +0100 Subject: [Freeipa-devel] [freeipa PR#463][comment] pylint_plugins: add forbidden import checker In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/463 Title: #463: pylint_plugins: add forbidden import checker HonzaCholasta commented: """ @martbab, I haven't incorporated @MartinBasti's suggestions in yet. """ See the full comment at https://github.com/freeipa/freeipa/pull/463#issuecomment-285606048 From freeipa-github-notification at redhat.com Fri Mar 10 08:17:44 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 10 Mar 2017 09:17:44 +0100 Subject: [Freeipa-devel] [freeipa PR#353][comment] [RFE] Pwdpolicy In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/353 Title: #353: [RFE] Pwdpolicy martbab commented: """ test_kadmin and all other tests also passed. I do not see reason for not pushing. Sorry for the delay in reviewing. """ See the full comment at https://github.com/freeipa/freeipa/pull/353#issuecomment-285605908 From freeipa-github-notification at redhat.com Fri Mar 10 08:17:59 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 10 Mar 2017 09:17:59 +0100 Subject: [Freeipa-devel] [freeipa PR#353][+pushed] [RFE] Pwdpolicy In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/353 Title: #353: [RFE] Pwdpolicy Label: +pushed From freeipa-github-notification at redhat.com Fri Mar 10 08:18:00 2017 
From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 10 Mar 2017 09:18:00 +0100 Subject: [Freeipa-devel] [freeipa PR#353][comment] [RFE] Pwdpolicy In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/353 Title: #353: [RFE] Pwdpolicy martbab commented: """ master: * 9f13b330aaec468a018472dce5fc77131277de94 Add code to retrieve results from multiple bases * 2e5cc369fd8b9d780697a9a286429cc2ca0f448a Add support for searching policies in cn=accounts """ See the full comment at https://github.com/freeipa/freeipa/pull/353#issuecomment-285606111 From freeipa-github-notification at redhat.com Fri Mar 10 08:18:02 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 10 Mar 2017 09:18:02 +0100 Subject: [Freeipa-devel] [freeipa PR#353][closed] [RFE] Pwdpolicy In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/353 Author: simo5 Title: #353: [RFE] Pwdpolicy Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/353/head:pr353 git checkout pr353 From freeipa-github-notification at redhat.com Fri Mar 10 08:23:45 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 10 Mar 2017 09:23:45 +0100 Subject: [Freeipa-devel] [freeipa PR#561][comment] ldap2: fix crash in development mode In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/561 Title: #561: ldap2: fix crash in development mode martbab commented: """ Yes but please split it into a separate patch so that CI-related changes are tracked separately and do not pollute the changes in the code. """ See the full comment at https://github.com/freeipa/freeipa/pull/561#issuecomment-285607215 From freeipa-github-notification at redhat.com Fri Mar 10 08:28:52 2017 
From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 10 Mar 2017 09:28:52 +0100 Subject: [Freeipa-devel] [freeipa PR#414][comment] SPEC: Update SELinux file context of ipa-otpd In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/414 Title: #414: SPEC: Update SELinux file context of ipa-otpd martbab commented: """ @lslebodn CI complains that your changes produce an invalid specfile. Can you please fix this. A better question, is there a demand to have this workaround in the spec file? """ See the full comment at https://github.com/freeipa/freeipa/pull/414#issuecomment-285608179 From freeipa-github-notification at redhat.com Fri Mar 10 08:30:44 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 10 Mar 2017 09:30:44 +0100 Subject: [Freeipa-devel] [freeipa PR#266][comment] ipapython: simplify Env object initialization In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/266 Title: #266: ipapython: simplify Env object initialization martbab commented: """ @stlaz @HonzaCholasta any progress on this PR or should we mark it as postponed and return to it later? """ See the full comment at https://github.com/freeipa/freeipa/pull/266#issuecomment-285608522 From sbose at redhat.com Fri Mar 10 09:12:21 2017 
From: sbose at redhat.com (Sumit Bose) Date: Fri, 10 Mar 2017 10:12:21 +0100 Subject: [Freeipa-devel] [RFC] Smartcard authentication with PKINIT and local authentication Message-ID: <20170310091221.GK9903@p.Speedport_W_724V_Typ_A_05011603_00_011> Hi, with the recent addition of PKINIT support there is now a second method available to Smartcard authentication besides local authentication. I was about to add some sssd.conf option which can control the fallback to local authentication if PKINIT fails. Currently there is only a fallback to local authentication if the backend is offline or if PKINIT is not available because either the client or the server side do not support it. It came to my mind that it might be more flexible to add the fallback scheme to the certificate matching rules discussed earlier on this list. With this it would be possible e.g. to require PKINIT for a set of certificates and allow local authentication to a different set. Do you think this would make sense or is it sufficient an option in sssd.conf which covers all certificates? bye, Sumit From freeipa-github-notification at redhat.com Fri Mar 10 09:23:59 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Fri, 10 Mar 2017 10:23:59 +0100 Subject: [Freeipa-devel] [freeipa PR#266][+postponed] ipapython: simplify Env object initialization In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/266 Title: #266: ipapython: simplify Env object initialization Label: +postponed From freeipa-github-notification at redhat.com Fri Mar 10 09:31:32 2017 
From: freeipa-github-notification at redhat.com (lslebodn) Date: Fri, 10 Mar 2017 10:31:32 +0100 Subject: [Freeipa-devel] [freeipa PR#414][comment] SPEC: Update SELinux file context of ipa-otpd In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/414 Title: #414: SPEC: Update SELinux file context of ipa-otpd lslebodn commented: """ On (10/03/17 00:28), Martin Babinsky wrote: >@lslebodn CI complains that your changes produce an invalid specfile. Can you please fix this. A better question, is there a demand to have this workaround in the spec file? > It could be fixed; but there are more SELinux bugs now. So it is not worth it IMHO. Feel free to close. LS """ See the full comment at https://github.com/freeipa/freeipa/pull/414#issuecomment-285621154 From pvoborni at redhat.com Fri Mar 10 09:34:27 2017 From: pvoborni at redhat.com (Petr Vobornik) Date: Fri, 10 Mar 2017 10:34:27 +0100 Subject: [Freeipa-devel] Samba 4.6.0-2.fc26 is available for trust tests In-Reply-To: <20170310073255.3l4ofsjj2xdceth2@redhat.com> References: <20170310073255.3l4ofsjj2xdceth2@redhat.com> Message-ID: <86a3cda7-b31a-7a34-e23d-42dd0d3dc7d8@redhat.com> On 03/10/2017 08:32 AM, Alexander Bokovoy wrote: > Hi, > > I've submitted Samba 4.6.0-2 to FC26 and rawhide. This build contains > fixes that allow FreeIPA implement trust functionality under gssproxy > privilege separation. You need gssproxy 0.7.0 or later. > > Please test and add karma to > https://bodhi.fedoraproject.org/updates/FEDORA-2017-c5e572f32b > > There is no build for Fedora 25. > f25 build was added to @freeipa/freeipa-master COPR repo -- Petr Vobornik From freeipa-github-notification at redhat.com Fri Mar 10 09:34:37 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Fri, 10 Mar 2017 10:34:37 +0100 Subject: [Freeipa-devel] [freeipa PR#568][opened] cert: include certificate chain in cert command output Message-ID: URL: https://github.com/freeipa/freeipa/pull/568 Author: HonzaCholasta Title: #568: cert: include certificate chain in cert command output Action: opened PR body: """ **cert: add output file option to cert-request** The certificate returned by cert-request can now be saved to a file in the CLI using a new --certificate-out option. **cert: include certificate chain in cert command output** Include the full certificate chain in the output of cert-request, cert-show and cert-find if --chain or --all is specified. If output file is specified in the CLI together with --chain, the full certificate chain is written to the file. https://pagure.io/freeipa/issue/6547 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/568/head:pr568 git checkout pr568 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-568.patch Type: text/x-diff Size: 12252 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 10 09:35:06 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 10 Mar 2017 10:35:06 +0100 Subject: [Freeipa-devel] [freeipa PR#414][+rejected] SPEC: Update SELinux file context of ipa-otpd In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/414 Title: #414: SPEC: Update SELinux file context of ipa-otpd Label: +rejected From freeipa-github-notification at redhat.com Fri Mar 10 09:35:08 2017 
From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 10 Mar 2017 10:35:08 +0100 Subject: [Freeipa-devel] [freeipa PR#414][comment] SPEC: Update SELinux file context of ipa-otpd In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/414 Title: #414: SPEC: Update SELinux file context of ipa-otpd martbab commented: """ I agree with closing this, we will need more substantial policy update """ See the full comment at https://github.com/freeipa/freeipa/pull/414#issuecomment-285621868 From freeipa-github-notification at redhat.com Fri Mar 10 09:35:09 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 10 Mar 2017 10:35:09 +0100 Subject: [Freeipa-devel] [freeipa PR#414][closed] SPEC: Update SELinux file context of ipa-otpd In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/414 Author: lslebodn Title: #414: SPEC: Update SELinux file context of ipa-otpd Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/414/head:pr414 git checkout pr414 From freeipa-github-notification at redhat.com Fri Mar 10 09:42:10 2017 From: freeipa-github-notification at redhat.com (pvoborni) Date: Fri, 10 Mar 2017 10:42:10 +0100 Subject: [Freeipa-devel] [freeipa PR#566][synchronized] webui: do not warn about CAs if there is only one master In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/566 Author: pvoborni Title: #566: webui: do not warn about CAs if there is only one master Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/566/head:pr566 git checkout pr566 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-566.patch Type: text/x-diff Size: 1467 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 10 09:44:23 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Fri, 10 Mar 2017 10:44:23 +0100 Subject: [Freeipa-devel] [freeipa PR#561][synchronized] ldap2: fix crash in development mode In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/561 Author: HonzaCholasta Title: #561: ldap2: fix crash in development mode Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/561/head:pr561 git checkout pr561 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-561.patch Type: text/x-diff Size: 5548 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 10 09:46:27 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Fri, 10 Mar 2017 10:46:27 +0100 Subject: [Freeipa-devel] [freeipa PR#561][comment] ldap2: fix crash in development mode In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/561 Title: #561: ldap2: fix crash in development mode HonzaCholasta commented: """ Turns out unsetting mode in default.conf is not good enough, one has to explicitly set it to "development" to enable development mode, because "production" is the default. Let's see if Travis detects something this time. """ See the full comment at https://github.com/freeipa/freeipa/pull/561#issuecomment-285624395 From abokovoy at redhat.com Fri Mar 10 09:58:25 2017 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 10 Mar 2017 11:58:25 +0200 Subject: [Freeipa-devel] [RFC] Smartcard authentication with PKINIT and local authentication In-Reply-To: <20170310091221.GK9903@p.Speedport_W_724V_Typ_A_05011603_00_011> References: <20170310091221.GK9903@p.Speedport_W_724V_Typ_A_05011603_00_011> Message-ID: <20170310095825.mgtlrd7cxoi5uybi@redhat.com> On pe, 10 maalis 2017, Sumit Bose wrote: >Hi, > >with the recent addition of PKINIT support there is now a second method >available to Smartcard authentication besides local authentication. > >I was about to add some sssd.conf option which can control the fallback >to local authentication if PKINIT fails. Currently there is only a >fallback to local authentication if the backend is offline or if PKINIT >is not available because either the client or the server side do not >support it. > >It came to my mind that it might be more flexible to add the fallback >scheme to the certificate matching rules discussed earlier on this list. >With this it would be possible e.g. to require PKINIT for a set of >certificates and allow local authentication to a different set. > >Do you think this would make sense or is it sufficient an option in >sssd.conf which covers all certificates? Interesting idea. If we were to define it as a part of a certificate matching rule, would we be able to deny using a matching certificate for local authentication in case only PKINIT is allowed? -- / Alexander Bokovoy From sbose at redhat.com Fri Mar 10 10:37:34 2017 
From: sbose at redhat.com (Sumit Bose) Date: Fri, 10 Mar 2017 11:37:34 +0100 Subject: [Freeipa-devel] [RFC] Smartcard authentication with PKINIT and local authentication In-Reply-To: <20170310095825.mgtlrd7cxoi5uybi@redhat.com> References: <20170310091221.GK9903@p.Speedport_W_724V_Typ_A_05011603_00_011> <20170310095825.mgtlrd7cxoi5uybi@redhat.com> Message-ID: <20170310103734.GL9903@p.Speedport_W_724V_Typ_A_05011603_00_011> On Fri, Mar 10, 2017 at 11:58:25AM +0200, Alexander Bokovoy wrote: > On pe, 10 maalis 2017, Sumit Bose wrote: > > Hi, > > > > with the recent addition of PKINIT support there is now a second method > > available to Smartcard authentication besides local authentication. > > > > I was about to add some sssd.conf option which can control the fallback > > to local authentication if PKINIT fails. Currently there is only a > > fallback to local authentication if the backend is offline or if PKINIT > > is not available because either the client or the server side do not > > support it. > > > > It came to my mind that it might be more flexible to add the fallback > > scheme to the certificate matching rules discussed earlier on this list. > > With this it would be possible e.g. to require PKINIT for a set of > > certificates and allow local authentication to a different set. > > > > Do you think this would make sense or is it sufficient an option in > > sssd.conf which covers all certificates? > Interesting idea. If we were to define it as a part of a certificate > matching rule, would we be able to deny using a matching certificate for > local authentication in case only PKINIT is allowed? Yes, SSSD first checks in the backend if PKINIT is available and tries it. If this fails the backend can tell the frontend to try local authentication or fail. bye, Sumit > -- > / Alexander Bokovoy From freeipa-github-notification at redhat.com Fri Mar 10 11:27:09 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 10 Mar 2017 12:27:09 +0100 Subject: [Freeipa-devel] [freeipa PR#566][+ack] webui: do not warn about CAs if there is only one master In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/566 Title: #566: webui: do not warn about CAs if there is only one master Label: +ack From freeipa-github-notification at redhat.com Fri Mar 10 11:29:23 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Fri, 10 Mar 2017 12:29:23 +0100 Subject: [Freeipa-devel] [freeipa PR#463][synchronized] pylint_plugins: add forbidden import checker In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/463 Author: HonzaCholasta Title: #463: pylint_plugins: add forbidden import checker Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/463/head:pr463 git checkout pr463 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-463.patch Type: text/x-diff Size: 14700 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 10 11:30:10 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Fri, 10 Mar 2017 12:30:10 +0100 Subject: [Freeipa-devel] [freeipa PR#463][comment] pylint_plugins: add forbidden import checker In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/463 Title: #463: pylint_plugins: add forbidden import checker HonzaCholasta commented: """ I have now incorporated the suggestions. """ See the full comment at https://github.com/freeipa/freeipa/pull/463#issuecomment-285646604 From freeipa-github-notification at redhat.com Fri Mar 10 11:31:49 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 10 Mar 2017 12:31:49 +0100 Subject: [Freeipa-devel] [freeipa PR#565][comment] permissions: add permissions for reading and modifying external group members In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/565 Title: #565: permissions: add permissions for reading and modifying external group members MartinBasti commented: """ LGTM """ See the full comment at https://github.com/freeipa/freeipa/pull/565#issuecomment-285646883 From freeipa-github-notification at redhat.com Fri Mar 10 11:33:28 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 10 Mar 2017 12:33:28 +0100 Subject: [Freeipa-devel] [freeipa PR#553][synchronized] Add check for removing last KRA server In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/553 Author: stlaz Title: #553: Add check for removing last KRA server Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/553/head:pr553 git checkout pr553 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-553.patch Type: text/x-diff Size: 5879 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 10 11:34:38 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 10 Mar 2017 12:34:38 +0100 Subject: [Freeipa-devel] [freeipa PR#553][comment] Add check for removing last KRA server In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/553 Title: #553: Add check for removing last KRA server stlaz commented: """ Reworked how the beg for a service replication worked. """ See the full comment at https://github.com/freeipa/freeipa/pull/553#issuecomment-285647389 From freeipa-github-notification at redhat.com Fri Mar 10 11:36:17 2017 
From: freeipa-github-notification at redhat.com (dkupka) Date: Fri, 10 Mar 2017 12:36:17 +0100 Subject: [Freeipa-devel] [freeipa PR#511][synchronized] Bump required version of gssproxy to 0.6.2 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/511 Author: dkupka Title: #511: Bump required version of gssproxy to 0.6.2 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/511/head:pr511 git checkout pr511 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-511.patch Type: text/x-diff Size: 788 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 10 11:38:27 2017 From: freeipa-github-notification at redhat.com (dkupka) Date: Fri, 10 Mar 2017 12:38:27 +0100 Subject: [Freeipa-devel] [freeipa PR#511][synchronized] Bump required version of gssproxy to 0.6.2 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/511 Author: dkupka Title: #511: Bump required version of gssproxy to 0.6.2 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/511/head:pr511 git checkout pr511 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-511.patch Type: text/x-diff Size: 808 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 10 11:39:30 2017 
From: freeipa-github-notification at redhat.com (dkupka) Date: Fri, 10 Mar 2017 12:39:30 +0100 Subject: [Freeipa-devel] [freeipa PR#511][edited] Bump required version of gssproxy to 0.7.0 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/511 Author: dkupka Title: #511: Bump required version of gssproxy to 0.7.0 Action: edited Changed field: title Original value: """ Bump required version of gssproxy to 0.6.2 """ From abokovoy at redhat.com Fri Mar 10 11:39:27 2017 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 10 Mar 2017 13:39:27 +0200 Subject: [Freeipa-devel] [RFC] Smartcard authentication with PKINIT and local authentication In-Reply-To: <20170310103734.GL9903@p.Speedport_W_724V_Typ_A_05011603_00_011> References: <20170310091221.GK9903@p.Speedport_W_724V_Typ_A_05011603_00_011> <20170310095825.mgtlrd7cxoi5uybi@redhat.com> <20170310103734.GL9903@p.Speedport_W_724V_Typ_A_05011603_00_011> Message-ID: <20170310113927.snoeyepbpmyc3buo@redhat.com> On pe, 10 maalis 2017, Sumit Bose wrote: >On Fri, Mar 10, 2017 at 11:58:25AM +0200, Alexander Bokovoy wrote: >> On pe, 10 maalis 2017, Sumit Bose wrote: >> > Hi, >> > >> > with the recent addition of PKINIT support there is now a second method >> > available to Smartcard authentication besides local authentication. >> > >> > I was about to add some sssd.conf option which can control the fallback >> > to local authentication if PKINIT fails. Currently there is only a >> > fallback to local authentication if the backend is offline or if PKINIT >> > is not available because either the client or the server side do not >> > support it. >> > >> > It came to my mind that it might be more flexible to add the fallback >> > scheme to the certificate matching rules discussed earlier on this list. >> > With this it would be possible e.g. to require PKINIT for a set of >> > certificates and allow local authentication to a different set. >> > >> > Do you think this would make sense or is it sufficient an option in >> > sssd.conf which covers all certificates? >> Interesting idea. If we were to define it as a part of a certificate >> matching rule, would we be able to deny using a matching certificate for >> local authentication in case only PKINIT is allowed? > >Yes, SSSD first checks in the backend if PKINIT is available and tries >it. If this fails the backend can tell the frontend to try local >authentication or fail. Ok. 
I'd prefer to have this possibility then -- a certificate matching rule including a flag to require PKINIT. -- / Alexander Bokovoy From freeipa-github-notification at redhat.com Fri Mar 10 11:40:52 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 10 Mar 2017 12:40:52 +0100 Subject: [Freeipa-devel] [freeipa PR#546][+pushed] Store session cookie in a ccache option In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/546 Title: #546: Store session cookie in a ccache option Label: +pushed From freeipa-github-notification at redhat.com Fri Mar 10 11:40:53 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 10 Mar 2017 12:40:53 +0100 Subject: [Freeipa-devel] [freeipa PR#546][comment] Store session cookie in a ccache option In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/546 Title: #546: Store session cookie in a ccache option MartinBasti commented: """ master: * 7cab95955539b5f9596dcda5886ea3d9755fb193 Store session cookie in a ccache option """ See the full comment at https://github.com/freeipa/freeipa/pull/546#issuecomment-285648539 From freeipa-github-notification at redhat.com Fri Mar 10 11:40:55 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 10 Mar 2017 12:40:55 +0100 Subject: [Freeipa-devel] [freeipa PR#546][closed] Store session cookie in a ccache option In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/546 Author: simo5 Title: #546: Store session cookie in a ccache option Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/546/head:pr546 git checkout pr546 From freeipa-github-notification at redhat.com Fri Mar 10 11:41:09 2017 
From: freeipa-github-notification at redhat.com (dkupka) Date: Fri, 10 Mar 2017 12:41:09 +0100 Subject: [Freeipa-devel] [freeipa PR#511][comment] Bump required version of gssproxy to 0.7.0 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/511 Title: #511: Bump required version of gssproxy to 0.7.0 dkupka commented: """ @simo5 We already require mod_auth_gssapi >= 1.5.0 https://github.com/freeipa/freeipa/blob/master/freeipa.spec.in#L255 """ See the full comment at https://github.com/freeipa/freeipa/pull/511#issuecomment-285648584 From freeipa-github-notification at redhat.com Fri Mar 10 11:48:34 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 10 Mar 2017 12:48:34 +0100 Subject: [Freeipa-devel] [freeipa PR#566][+pushed] webui: do not warn about CAs if there is only one master In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/566 Title: #566: webui: do not warn about CAs if there is only one master Label: +pushed From freeipa-github-notification at redhat.com Fri Mar 10 11:48:35 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 10 Mar 2017 12:48:35 +0100 Subject: [Freeipa-devel] [freeipa PR#566][closed] webui: do not warn about CAs if there is only one master In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/566 Author: pvoborni Title: #566: webui: do not warn about CAs if there is only one master Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/566/head:pr566 git checkout pr566 From freeipa-github-notification at redhat.com Fri Mar 10 11:48:37 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 10 Mar 2017 12:48:37 +0100 Subject: [Freeipa-devel] [freeipa PR#566][comment] webui: do not warn about CAs if there is only one master In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/566 Title: #566: webui: do not warn about CAs if there is only one master MartinBasti commented: """ master: * 6027a8111fa9ed7a058fb222f4f96b12039deb8b webui: do not warn about CAs if there is only one master """ See the full comment at https://github.com/freeipa/freeipa/pull/566#issuecomment-285649889 From freeipa-github-notification at redhat.com Fri Mar 10 11:51:16 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 10 Mar 2017 12:51:16 +0100 Subject: [Freeipa-devel] [freeipa PR#553][synchronized] Add check for removing last KRA server In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/553 Author: stlaz Title: #553: Add check for removing last KRA server Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/553/head:pr553 git checkout pr553 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-553.patch Type: text/x-diff Size: 5892 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 10 12:01:27 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Fri, 10 Mar 2017 13:01:27 +0100 Subject: [Freeipa-devel] [freeipa PR#561][synchronized] ldap2: fix crash in development mode In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/561 Author: HonzaCholasta Title: #561: ldap2: fix crash in development mode Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/561/head:pr561 git checkout pr561 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-561.patch Type: text/x-diff Size: 5546 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 10 12:04:42 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 10 Mar 2017 13:04:42 +0100 Subject: [Freeipa-devel] [freeipa PR#463][+ack] pylint_plugins: add forbidden import checker In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/463 Title: #463: pylint_plugins: add forbidden import checker Label: +ack From freeipa-github-notification at redhat.com Fri Mar 10 12:05:32 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 10 Mar 2017 13:05:32 +0100 Subject: [Freeipa-devel] [freeipa PR#463][closed] pylint_plugins: add forbidden import checker In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/463 Author: HonzaCholasta Title: #463: pylint_plugins: add forbidden import checker Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/463/head:pr463 git checkout pr463 From freeipa-github-notification at redhat.com Fri Mar 10 12:05:33 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 10 Mar 2017 13:05:33 +0100 Subject: [Freeipa-devel] [freeipa PR#463][comment] pylint_plugins: add forbidden import checker In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/463 Title: #463: pylint_plugins: add forbidden import checker MartinBasti commented: """ master: * 5d489ac5604ca959cfe439c0594b8739073f3cea pylint_plugins: add forbidden import checker """ See the full comment at https://github.com/freeipa/freeipa/pull/463#issuecomment-285652873 From freeipa-github-notification at redhat.com Fri Mar 10 12:05:34 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 10 Mar 2017 13:05:34 +0100 Subject: [Freeipa-devel] [freeipa PR#463][+pushed] pylint_plugins: add forbidden import checker In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/463 Title: #463: pylint_plugins: add forbidden import checker Label: +pushed From sbose at redhat.com Fri Mar 10 12:08:02 2017 
From: sbose at redhat.com (Sumit Bose) Date: Fri, 10 Mar 2017 13:08:02 +0100 Subject: [Freeipa-devel] [RFC] Smartcard authentication with PKINIT and local authentication In-Reply-To: <20170310113927.snoeyepbpmyc3buo@redhat.com> References: <20170310091221.GK9903@p.Speedport_W_724V_Typ_A_05011603_00_011> <20170310095825.mgtlrd7cxoi5uybi@redhat.com> <20170310103734.GL9903@p.Speedport_W_724V_Typ_A_05011603_00_011> <20170310113927.snoeyepbpmyc3buo@redhat.com> Message-ID: <20170310120802.GM9903@p.Speedport_W_724V_Typ_A_05011603_00_011> On Fri, Mar 10, 2017 at 01:39:27PM +0200, Alexander Bokovoy wrote: > On pe, 10 maalis 2017, Sumit Bose wrote: > > On Fri, Mar 10, 2017 at 11:58:25AM +0200, Alexander Bokovoy wrote: > > > On pe, 10 maalis 2017, Sumit Bose wrote: > > > > Hi, > > > > > > > > with the recent addition of PKINIT support there is now a second method > > > > available to Smartcard authentication besides local authentication. > > > > > > > > I was about to add some sssd.conf option which can control the fallback > > > > to local authentication if PKINIT fails. Currently there is only a > > > > fallback to local authentication if the backend is offline or if PKINIT > > > > is not available because either the client or the server side do not > > > > support it. > > > > > > > > It came to my mind that it might be more flexible to add the fallback > > > > scheme to the certificate matching rules discussed earlier on this list. > > > > With this it would be possible e.g. to require PKINIT for a set of > > > > certificates and allow local authentication to a different set. > > > > > > > > Do you think this would make sense or is it sufficient an option in > > > > sssd.conf which covers all certificates? > > > Interesting idea. If we were to define it as a part of a certificate > > > matching rule, would we be able to deny using a matching certificate for > > > local authentication in case only PKINIT is allowed? 
> > > > Yes, SSSD first checks in the backend if PKINIT is available and tries > > it. If this fails the backend can tell the frontend to try local > > authentication or fail. > Ok. I'd prefer to have this possibility then -- a certificate matching > rule including a flag to require PKINIT. I think it should be a bit more than a single flag. - PKINIT and newer fall back to local authentication - PKINIT and fall back to local authentication when offline or PKINIT is not available - PKINIT and fall back in all errors - no PKINIT only local authentication. bye, Sumit > > -- > / Alexander Bokovoy From freeipa-github-notification at redhat.com Fri Mar 10 12:20:27 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 10 Mar 2017 13:20:27 +0100 Subject: [Freeipa-devel] [freeipa PR#511][comment] Bump required version of gssproxy to 0.7.0 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/511 Title: #511: Bump required version of gssproxy to 0.7.0 stlaz commented: """ Is this in RHEL already? If not, it will break upstream-downstreamish tests ? """ See the full comment at https://github.com/freeipa/freeipa/pull/511#issuecomment-285655609 From abokovoy at redhat.com Fri Mar 10 12:25:22 2017 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 10 Mar 2017 14:25:22 +0200 Subject: [Freeipa-devel] [RFC] Smartcard authentication with PKINIT and local authentication In-Reply-To: <20170310120802.GM9903@p.Speedport_W_724V_Typ_A_05011603_00_011> References: <20170310091221.GK9903@p.Speedport_W_724V_Typ_A_05011603_00_011> <20170310095825.mgtlrd7cxoi5uybi@redhat.com> <20170310103734.GL9903@p.Speedport_W_724V_Typ_A_05011603_00_011> <20170310113927.snoeyepbpmyc3buo@redhat.com> <20170310120802.GM9903@p.Speedport_W_724V_Typ_A_05011603_00_011> Message-ID: <20170310122522.3bjjz5jwbajf7qb7@redhat.com> On pe, 10 maalis 2017, Sumit Bose wrote: >On Fri, Mar 10, 2017 at 01:39:27PM +0200, Alexander Bokovoy wrote: >> On pe, 10 maalis 2017, Sumit Bose wrote: >> > On Fri, Mar 10, 2017 at 11:58:25AM +0200, Alexander Bokovoy wrote: >> > > On pe, 10 maalis 2017, Sumit Bose wrote: >> > > > Hi, >> > > > >> > > > with the recent addition of PKINIT support there is now a second method >> > > > available to Smartcard authentication besides local authentication. >> > > > >> > > > I was about to add some sssd.conf option which can control the fallback >> > > > to local authentication if PKINIT fails. Currently there is only a >> > > > fallback to local authentication if the backend is offline or if PKINIT >> > > > is not available because either the client or the server side do not >> > > > support it. >> > > > >> > > > It came to my mind that it might be more flexible to add the fallback >> > > > scheme to the certificate matching rules discussed earlier on this list. >> > > > With this it would be possible e.g. to require PKINIT for a set of >> > > > certificates and allow local authentication to a different set. >> > > > >> > > > Do you think this would make sense or is it sufficient an option in >> > > > sssd.conf which covers all certificates? >> > > Interesting idea. 
If we were to define it as a part of a certificate >> > > matching rule, would we be able to deny using a matching certificate for >> > > local authentication in case only PKINIT is allowed? >> > >> > Yes, SSSD first checks in the backend if PKINIT is available and tries >> > it. If this fails the backend can tell the frontend to try local >> > authentication or fail. >> Ok. I'd prefer to have this possibility then -- a certificate matching >> rule including a flag to require PKINIT. > >I think it should be a bit more than a single flag. > >- PKINIT and newer fall back to local authentication s/newer/never/, I'd guess? >- PKINIT and fall back to local authentication when offline or PKINIT is > not available >- PKINIT and fall back in all errors >- no PKINIT only local authentication. Otherwise looks good. -- / Alexander Bokovoy From freeipa-github-notification at redhat.com Fri Mar 10 12:25:59 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 10 Mar 2017 13:25:59 +0100 Subject: [Freeipa-devel] [freeipa PR#511][comment] Bump required version of gssproxy to 0.7.0 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/511 Title: #511: Bump required version of gssproxy to 0.7.0 MartinBasti commented: """ We need to have our upstream-upstream tests green first, then we can care about upstream-downstream """ See the full comment at https://github.com/freeipa/freeipa/pull/511#issuecomment-285656646 From freeipa-github-notification at redhat.com Fri Mar 10 12:26:47 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 10 Mar 2017 13:26:47 +0100 Subject: [Freeipa-devel] [freeipa PR#511][comment] Bump required version of gssproxy to 0.7.0 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/511 Title: #511: Bump required version of gssproxy to 0.7.0 MartinBasti commented: """ and gssproxy 0.7 is not in RHEL yet """ See the full comment at https://github.com/freeipa/freeipa/pull/511#issuecomment-285656814 From freeipa-github-notification at redhat.com Fri Mar 10 12:36:51 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 10 Mar 2017 13:36:51 +0100 Subject: [Freeipa-devel] [freeipa PR#569][opened] Remove copy-schema-to-ca.py from master branch Message-ID: URL: https://github.com/freeipa/freeipa/pull/569 Author: MartinBasti Title: #569: Remove copy-schema-to-ca.py from master branch Action: opened PR body: """ This script is used only for IPA <3.3, so it must be compatible with ipa-3-3 branch, so it should be placed there https://pagure.io/freeipa/issue/6540 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/569/head:pr569 git checkout pr569 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-569.patch Type: text/x-diff Size: 6664 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 10 12:46:08 2017 
From: freeipa-github-notification at redhat.com (simo5) Date: Fri, 10 Mar 2017 13:46:08 +0100 Subject: [Freeipa-devel] [freeipa PR#567][synchronized] Configure KDC to use certs after they are deployed In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/567 Author: simo5 Title: #567: Configure KDC to use certs after they are deployed Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/567/head:pr567 git checkout pr567 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-567.patch Type: text/x-diff Size: 5118 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 10 12:46:21 2017 From: freeipa-github-notification at redhat.com (simo5) Date: Fri, 10 Mar 2017 13:46:21 +0100 Subject: [Freeipa-devel] [freeipa PR#567][comment] Configure KDC to use certs after they are deployed In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/567 Title: #567: Configure KDC to use certs after they are deployed simo5 commented: """ Should have addressed all concerns in this push """ See the full comment at https://github.com/freeipa/freeipa/pull/567#issuecomment-285660566 From tkrizek at redhat.com Fri Mar 10 12:55:29 2017 
From: tkrizek at redhat.com (Tomas Krizek) Date: Fri, 10 Mar 2017 13:55:29 +0100 Subject: [Freeipa-devel] bind-dyndb-ldap git migration issue [resolved] Message-ID: Hi all, if you noticed some odd notifications about new commits to old bind-dyndb-ldap branches, please ignore them. Today, I managed to accidentally remove all old branches in bind-dyndb-ldap repo. When I pushed some new code to master, the automatic syncing pagure -> github script deleted all the old branches. This was most likely caused by missing branches in the upstream pagure repo that I forgot to push when I migrated. Luckily, I was able to recover all the branches from my local repo, including the dangling commits. Everything should be in order now. Sorry for the notification mess. -- Tomas Krizek PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 473 bytes Desc: OpenPGP digital signature URL: From freeipa-github-notification at redhat.com Fri Mar 10 12:57:31 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 10 Mar 2017 13:57:31 +0100 Subject: [Freeipa-devel] [freeipa PR#569][synchronized] Remove copy-schema-to-ca.py from master branch In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/569 Author: MartinBasti Title: #569: Remove copy-schema-to-ca.py from master branch Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/569/head:pr569 git checkout pr569 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-569.patch Type: text/x-diff Size: 6664 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 10 12:58:10 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 10 Mar 2017 13:58:10 +0100 Subject: [Freeipa-devel] [freeipa PR#569][edited] Remove copy-schema-to-ca.py from master branch In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/569 Author: MartinBasti Title: #569: Remove copy-schema-to-ca.py from master branch Action: edited Changed field: body Original value: """ This script is used only for IPA <3.3, so it must be compatible with ipa-3-3 branch, so it should be placed there https://pagure.io/freeipa/issue/6540 """ From freeipa-github-notification at redhat.com Fri Mar 10 13:12:38 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 10 Mar 2017 14:12:38 +0100 Subject: [Freeipa-devel] [freeipa PR#511][comment] Bump required version of gssproxy to 0.7.0 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/511 Title: #511: Bump required version of gssproxy to 0.7.0 stlaz commented: """ Meh, I'll be damned to eternity then ? """ See the full comment at https://github.com/freeipa/freeipa/pull/511#issuecomment-285665738 From freeipa-github-notification at redhat.com Fri Mar 10 13:12:42 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 10 Mar 2017 14:12:42 +0100 Subject: [Freeipa-devel] [freeipa PR#511][+ack] Bump required version of gssproxy to 0.7.0 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/511 Title: #511: Bump required version of gssproxy to 0.7.0 Label: +ack From freeipa-github-notification at redhat.com Fri Mar 10 13:18:01 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 10 Mar 2017 14:18:01 +0100 Subject: [Freeipa-devel] [freeipa PR#511][+pushed] Bump required version of gssproxy to 0.7.0 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/511 Title: #511: Bump required version of gssproxy to 0.7.0 Label: +pushed From freeipa-github-notification at redhat.com Fri Mar 10 13:18:02 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 10 Mar 2017 14:18:02 +0100 Subject: [Freeipa-devel] [freeipa PR#511][comment] Bump required version of gssproxy to 0.7.0 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/511 Title: #511: Bump required version of gssproxy to 0.7.0 MartinBasti commented: """ master: * c37254e1b124c95d6ea874f6513979ca165fb31d Bump required version of gssproxy to 0.7.0 """ See the full comment at https://github.com/freeipa/freeipa/pull/511#issuecomment-285666734 From freeipa-github-notification at redhat.com Fri Mar 10 13:18:04 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 10 Mar 2017 14:18:04 +0100 Subject: [Freeipa-devel] [freeipa PR#511][closed] Bump required version of gssproxy to 0.7.0 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/511 Author: dkupka Title: #511: Bump required version of gssproxy to 0.7.0 Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/511/head:pr511 git checkout pr511 From freeipa-github-notification at redhat.com Fri Mar 10 13:35:33 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 10 Mar 2017 14:35:33 +0100 Subject: [Freeipa-devel] [freeipa PR#529][comment] installer: update time estimates In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/529 Title: #529: installer: update time estimates stlaz commented: """ Please fix the little issue and we will push this. """ See the full comment at https://github.com/freeipa/freeipa/pull/529#issuecomment-285670167 From freeipa-github-notification at redhat.com Fri Mar 10 13:47:06 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Fri, 10 Mar 2017 14:47:06 +0100 Subject: [Freeipa-devel] [freeipa PR#529][synchronized] installer: update time estimates In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/529 Author: tomaskrizek Title: #529: installer: update time estimates Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/529/head:pr529 git checkout pr529 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-529.patch Type: text/x-diff Size: 6095 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 10 14:08:48 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Fri, 10 Mar 2017 15:08:48 +0100 Subject: [Freeipa-devel] [freeipa PR#561][synchronized] ldap2: fix crash in development mode In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/561 Author: HonzaCholasta Title: #561: ldap2: fix crash in development mode Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/561/head:pr561 git checkout pr561 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-561.patch Type: text/x-diff Size: 6223 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 10 14:26:15 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 10 Mar 2017 15:26:15 +0100 Subject: [Freeipa-devel] [freeipa PR#569][synchronized] Remove copy-schema-to-ca.py from master branch In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/569 Author: MartinBasti Title: #569: Remove copy-schema-to-ca.py from master branch Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/569/head:pr569 git checkout pr569 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-569.patch Type: text/x-diff Size: 11199 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 10 14:28:33 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 10 Mar 2017 15:28:33 +0100 Subject: [Freeipa-devel] [freeipa PR#569][comment] Remove copy-schema-to-ca.py from master branch In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/569 Title: #569: Remove copy-schema-to-ca.py from master branch MartinBasti commented: """ The script doesn't work under ipa-3-0, but it works for RHEL6, so I just put it to contrib/ and marked as RHEL6 """ See the full comment at https://github.com/freeipa/freeipa/pull/569#issuecomment-285682217 From freeipa-github-notification at redhat.com Fri Mar 10 14:29:47 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 10 Mar 2017 15:29:47 +0100 Subject: [Freeipa-devel] [freeipa PR#569][synchronized] Remove copy-schema-to-ca.py from master branch In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/569 Author: MartinBasti Title: #569: Remove copy-schema-to-ca.py from master branch Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/569/head:pr569 git checkout pr569 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-569.patch Type: text/x-diff Size: 11199 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 10 14:30:43 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 10 Mar 2017 15:30:43 +0100 Subject: [Freeipa-devel] [freeipa PR#529][+ack] installer: update time estimates In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/529 Title: #529: installer: update time estimates Label: +ack From freeipa-github-notification at redhat.com Fri Mar 10 14:31:20 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 10 Mar 2017 15:31:20 +0100 Subject: [Freeipa-devel] [freeipa PR#569][synchronized] Remove copy-schema-to-ca.py from master branch In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/569 Author: MartinBasti Title: #569: Remove copy-schema-to-ca.py from master branch Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/569/head:pr569 git checkout pr569 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-569.patch Type: text/x-diff Size: 11229 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 10 14:33:28 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 10 Mar 2017 15:33:28 +0100 Subject: [Freeipa-devel] [freeipa PR#117][comment] Make ipa-replica-install run in interactive mode In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/117 Title: #117: Make ipa-replica-install run in interactive mode stlaz commented: """ I have a WIP patch but since sometimes it's not clear which credentials are used, I am marking this as postponed so that we can wait until the client module can be called properly. """ See the full comment at https://github.com/freeipa/freeipa/pull/117#issuecomment-285683404 From freeipa-github-notification at redhat.com Fri Mar 10 14:33:34 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 10 Mar 2017 15:33:34 +0100 Subject: [Freeipa-devel] [freeipa PR#117][+postponed] Make ipa-replica-install run in interactive mode In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/117 Title: #117: Make ipa-replica-install run in interactive mode Label: +postponed From freeipa-github-notification at redhat.com Fri Mar 10 14:34:37 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 10 Mar 2017 15:34:37 +0100 Subject: [Freeipa-devel] [freeipa PR#569][synchronized] Remove copy-schema-to-ca.py from master branch In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/569 Author: MartinBasti Title: #569: Remove copy-schema-to-ca.py from master branch Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/569/head:pr569 git checkout pr569 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-569.patch Type: text/x-diff Size: 11229 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 10 14:47:04 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 10 Mar 2017 15:47:04 +0100 Subject: [Freeipa-devel] [freeipa PR#529][+pushed] installer: update time estimates In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/529 Title: #529: installer: update time estimates Label: +pushed From freeipa-github-notification at redhat.com Fri Mar 10 14:47:06 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 10 Mar 2017 15:47:06 +0100 Subject: [Freeipa-devel] [freeipa PR#529][comment] installer: update time estimates In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/529 Title: #529: installer: update time estimates MartinBasti commented: """ master: * 09c6b7578046fed0824fc0f0d9040be69c0f0eb6 installer: update time estimates """ See the full comment at https://github.com/freeipa/freeipa/pull/529#issuecomment-285686947 From freeipa-github-notification at redhat.com Fri Mar 10 14:47:07 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 10 Mar 2017 15:47:07 +0100 Subject: [Freeipa-devel] [freeipa PR#529][closed] installer: update time estimates In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/529 Author: tomaskrizek Title: #529: installer: update time estimates Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/529/head:pr529 git checkout pr529 From freeipa-github-notification at redhat.com Fri Mar 10 14:51:17 2017 From: freeipa-github-notification at redhat.com (abbra) Date: Fri, 10 Mar 2017 15:51:17 +0100 Subject: [Freeipa-devel] [freeipa PR#570][opened] ipaserver/dcerpc.py: use arcfour_encrypt from samba Message-ID: URL: https://github.com/freeipa/freeipa/pull/570 Author: abbra Title: #570: ipaserver/dcerpc.py: use arcfour_encrypt from samba Action: opened PR body: """ Samba Python bindings provide samba.arcfour_encrypt(key, data). Instead of implementing own wrapper, use Samba's. In future Samba versions this wrapper will be FIPS 140-2 compatible. Fixes https://pagure.io/freeipa/issue/6697 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/570/head:pr570 git checkout pr570 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-570.patch Type: text/x-diff Size: 1666 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 10 14:59:08 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 10 Mar 2017 15:59:08 +0100 Subject: [Freeipa-devel] [freeipa PR#571][opened] pylint: bump dependency to version >= 1.6 Message-ID: URL: https://github.com/freeipa/freeipa/pull/571 Author: MartinBasti Title: #571: pylint: bump dependency to version >= 1.6 Action: opened PR body: """ Older pylint versions produce false positive errors """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/571/head:pr571 git checkout pr571 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-571.patch Type: text/x-diff Size: 1298 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 10 15:09:30 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 10 Mar 2017 16:09:30 +0100 Subject: [Freeipa-devel] [freeipa PR#543][comment] Add options to allow ticket caching In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/543 Title: #543: Add options to allow ticket caching MartinBasti commented: """ Bump """ See the full comment at https://github.com/freeipa/freeipa/pull/543#issuecomment-285692796 From tkrizek at redhat.com Fri Mar 10 16:13:09 2017 
From: tkrizek at redhat.com (Tomas Krizek)
Date: Fri, 10 Mar 2017 17:13:09 +0100
Subject: [Freeipa-devel] Announcing bind-dyndb-ldap 11.1
Message-ID:

The FreeIPA team is proud to announce bind-dyndb-ldap version 11.1.

It can be downloaded from https://releases.pagure.org/bind-dyndb-ldap/

The new version has also been built for Fedora 26+:
https://bodhi.fedoraproject.org/updates/FEDORA-2017-56aa9caed6

Latest news:

11.1
====
[1] Prevent crash when server is shutting down and LDAP connection is down.
    https://pagure.io/bind-dyndb-ldap/issue/149

== Upgrading ==
A server can be upgraded by installing updated RPM. BIND has to be restarted manually after the RPM installation.

== Known Issues ==
There are the following issues in Fedora 26+:
- 1404409: Using GSSAPI authentication for 389-ds results in an error, simple bind is not affected.

== Pagure migration ==
The bind-dyndb-ldap has been migrated from fedorahosted to https://pagure.io/bind-dyndb-ldap/
The wiki pages are currently not available and will be migrated in the upcoming weeks.

== Feedback ==
Please provide comments, report bugs, and send any other feedback via the freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users

--
Tomas Krizek
PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From freeipa-github-notification at redhat.com Fri Mar 10 17:17:45 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 10 Mar 2017 18:17:45 +0100
Subject: [Freeipa-devel] [freeipa PR#517][comment] [WIP] Use Custodia 0.3 features
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/517
Title: #517: [WIP] Use Custodia 0.3 features

MartinBasti commented:
"""
ipa-server-install failed
```
Mar 10 17:48:54 vm-058-129.abc.idm.lab.eng.brq.redhat.com systemd[1]: Stopping IPA Custodia Service...
Mar 10 17:48:54 vm-058-129.abc.idm.lab.eng.brq.redhat.com systemd[1]: Stopped IPA Custodia Service.
Mar 10 18:10:18 vm-058-129.abc.idm.lab.eng.brq.redhat.com systemd[1]: [/usr/lib/systemd/system/ipa-custodia.service:6] Executable path is not absolute, ignoring: @libexecdir@/ipa/ipa-custodia /etc/ipa/custodia/c
Mar 10 18:10:18 vm-058-129.abc.idm.lab.eng.brq.redhat.com systemd[1]: ipa-custodia.service: Service lacks both ExecStart= and ExecStop= setting. Refusing.
Mar 10 18:16:57 vm-058-129.abc.idm.lab.eng.brq.redhat.com systemd[1]: [/usr/lib/systemd/system/ipa-custodia.service:6] Executable path is not absolute, ignoring: @libexecdir@/ipa/ipa-custodia /etc/ipa/custodia/c
Mar 10 18:16:57 vm-058-129.abc.idm.lab.eng.brq.redhat.com systemd[1]: ipa-custodia.service: Service lacks both ExecStart= and ExecStop= setting. Refusing.
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-285728731

From freeipa-github-notification at redhat.com Sun Mar 12 19:37:11 2017
From: freeipa-github-notification at redhat.com (pvomacka) Date: Sun, 12 Mar 2017 20:37:11 +0100 Subject: [Freeipa-devel] [freeipa PR#559][synchronized] WebUI: Certificate login In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/559 Author: pvomacka Title: #559: WebUI: Certificate login Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/559/head:pr559 git checkout pr559 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-559.patch Type: text/x-diff Size: 12055 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Sun Mar 12 21:54:20 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Sun, 12 Mar 2017 22:54:20 +0100 Subject: [Freeipa-devel] [freeipa PR#139][synchronized] WebUI: Vault Management In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/139 Author: pvomacka Title: #139: WebUI: Vault Management Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/139/head:pr139 git checkout pr139 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-139.patch Type: text/x-diff Size: 89544 bytes Desc: not available URL: From mharmsen at redhat.com Mon Mar 13 05:39:18 2017 
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Sun, 12 Mar 2017 23:39:18 -0600
Subject: [Freeipa-devel] Karma Requests for ldapjdk-4.19-1 and tomcatjss-7.2.0-1
Message-ID: <9e48257a-b76b-c1d3-bb78-538458bad800@redhat.com>

The following updated candidate builds of ldapjdk 4.19 and tomcatjss 7.2.0 were generated:

  * Fedora 25:
      o ldapjdk-4.19-1.fc25
      o tomcatjss-7.2.0-1.fc25
  * Fedora 26:
      o ldapjdk-4.19-1.fc26
      o tomcatjss-7.2.0-1.fc26
  * Fedora 27:
      o ldapjdk-4.19-1.fc27
      o tomcatjss-7.2.0-1.fc27

These builds address the following Bugs and Pagure Issues:

  * Bugzilla Bug #1382856 - ldapjdk fails to parse ldap url with no host:port
  * Bugzilla Bug #1394372 - Rebase ldapjdk to 4.19
  * tomcatjss Pagure Issue #6 - Rebase tomcatjss to 7.2.0 in Fedora 25+

Please provide Karma for the following builds:

  * Fedora 25:
      o https://bodhi.fedoraproject.org/updates/FEDORA-2017-6559356a15 ldapjdk-4.19-1.fc25
      o https://bodhi.fedoraproject.org/updates/FEDORA-2017-39eb143dc7 tomcatjss-7.2.0-1.fc25
  * Fedora 26:
      o https://bodhi.fedoraproject.org/updates/FEDORA-2017-d10f519981 ldapjdk-4.19-1.fc26
      o https://bodhi.fedoraproject.org/updates/FEDORA-2017-a6d36fe632 tomcatjss-7.2.0-1.fc26

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From freeipa-github-notification at redhat.com Mon Mar 13 06:08:13 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Mon, 13 Mar 2017 07:08:13 +0100
Subject: [Freeipa-devel] [freeipa PR#561][comment] ldap2: fix crash in development mode
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/561
Title: #561: ldap2: fix crash in development mode

HonzaCholasta commented:
"""
OK everything is green now.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/561#issuecomment-286022821

From freeipa-github-notification at redhat.com Mon Mar 13 07:30:14 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Mon, 13 Mar 2017 08:30:14 +0100 Subject: [Freeipa-devel] [freeipa PR#550][synchronized] install: fix help In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/550 Author: HonzaCholasta Title: #550: install: fix help Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/550/head:pr550 git checkout pr550 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-550.patch Type: text/x-diff Size: 42091 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Mar 13 07:31:51 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Mon, 13 Mar 2017 08:31:51 +0100 Subject: [Freeipa-devel] [freeipa PR#557][comment] certmap: load certificate from file in certmap-match CLI In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/557 Title: #557: certmap: load certificate from file in certmap-match CLI HonzaCholasta commented: """ @flo-renaud, is there anything else or is the PR good to push? """ See the full comment at https://github.com/freeipa/freeipa/pull/557#issuecomment-286033581 From freeipa-github-notification at redhat.com Mon Mar 13 07:50:29 2017 
From: freeipa-github-notification at redhat.com (flo-renaud) Date: Mon, 13 Mar 2017 08:50:29 +0100 Subject: [Freeipa-devel] [freeipa PR#557][comment] certmap: load certificate from file in certmap-match CLI In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/557 Title: #557: certmap: load certificate from file in certmap-match CLI flo-renaud commented: """ @HonzaCholasta Sorry, I forgot to ACK. You can push the PR. For the record, Issue [6746](https://pagure.io/freeipa/issue/6746) has been opened for the framework issue. """ See the full comment at https://github.com/freeipa/freeipa/pull/557#issuecomment-286036301 From freeipa-github-notification at redhat.com Mon Mar 13 07:50:39 2017 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Mon, 13 Mar 2017 08:50:39 +0100 Subject: [Freeipa-devel] [freeipa PR#557][+ack] certmap: load certificate from file in certmap-match CLI In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/557 Title: #557: certmap: load certificate from file in certmap-match CLI Label: +ack From freeipa-github-notification at redhat.com Mon Mar 13 07:57:04 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Mon, 13 Mar 2017 08:57:04 +0100 Subject: [Freeipa-devel] [freeipa PR#550][synchronized] install: fix help In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/550 Author: HonzaCholasta Title: #550: install: fix help Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/550/head:pr550 git checkout pr550 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-550.patch Type: text/x-diff Size: 42166 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Mar 13 07:58:21 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Mon, 13 Mar 2017 08:58:21 +0100 Subject: [Freeipa-devel] [freeipa PR#557][+pushed] certmap: load certificate from file in certmap-match CLI In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/557 Title: #557: certmap: load certificate from file in certmap-match CLI Label: +pushed From freeipa-github-notification at redhat.com Mon Mar 13 07:58:22 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Mon, 13 Mar 2017 08:58:22 +0100 Subject: [Freeipa-devel] [freeipa PR#557][comment] certmap: load certificate from file in certmap-match CLI In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/557 Title: #557: certmap: load certificate from file in certmap-match CLI HonzaCholasta commented: """ master: * 0298ecf441ba38858d7909b8c3b4cc2b4c4e53c4 certmap: load certificate from file in certmap-match CLI """ See the full comment at https://github.com/freeipa/freeipa/pull/557#issuecomment-286037607 From freeipa-github-notification at redhat.com Mon Mar 13 07:58:24 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Mon, 13 Mar 2017 08:58:24 +0100 Subject: [Freeipa-devel] [freeipa PR#557][closed] certmap: load certificate from file in certmap-match CLI In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/557 Author: HonzaCholasta Title: #557: certmap: load certificate from file in certmap-match CLI Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/557/head:pr557 git checkout pr557 From freeipa-github-notification at redhat.com Mon Mar 13 09:11:45 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 13 Mar 2017 10:11:45 +0100 Subject: [Freeipa-devel] [freeipa PR#550][comment] install: fix help In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/550 Title: #550: install: fix help stlaz commented: """ Works like a charm, ACK. """ See the full comment at https://github.com/freeipa/freeipa/pull/550#issuecomment-286051511 From freeipa-github-notification at redhat.com Mon Mar 13 09:11:56 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 13 Mar 2017 10:11:56 +0100 Subject: [Freeipa-devel] [freeipa PR#550][+ack] install: fix help In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/550 Title: #550: install: fix help Label: +ack From freeipa-github-notification at redhat.com Mon Mar 13 09:13:13 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 13 Mar 2017 10:13:13 +0100 Subject: [Freeipa-devel] [freeipa PR#550][+pushed] install: fix help In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/550 Title: #550: install: fix help Label: +pushed From freeipa-github-notification at redhat.com Mon Mar 13 09:13:15 2017 
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Mon, 13 Mar 2017 10:13:15 +0100
Subject: [Freeipa-devel] [freeipa PR#550][comment] install: fix help
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/550
Title: #550: install: fix help

MartinBasti commented:
"""
master:

* 00f49dd7bbf277757902c94990d33758fec56b23 server install: remove duplicate -w option
* 5efa55c88d73d9f5db77df4be9fedf03f9b323d1 install: add missing space in realm_name description
* 94f362d7b0b6c838752eb2f6674149e96d3ae95b server install: remove duplicate knob definitions
* 1cfe06c79eb0b98a0f4bd663165156596b59e85f client install: split off SSSD options into a separate class
* 774d8d0a5dc0ac175ab0cecc76001632c2a79744 install CLI: remove magic option groups
* 2fc9feddd02bb17c3a9eb7efde83277fcf93252c install: re-introduce option groups
"""

See the full comment at https://github.com/freeipa/freeipa/pull/550#issuecomment-286051845

From freeipa-github-notification at redhat.com Mon Mar 13 09:13:16 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Mon, 13 Mar 2017 10:13:16 +0100
Subject: [Freeipa-devel] [freeipa PR#550][closed] install: fix help
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/550
Author: HonzaCholasta
Title: #550: install: fix help
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/550/head:pr550
git checkout pr550

From freeipa-github-notification at redhat.com Mon Mar 13 09:25:34 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Mon, 13 Mar 2017 10:25:34 +0100 Subject: [Freeipa-devel] [freeipa PR#572][opened] rpc: fix crash in verbose mode Message-ID: URL: https://github.com/freeipa/freeipa/pull/572 Author: HonzaCholasta Title: #572: rpc: fix crash in verbose mode Action: opened PR body: """ Fix a crash caused by feeding incorrect data to `json.dumps()` in `JSONServerProxy.__request()` introduced by commit 8159c2883bf66980582d1227c364df4e592bdd7e. https://pagure.io/freeipa/issue/6655 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/572/head:pr572 git checkout pr572 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-572.patch Type: text/x-diff Size: 1276 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Mar 13 09:34:17 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 13 Mar 2017 10:34:17 +0100 Subject: [Freeipa-devel] [freeipa PR#572][comment] rpc: fix crash in verbose mode In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/572 Title: #572: rpc: fix crash in verbose mode stlaz commented: """ Does this fix https://pagure.io/freeipa/issue/6734? """ See the full comment at https://github.com/freeipa/freeipa/pull/572#issuecomment-286056640 From freeipa-github-notification at redhat.com Mon Mar 13 09:41:01 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Mon, 13 Mar 2017 10:41:01 +0100 Subject: [Freeipa-devel] [freeipa PR#572][comment] rpc: fix crash in verbose mode In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/572 Title: #572: rpc: fix crash in verbose mode HonzaCholasta commented: """ Yes. """ See the full comment at https://github.com/freeipa/freeipa/pull/572#issuecomment-286058220 From freeipa-github-notification at redhat.com Mon Mar 13 09:41:22 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Mon, 13 Mar 2017 10:41:22 +0100 Subject: [Freeipa-devel] [freeipa PR#572][synchronized] rpc: fix crash in verbose mode In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/572 Author: HonzaCholasta Title: #572: rpc: fix crash in verbose mode Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/572/head:pr572 git checkout pr572 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-572.patch Type: text/x-diff Size: 1276 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Mar 13 10:57:39 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 13 Mar 2017 11:57:39 +0100 Subject: [Freeipa-devel] [freeipa PR#556][+ack] Don't allow standalone KRA uninstalls In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/556 Title: #556: Don't allow standalone KRA uninstalls Label: +ack From freeipa-github-notification at redhat.com Mon Mar 13 10:57:49 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 13 Mar 2017 11:57:49 +0100 Subject: [Freeipa-devel] [freeipa PR#553][+ack] Add check for removing last KRA server In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/553 Title: #553: Add check for removing last KRA server Label: +ack From freeipa-github-notification at redhat.com Mon Mar 13 11:05:58 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 13 Mar 2017 12:05:58 +0100 Subject: [Freeipa-devel] [freeipa PR#476][comment] vault: cache the transport certificate on client In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/476 Title: #476: vault: cache the transport certificate on client MartinBasti commented: """ Works for me """ See the full comment at https://github.com/freeipa/freeipa/pull/476#issuecomment-286077394 From freeipa-github-notification at redhat.com Mon Mar 13 11:06:06 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 13 Mar 2017 12:06:06 +0100 Subject: [Freeipa-devel] [freeipa PR#476][+ack] vault: cache the transport certificate on client In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/476 Title: #476: vault: cache the transport certificate on client Label: +ack From freeipa-github-notification at redhat.com Mon Mar 13 11:11:06 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Mon, 13 Mar 2017 12:11:06 +0100 Subject: [Freeipa-devel] [freeipa PR#561][+ack] ldap2: fix crash in development mode In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/561 Title: #561: ldap2: fix crash in development mode Label: +ack From freeipa-github-notification at redhat.com Mon Mar 13 11:13:50 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Mon, 13 Mar 2017 12:13:50 +0100 Subject: [Freeipa-devel] [freeipa PR#568][synchronized] cert: include certificate chain in cert command output In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/568 Author: HonzaCholasta Title: #568: cert: include certificate chain in cert command output Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/568/head:pr568 git checkout pr568 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-568.patch Type: text/x-diff Size: 12581 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Mar 13 11:48:49 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Mon, 13 Mar 2017 12:48:49 +0100 Subject: [Freeipa-devel] [freeipa PR#568][synchronized] cert: include certificate chain in cert command output In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/568 Author: HonzaCholasta Title: #568: cert: include certificate chain in cert command output Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/568/head:pr568 git checkout pr568 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-568.patch Type: text/x-diff Size: 12936 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Mar 13 12:13:47 2017 
From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 13 Mar 2017 13:13:47 +0100 Subject: [Freeipa-devel] [freeipa PR#573][opened] Provide centralized management of user short name resolution Message-ID: URL: https://github.com/freeipa/freeipa/pull/573 Author: martbab Title: #573: Provide centralized management of user short name resolution Action: opened PR body: """ This PR implements an initial version of AD user short name resolution infrastructure consumable by SSSD.[1] Most of the stuff described in the design page[2] is in place except for hooks that would refresh the domain resolution orders after trust domain removal or disablement. I would like to do them in a separate PR. Also some edge cases like specifying only separator (':') or an empty domain ('dom1::dom2') have no special treatment, the current code will just complain about empty DNS labels. Should I improve this behavior? [1] https://pagure.io/freeipa/issue/6372 [2] https://www.freeipa.org/page/V4/AD_User_Short_Names """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/573/head:pr573 git checkout pr573 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-573.patch Type: text/x-diff Size: 25895 bytes Desc: not available URL: From bind-dyndb-ldap-github-notification at redhat.com Mon Mar 13 12:26:20 2017 
From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Mon, 13 Mar 2017 13:26:20 +0100 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#10][opened] spec: fix sed error and re-sync with fedora Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/10 Author: tomaskrizek Title: #10: spec: fix sed error and re-sync with fedora Action: opened PR body: """ """ To pull the PR as Git branch: git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap git fetch ghbind-dyndb-ldap pull/10/head:pr10 git checkout pr10 -------------- next part -------------- A non-text attachment was scrubbed... Name: bind-dyndb-ldap-pr-10.patch Type: text/x-diff Size: 3996 bytes Desc: not available URL: From bind-dyndb-ldap-github-notification at redhat.com Mon Mar 13 12:31:06 2017 From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Mon, 13 Mar 2017 13:31:06 +0100 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#10][synchronized] spec: fix sed error and re-sync with fedora In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/10 Author: tomaskrizek Title: #10: spec: fix sed error and re-sync with fedora Action: synchronized To pull the PR as Git branch: git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap git fetch ghbind-dyndb-ldap pull/10/head:pr10 git checkout pr10 -------------- next part -------------- A non-text attachment was scrubbed... Name: bind-dyndb-ldap-pr-10.patch Type: text/x-diff Size: 4338 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Mar 13 12:33:09 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 13 Mar 2017 13:33:09 +0100 Subject: [Freeipa-devel] [freeipa PR#573][comment] Provide centralized management of user short name resolution In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/573 Title: #573: Provide centralized management of user short name resolution MartinBasti commented: """ ACIs? AFAIK SSSD should be able to read this """ See the full comment at https://github.com/freeipa/freeipa/pull/573#issuecomment-286094363 From freeipa-github-notification at redhat.com Mon Mar 13 12:39:38 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Mon, 13 Mar 2017 13:39:38 +0100 Subject: [Freeipa-devel] [freeipa PR#573][comment] Provide centralized management of user short name resolution In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/573 Title: #573: Provide centralized management of user short name resolution HonzaCholasta commented: """ I would rather avoid the refactoring in 4.5 - this is fragile code you are touching and I'm afraid it might break in some cases (think different client / server version combinations, thin client vs fat client, etc.). As for the edge case values, IMO we should allow `:` without complaining as a special case to support "no domains in the list" configuration, and otherwise require known domain names (like in `certmaprule-add`). """ See the full comment at https://github.com/freeipa/freeipa/pull/573#issuecomment-286095738 From freeipa-github-notification at redhat.com Mon Mar 13 12:44:13 2017 
From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 13 Mar 2017 13:44:13 +0100 Subject: [Freeipa-devel] [freeipa PR#573][synchronized] Provide centralized management of user short name resolution In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/573 Author: martbab Title: #573: Provide centralized management of user short name resolution Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/573/head:pr573 git checkout pr573 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-573.patch Type: text/x-diff Size: 26817 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Mar 13 12:44:48 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 13 Mar 2017 13:44:48 +0100 Subject: [Freeipa-devel] [freeipa PR#573][comment] Provide centralized management of user short name resolution In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/573 Title: #573: Provide centralized management of user short name resolution martbab commented: """ Updated PR, added ACIs and fixed Py2/Py3 compatibility of doctests. """ See the full comment at https://github.com/freeipa/freeipa/pull/573#issuecomment-286096789 From freeipa-github-notification at redhat.com Mon Mar 13 12:50:24 2017 
From: freeipa-github-notification at redhat.com (abbra) Date: Mon, 13 Mar 2017 13:50:24 +0100 Subject: [Freeipa-devel] [freeipa PR#573][comment] Provide centralized management of user short name resolution In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/573 Title: #573: Provide centralized management of user short name resolution abbra commented: """ I don't see ACI.txt regenerated. """ See the full comment at https://github.com/freeipa/freeipa/pull/573#issuecomment-286097962 From freeipa-github-notification at redhat.com Mon Mar 13 13:45:35 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 13 Mar 2017 14:45:35 +0100 Subject: [Freeipa-devel] [freeipa PR#574][opened] ipa-replica-prepare fix Message-ID: URL: https://github.com/freeipa/freeipa/pull/574 Author: stlaz Title: #574: ipa-replica-prepare fix Action: opened PR body: """ A regression was introduced in https://github.com/freeipa/freeipa/commit/0a54fac02cecad3b9e3bf8ad0c8a44df3b701857. Fix + don't fail if either file was not created during server-cert creation. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/574/head:pr574 git checkout pr574 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-574.patch Type: text/x-diff Size: 2317 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Mar 13 13:46:48 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 13 Mar 2017 14:46:48 +0100 Subject: [Freeipa-devel] [freeipa PR#574][synchronized] ipa-replica-prepare fix In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/574 Author: stlaz Title: #574: ipa-replica-prepare fix Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/574/head:pr574 git checkout pr574 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-574.patch Type: text/x-diff Size: 2321 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Mar 13 14:25:48 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 13 Mar 2017 15:25:48 +0100 Subject: [Freeipa-devel] [freeipa PR#574][synchronized] ipa-replica-prepare fix In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/574 Author: stlaz Title: #574: ipa-replica-prepare fix Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/574/head:pr574 git checkout pr574 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-574.patch Type: text/x-diff Size: 2319 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Mar 13 14:34:01 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 13 Mar 2017 15:34:01 +0100 Subject: [Freeipa-devel] [freeipa PR#572][comment] rpc: fix crash in verbose mode In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/572 Title: #572: rpc: fix crash in verbose mode stlaz commented: """ Works for me. """ See the full comment at https://github.com/freeipa/freeipa/pull/572#issuecomment-286125002 From freeipa-github-notification at redhat.com Mon Mar 13 14:34:06 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 13 Mar 2017 15:34:06 +0100 Subject: [Freeipa-devel] [freeipa PR#572][+ack] rpc: fix crash in verbose mode In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/572 Title: #572: rpc: fix crash in verbose mode Label: +ack From freeipa-github-notification at redhat.com Mon Mar 13 14:42:58 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 13 Mar 2017 15:42:58 +0100 Subject: [Freeipa-devel] [freeipa PR#571][+ack] pylint: bump dependency to version >= 1.6 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/571 Title: #571: pylint: bump dependency to version >= 1.6 Label: +ack From freeipa-github-notification at redhat.com Mon Mar 13 14:45:53 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 13 Mar 2017 15:45:53 +0100 Subject: [Freeipa-devel] [freeipa PR#572][comment] rpc: fix crash in verbose mode In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/572 Title: #572: rpc: fix crash in verbose mode MartinBasti commented: """ master: * 8295848bfec6f96410ab8383107fdaf565f02974 rpc: fix crash in verbose mode """ See the full comment at https://github.com/freeipa/freeipa/pull/572#issuecomment-286128713 From freeipa-github-notification at redhat.com Mon Mar 13 14:46:00 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 13 Mar 2017 15:46:00 +0100 Subject: [Freeipa-devel] [freeipa PR#572][+pushed] rpc: fix crash in verbose mode In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/572 Title: #572: rpc: fix crash in verbose mode Label: +pushed From freeipa-github-notification at redhat.com Mon Mar 13 14:46:07 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 13 Mar 2017 15:46:07 +0100 Subject: [Freeipa-devel] [freeipa PR#572][closed] rpc: fix crash in verbose mode In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/572 Author: HonzaCholasta Title: #572: rpc: fix crash in verbose mode Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/572/head:pr572 git checkout pr572 From freeipa-github-notification at redhat.com Mon Mar 13 14:50:04 2017 From: freeipa-github-notification at redhat.com (sumit-bose) Date: Mon, 13 Mar 2017 15:50:04 +0100 Subject: [Freeipa-devel] [freeipa PR#575][opened] IPA certauth plugin Message-ID: URL: https://github.com/freeipa/freeipa/pull/575 Author: sumit-bose Title: #575: IPA certauth plugin Action: opened PR body: """ This patch adds a certauth plugin which allows the IPA server to support PKINIT for certificates which do not include a special SAN extension which contains a Kerberos principal but allow other mappings with the help of SSSD's certmap library. Related to https://pagure.io/freeipa/issue/4905 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/575/head:pr575 git checkout pr575 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-575.patch Type: text/x-diff Size: 26121 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Mar 13 15:02:42 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 13 Mar 2017 16:02:42 +0100 Subject: [Freeipa-devel] [freeipa PR#476][+pushed] vault: cache the transport certificate on client In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/476 Title: #476: vault: cache the transport certificate on client Label: +pushed From freeipa-github-notification at redhat.com Mon Mar 13 15:02:43 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 13 Mar 2017 16:02:43 +0100 Subject: [Freeipa-devel] [freeipa PR#476][comment] vault: cache the transport certificate on client In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/476 Title: #476: vault: cache the transport certificate on client MartinBasti commented: """ master: * 98bb5397c535e5e1a6c5ade9f0fb918be1d282c3 vault: cache the transport certificate on client """ See the full comment at https://github.com/freeipa/freeipa/pull/476#issuecomment-286134100 From freeipa-github-notification at redhat.com Mon Mar 13 15:02:45 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 13 Mar 2017 16:02:45 +0100 Subject: [Freeipa-devel] [freeipa PR#476][closed] vault: cache the transport certificate on client In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/476 Author: HonzaCholasta Title: #476: vault: cache the transport certificate on client Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/476/head:pr476 git checkout pr476 From freeipa-github-notification at redhat.com Mon Mar 13 15:05:54 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 13 Mar 2017 16:05:54 +0100 Subject: [Freeipa-devel] [freeipa PR#571][+pushed] pylint: bump dependency to version >= 1.6 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/571 Title: #571: pylint: bump dependency to version >= 1.6 Label: +pushed From freeipa-github-notification at redhat.com Mon Mar 13 15:05:56 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 13 Mar 2017 16:05:56 +0100 Subject: [Freeipa-devel] [freeipa PR#571][comment] pylint: bump dependency to version >= 1.6 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/571 Title: #571: pylint: bump dependency to version >= 1.6 MartinBasti commented: """ master: * 4514ec150586fb43fa66566cce8a69b3ac15b86c pylint: bump dependency to version >= 1.6 """ See the full comment at https://github.com/freeipa/freeipa/pull/571#issuecomment-286135137 From freeipa-github-notification at redhat.com Mon Mar 13 15:05:57 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 13 Mar 2017 16:05:57 +0100 Subject: [Freeipa-devel] [freeipa PR#571][closed] pylint: bump dependency to version >= 1.6 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/571 Author: MartinBasti Title: #571: pylint: bump dependency to version >= 1.6 Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/571/head:pr571 git checkout pr571 From freeipa-github-notification at redhat.com Mon Mar 13 15:07:06 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 13 Mar 2017 16:07:06 +0100 Subject: [Freeipa-devel] [freeipa PR#561][+pushed] ldap2: fix crash in development mode In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/561 Title: #561: ldap2: fix crash in development mode Label: +pushed From freeipa-github-notification at redhat.com Mon Mar 13 15:07:07 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 13 Mar 2017 16:07:07 +0100 Subject: [Freeipa-devel] [freeipa PR#561][comment] ldap2: fix crash in development mode In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/561 Title: #561: ldap2: fix crash in development mode MartinBasti commented: """ master: * 8fdd7a9ffc263c1198afa5479cda41d319f11d91 backend plugins: fix crashes in development mode * fe4489ede2b40902fb7d734d04a1f997c6df86fb Travis CI: run tests in development mode """ See the full comment at https://github.com/freeipa/freeipa/pull/561#issuecomment-286135528 From freeipa-github-notification at redhat.com Mon Mar 13 15:07:09 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 13 Mar 2017 16:07:09 +0100 Subject: [Freeipa-devel] [freeipa PR#561][closed] ldap2: fix crash in development mode In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/561 Author: HonzaCholasta Title: #561: ldap2: fix crash in development mode Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/561/head:pr561 git checkout pr561 From freeipa-github-notification at redhat.com Mon Mar 13 15:11:09 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 13 Mar 2017 16:11:09 +0100 Subject: [Freeipa-devel] [freeipa PR#553][+pushed] Add check for removing last KRA server In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/553 Title: #553: Add check for removing last KRA server Label: +pushed From freeipa-github-notification at redhat.com Mon Mar 13 15:11:11 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 13 Mar 2017 16:11:11 +0100 Subject: [Freeipa-devel] [freeipa PR#553][comment] Add check for removing last KRA server In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/553 Title: #553: Add check for removing last KRA server MartinBasti commented: """ master: * 670f8fb1db109ec2c9ab7e5d2189325988220b23 Add check to prevent removal of last KRA * 1e8db4b5c7a55dac0008ad9b9bf5802ba30e8c2a Add message about last KRA to WebUI Topology view """ See the full comment at https://github.com/freeipa/freeipa/pull/553#issuecomment-286136808 From freeipa-github-notification at redhat.com Mon Mar 13 15:11:12 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 13 Mar 2017 16:11:12 +0100 Subject: [Freeipa-devel] [freeipa PR#553][closed] Add check for removing last KRA server In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/553 Author: stlaz Title: #553: Add check for removing last KRA server Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/553/head:pr553 git checkout pr553 From freeipa-github-notification at redhat.com Mon Mar 13 15:12:02 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 13 Mar 2017 16:12:02 +0100 Subject: [Freeipa-devel] [freeipa PR#556][comment] Don't allow standalone KRA uninstalls In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/556 Title: #556: Don't allow standalone KRA uninstalls MartinBasti commented: """ needs rebase """ See the full comment at https://github.com/freeipa/freeipa/pull/556#issuecomment-286137069 From freeipa-github-notification at redhat.com Mon Mar 13 15:12:31 2017 
From: freeipa-github-notification at redhat.com (sumit-bose) Date: Mon, 13 Mar 2017 16:12:31 +0100 Subject: [Freeipa-devel] [freeipa PR#575][comment] IPA certauth plugin In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/575 Title: #575: IPA certauth plugin sumit-bose commented: """ This patch depends on https://github.com/SSSD/sssd/pull/192 (SSSD's certmap library) and https://github.com/krb5/krb5/pull/610 (MIT Kerberos certauth plugin support) """ See the full comment at https://github.com/freeipa/freeipa/pull/575#issuecomment-286137210 From freeipa-github-notification at redhat.com Mon Mar 13 15:20:22 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 13 Mar 2017 16:20:22 +0100 Subject: [Freeipa-devel] [freeipa PR#556][synchronized] Don't allow standalone KRA uninstalls In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/556 Author: stlaz Title: #556: Don't allow standalone KRA uninstalls Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/556/head:pr556 git checkout pr556 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-556.patch Type: text/x-diff Size: 9452 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Mar 13 15:20:38 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 13 Mar 2017 16:20:38 +0100 Subject: [Freeipa-devel] [freeipa PR#556][comment] Don't allow standalone KRA uninstalls In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/556 Title: #556: Don't allow standalone KRA uninstalls stlaz commented: """ Rebased. """ See the full comment at https://github.com/freeipa/freeipa/pull/556#issuecomment-286139764 From freeipa-github-notification at redhat.com Mon Mar 13 15:27:49 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 13 Mar 2017 16:27:49 +0100 Subject: [Freeipa-devel] [freeipa PR#556][+pushed] Don't allow standalone KRA uninstalls In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/556 Title: #556: Don't allow standalone KRA uninstalls Label: +pushed From freeipa-github-notification at redhat.com Mon Mar 13 15:27:50 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 13 Mar 2017 16:27:50 +0100 Subject: [Freeipa-devel] [freeipa PR#556][comment] Don't allow standalone KRA uninstalls In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/556 Title: #556: Don't allow standalone KRA uninstalls MartinBasti commented: """ master: * 5d3a0e6758866239c886e998a6d89c5a4b150184 Don't allow standalone KRA uninstalls """ See the full comment at https://github.com/freeipa/freeipa/pull/556#issuecomment-286142058 From freeipa-github-notification at redhat.com Mon Mar 13 15:27:52 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 13 Mar 2017 16:27:52 +0100 Subject: [Freeipa-devel] [freeipa PR#556][closed] Don't allow standalone KRA uninstalls In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/556 Author: stlaz Title: #556: Don't allow standalone KRA uninstalls Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/556/head:pr556 git checkout pr556 From freeipa-github-notification at redhat.com Mon Mar 13 16:01:40 2017 
From: freeipa-github-notification at redhat.com (flo-renaud) Date: Mon, 13 Mar 2017 17:01:40 +0100 Subject: [Freeipa-devel] [freeipa PR#576][opened] Installation must publish CA cert in /usr/share/ipa/html/ca.crt Message-ID: URL: https://github.com/freeipa/freeipa/pull/576 Author: flo-renaud Title: #576: Installation must publish CA cert in /usr/share/ipa/html/ca.crt Action: opened PR body: """ Regression introduced with commit d124e30. ipa-server-install and ipa-replica-install must publish the CA cert in /usr/share/ipa/html/ca.crt, otherwise the web page http://ipaserver.ipadomain.com/ipa/config/ssbrowser.html has a link to http://ipaserver.ipadomain.com/ipa/config/ca.crt but this file is missing. https://pagure.io/freeipa/issue/6750 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/576/head:pr576 git checkout pr576 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-576.patch Type: text/x-diff Size: 1969 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Mar 13 16:27:03 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 13 Mar 2017 17:27:03 +0100 Subject: [Freeipa-devel] [freeipa PR#570][+ack] ipaserver/dcerpc.py: use arcfour_encrypt from samba In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/570 Title: #570: ipaserver/dcerpc.py: use arcfour_encrypt from samba Label: +ack From freeipa-github-notification at redhat.com Mon Mar 13 16:28:07 2017 
From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 13 Mar 2017 17:28:07 +0100 Subject: [Freeipa-devel] [freeipa PR#570][comment] ipaserver/dcerpc.py: use arcfour_encrypt from samba In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/570 Title: #570: ipaserver/dcerpc.py: use arcfour_encrypt from samba martbab commented: """ master: * 7657754e02a5fa62265327937a6c7fd19b381610 ipaserver/dcerpc.py: use arcfour_encrypt from samba """ See the full comment at https://github.com/freeipa/freeipa/pull/570#issuecomment-286161752 From freeipa-github-notification at redhat.com Mon Mar 13 16:28:09 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 13 Mar 2017 17:28:09 +0100 Subject: [Freeipa-devel] [freeipa PR#570][+pushed] ipaserver/dcerpc.py: use arcfour_encrypt from samba In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/570 Title: #570: ipaserver/dcerpc.py: use arcfour_encrypt from samba Label: +pushed From freeipa-github-notification at redhat.com Mon Mar 13 16:43:37 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 13 Mar 2017 17:43:37 +0100 Subject: [Freeipa-devel] [freeipa PR#576][+ack] Installation must publish CA cert in /usr/share/ipa/html/ca.crt In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/576 Title: #576: Installation must publish CA cert in /usr/share/ipa/html/ca.crt Label: +ack From freeipa-github-notification at redhat.com Mon Mar 13 16:48:41 2017 
From: freeipa-github-notification at redhat.com (pvomacka) Date: Mon, 13 Mar 2017 17:48:41 +0100 Subject: [Freeipa-devel] [freeipa PR#577][opened] WebUI: Add support for AD users short name resolution Message-ID: URL: https://github.com/freeipa/freeipa/pull/577 Author: pvomacka Title: #577: WebUI: Add support for AD users short name resolution Action: opened PR body: """ https://pagure.io/freeipa/issue/6372 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/577/head:pr577 git checkout pr577 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-577.patch Type: text/x-diff Size: 2355 bytes Desc: not available URL: From bind-dyndb-ldap-github-notification at redhat.com Mon Mar 13 16:50:35 2017 From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Mon, 13 Mar 2017 17:50:35 +0100 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#10][+ack] spec: fix sed error and re-sync with fedora In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/10 Title: #10: spec: fix sed error and re-sync with fedora Label: +ack From freeipa-github-notification at redhat.com Mon Mar 13 16:51:07 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 13 Mar 2017 17:51:07 +0100 Subject: [Freeipa-devel] [freeipa PR#565][+ack] permissions: add permissions for reading and modifying external group members In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/565 Title: #565: permissions: add permissions for reading and modifying external group members Label: +ack From bind-dyndb-ldap-github-notification at redhat.com Mon Mar 13 16:57:12 2017 
From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Mon, 13 Mar 2017 17:57:12 +0100 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#10][comment] spec: fix sed error and re-sync with fedora In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/10 Title: #10: spec: fix sed error and re-sync with fedora tomaskrizek commented: """ master: - d74bba1f332b419a19e5656e5bba51c61dcb656f: spec: re-sync spec file with Fedora - 84b5558906d4735d4c2ab7494ac6c3e1d6f40c5e: spec: fix regex in postinstall sed script """ See the full comment at https://github.com/freeipa/bind-dyndb-ldap/pull/10#issuecomment-286171090 From bind-dyndb-ldap-github-notification at redhat.com Mon Mar 13 16:57:16 2017 From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Mon, 13 Mar 2017 17:57:16 +0100 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#10][+pushed] spec: fix sed error and re-sync with fedora In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/10 Title: #10: spec: fix sed error and re-sync with fedora Label: +pushed From bind-dyndb-ldap-github-notification at redhat.com Mon Mar 13 16:58:54 2017 From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Mon, 13 Mar 2017 17:58:54 +0100 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#4][closed] spec: Re-sync spec to Fedora In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/4 Author: sgallagher Title: #4: spec: Re-sync spec to Fedora Action: closed To pull the PR as Git branch: git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap git fetch ghbind-dyndb-ldap pull/4/head:pr4 git checkout pr4 From freeipa-github-notification at redhat.com Mon Mar 13 17:00:34 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 13 Mar 2017 18:00:34 +0100 Subject: [Freeipa-devel] [freeipa PR#574][comment] ipa-replica-prepare fix In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/574 Title: #574: ipa-replica-prepare fix MartinBasti commented: """ Can this be caused by your patch? ``` error exporting Server certificate: Command '/usr/bin/openssl pkcs12 -export -name KDC-Cert -in /tmp/tmpmS5rCkipa/realm_info/kdc.pem -out /tmp/tmpmS5rCkipa/realm_info/pkinitcert.p12 -passout file:/tmp/tmpmS5rCkipa/realm_info/pkinit_pin.txt' returned non-zero exit status 1 ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/574#issuecomment-286172238 From freeipa-github-notification at redhat.com Mon Mar 13 17:13:04 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 13 Mar 2017 18:13:04 +0100 Subject: [Freeipa-devel] [freeipa PR#576][+pushed] Installation must publish CA cert in /usr/share/ipa/html/ca.crt In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/576 Title: #576: Installation must publish CA cert in /usr/share/ipa/html/ca.crt Label: +pushed From freeipa-github-notification at redhat.com Mon Mar 13 17:18:56 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 13 Mar 2017 18:18:56 +0100 Subject: [Freeipa-devel] [freeipa PR#565][comment] permissions: add permissions for reading and modifying external group members In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/565 Title: #565: permissions: add permissions for reading and modifying external group members MartinBasti commented: """ master: * da5487c407bee9bce41f4012d07970916b9456c1 permissions: add permissions for read and mod of external group members """ See the full comment at https://github.com/freeipa/freeipa/pull/565#issuecomment-286178153 From freeipa-github-notification at redhat.com Mon Mar 13 17:20:44 2017 
From: freeipa-github-notification at redhat.com (pvomacka) Date: Mon, 13 Mar 2017 18:20:44 +0100 Subject: [Freeipa-devel] [freeipa PR#577][synchronized] WebUI: Add support for AD users short name resolution In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/577 Author: pvomacka Title: #577: WebUI: Add support for AD users short name resolution Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/577/head:pr577 git checkout pr577 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-577.patch Type: text/x-diff Size: 1839 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Mar 13 17:22:11 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Mon, 13 Mar 2017 18:22:11 +0100 Subject: [Freeipa-devel] [freeipa PR#139][synchronized] WebUI: Vault Management In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/139 Author: pvomacka Title: #139: WebUI: Vault Management Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/139/head:pr139 git checkout pr139 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-139.patch Type: text/x-diff Size: 89484 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Mar 13 18:19:10 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Mon, 13 Mar 2017 19:19:10 +0100 Subject: [Freeipa-devel] [freeipa PR#578][opened] Coverity: fix bad use of null-like value in cert.py Message-ID: URL: https://github.com/freeipa/freeipa/pull/578 Author: tomaskrizek Title: #578: Coverity: fix bad use of null-like value in cert.py Action: opened PR body: """ http://cov01.lab.eng.brq.redhat.com/covscanhub/task/38300/ """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/578/head:pr578 git checkout pr578 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-578.patch Type: text/x-diff Size: 1066 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Mar 13 18:30:56 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Mon, 13 Mar 2017 19:30:56 +0100 Subject: [Freeipa-devel] [freeipa PR#578][edited] Coverity: fix bad use of null-like value in cert.py In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/578 Author: tomaskrizek Title: #578: Coverity: fix bad use of null-like value in cert.py Action: edited Changed field: body Original value: """ http://cov01.lab.eng.brq.redhat.com/covscanhub/task/38300/ """ From freeipa-github-notification at redhat.com Mon Mar 13 18:40:40 2017 From: freeipa-github-notification at redhat.com (apophys) Date: Mon, 13 Mar 2017 19:40:40 +0100 Subject: [Freeipa-devel] [freeipa PR#578][comment] Coverity: fix bad use of null-like value in cert.py In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/578 Title: #578: Coverity: fix bad use of null-like value in cert.py apophys commented: """ Please do not post links to internal Red Hat resources in public. """ See the full comment at https://github.com/freeipa/freeipa/pull/578#issuecomment-286203585 From freeipa-github-notification at redhat.com Mon Mar 13 18:43:46 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 13 Mar 2017 19:43:46 +0100 Subject: [Freeipa-devel] [freeipa PR#574][comment] ipa-replica-prepare fix In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/574 Title: #574: ipa-replica-prepare fix stlaz commented: """ Very unlikely but I'll investigate. """ See the full comment at https://github.com/freeipa/freeipa/pull/574#issuecomment-286204519 From freeipa-github-notification at redhat.com Mon Mar 13 18:44:17 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 13 Mar 2017 19:44:17 +0100 Subject: [Freeipa-devel] [freeipa PR#578][comment] Coverity: fix bad use of null-like value in cert.py In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/578 Title: #578: Coverity: fix bad use of null-like value in cert.py stlaz commented: """ Shame on you, @tomaskrizek """ See the full comment at https://github.com/freeipa/freeipa/pull/578#issuecomment-286204648 From freeipa-github-notification at redhat.com Mon Mar 13 19:13:29 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 13 Mar 2017 20:13:29 +0100 Subject: [Freeipa-devel] [freeipa PR#574][comment] ipa-replica-prepare fix In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/574 Title: #574: ipa-replica-prepare fix stlaz commented: """ My wild guess is that it might be caused by ba3c201a but not by this patchset as it does not touch it. """ See the full comment at https://github.com/freeipa/freeipa/pull/574#issuecomment-286212984 From freeipa-github-notification at redhat.com Mon Mar 13 19:26:35 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 13 Mar 2017 20:26:35 +0100 Subject: [Freeipa-devel] [freeipa PR#578][comment] Coverity: fix bad use of null-like value in cert.py In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/578 Title: #578: Coverity: fix bad use of null-like value in cert.py MartinBasti commented: """ I would rather focus on why `principal_obj` is not defined there """ See the full comment at https://github.com/freeipa/freeipa/pull/578#issuecomment-286216443 From mharmsen at redhat.com Mon Mar 13 23:53:51 2017 
From: mharmsen at redhat.com (Matthew Harmsen) Date: Mon, 13 Mar 2017 17:53:51 -0600 Subject: [Freeipa-devel] Karma Requests for ldapjdk-4.19-1 and tomcatjss-7.2.0-1 In-Reply-To: <9e48257a-b76b-c1d3-bb78-538458bad800@redhat.com> References: <9e48257a-b76b-c1d3-bb78-538458bad800@redhat.com> Message-ID: <475387df-080b-b8e6-43f7-2ff9f378815e@redhat.com>

On 03/12/2017 11:39 PM, Matthew Harmsen wrote:
> The following updated candidate builds of ldapjdk 4.19 and tomcatjss 7.2.0 were generated:
>
> * Fedora 25:
>   o ldapjdk-4.19-1.fc25
>   o tomcatjss-7.2.0-1.fc25
> * Fedora 26:
>   o ldapjdk-4.19-1.fc26
>   o tomcatjss-7.2.0-1.fc26
> * Fedora 27:
>   o ldapjdk-4.19-1.fc27
>   o tomcatjss-7.2.0-1.fc27
>
> These builds address the following Bugs and Pagure Issues:
>
> * Bugzilla Bug #1382856 - ldapjdk fails to parse ldap url with no host:port
> * Bugzilla Bug #1394372 - Rebase ldapjdk to 4.19
> * tomcatjss Pagure Issue #6 - Rebase tomcatjss to 7.2.0 in Fedora 25+
>
> Please provide Karma for the following builds:
>
> * Fedora 25:
>   o https://bodhi.fedoraproject.org/updates/FEDORA-2017-6559356a15 ldapjdk-4.19-1.fc25
>   o https://bodhi.fedoraproject.org/updates/FEDORA-2017-39eb143dc7 tomcatjss-7.2.0-1.fc25
> * Fedora 26:
>   o https://bodhi.fedoraproject.org/updates/FEDORA-2017-d10f519981 ldapjdk-4.19-1.fc26
>   o https://bodhi.fedoraproject.org/updates/FEDORA-2017-a6d36fe632 tomcatjss-7.2.0-1.fc26

A problem was discovered in which the tomcatjss.spec file was embedded inside the tomcatjss tarball; this was fixed, the tarball was republished, all packages were rebuilt, and new builds were submitted to bodhi:

The following updated candidate builds of tomcatjss 7.2.0 were regenerated:

* Fedora 25:
  o tomcatjss-7.2.0-2.fc25
* Fedora 26:
  o tomcatjss-7.2.0-2.fc26
* Fedora 27:
  o tomcatjss-7.2.0-2.fc27

Please provide Karma for the following builds:

* Fedora 25:
  o https://bodhi.fedoraproject.org/updates/FEDORA-2017-2fc4861133 tomcatjss-7.2.0-2.fc25
* Fedora 26:
  o https://bodhi.fedoraproject.org/updates/FEDORA-2017-9cd38eab18 tomcatjss-7.2.0-2.fc26

-------------- next part -------------- An HTML attachment was scrubbed... URL:
From freeipa-github-notification at redhat.com Tue Mar 14 06:21:02 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 14 Mar 2017 07:21:02 +0100 Subject: [Freeipa-devel] [freeipa PR#578][comment] Coverity: fix bad use of null-like value in cert.py In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/578 Title: #578: Coverity: fix bad use of null-like value in cert.py stlaz commented: """ if you look at steps 2, 4 and 13 in the Synopsis report (sorry, community!), you will see that this is a false positive. Anyone, please close this as "rejected" to confirm. """ See the full comment at https://github.com/freeipa/freeipa/pull/578#issuecomment-286332822 From freeipa-github-notification at redhat.com Tue Mar 14 06:21:22 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 14 Mar 2017 07:21:22 +0100 Subject: [Freeipa-devel] [freeipa PR#579][opened] csrgen: hide cert-get-requestdata in CLI Message-ID: URL: https://github.com/freeipa/freeipa/pull/579 Author: HonzaCholasta Title: #579: csrgen: hide cert-get-requestdata in CLI Action: opened PR body: """ The CSR generation feature is supposed to be used from cert-request, hide the internal cert-get-requestdata command in the CLI. https://fedorahosted.org/freeipa/ticket/4899 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/579/head:pr579 git checkout pr579 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-579.patch Type: text/x-diff Size: 839 bytes Desc: not available URL: From mharmsen at redhat.com Tue Mar 14 07:04:48 2017 
From: mharmsen at redhat.com (Matthew Harmsen) Date: Tue, 14 Mar 2017 01:04:48 -0600 Subject: [Freeipa-devel] Karma Requests for jss-4.4.0-1 Message-ID:

The following updated candidate builds of jss 4.4.0 were generated:

* Fedora 25:
  o jss-4.4.0-1.fc25
* Fedora 26:
  o jss-4.4.0-1.fc26
* Fedora 27:
  o jss-4.4.0-1.fc27

These builds address the following Bug:

* Bugzilla Bug #1431937 - Rebase jss to 4.4.0 in Fedora 25+

Please provide Karma for the following builds:

* Fedora 25:
  o https://bodhi.fedoraproject.org/updates/FEDORA-2017-155b9d81d2 jss-4.4.0-1.fc25
* Fedora 26:
  o https://bodhi.fedoraproject.org/updates/FEDORA-2017-70cf2c25eb jss-4.4.0-1.fc26

-------------- next part -------------- An HTML attachment was scrubbed... URL:
From freeipa-github-notification at redhat.com Tue Mar 14 07:20:43 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 14 Mar 2017 08:20:43 +0100 Subject: [Freeipa-devel] [freeipa PR#579][+ack] csrgen: hide cert-get-requestdata in CLI In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/579 Title: #579: csrgen: hide cert-get-requestdata in CLI Label: +ack From freeipa-github-notification at redhat.com Tue Mar 14 07:33:28 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 14 Mar 2017 08:33:28 +0100 Subject: [Freeipa-devel] [freeipa PR#574][comment] ipa-replica-prepare fix In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/574 Title: #574: ipa-replica-prepare fix stlaz commented: """ Actually, this is most probably a privilege-separation issue since "kdc.pem" which we try to read here does not exist ever since. """ See the full comment at https://github.com/freeipa/freeipa/pull/574#issuecomment-286343464 From freeipa-github-notification at redhat.com Tue Mar 14 07:41:32 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 14 Mar 2017 08:41:32 +0100 Subject: [Freeipa-devel] [freeipa PR#574][comment] ipa-replica-prepare fix In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/574 Title: #574: ipa-replica-prepare fix stlaz commented: """ Actually, this is most probably a privilege-separation issue since "kdc.pem" which we try to read here does not exist ever since. """ See the full comment at https://github.com/freeipa/freeipa/pull/574#issuecomment-286343464 From freeipa-github-notification at redhat.com Tue Mar 14 07:55:14 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 14 Mar 2017 08:55:14 +0100 Subject: [Freeipa-devel] [freeipa PR#573][synchronized] Provide centralized management of user short name resolution In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/573 Author: martbab Title: #573: Provide centralized management of user short name resolution Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/573/head:pr573 git checkout pr573 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-573.patch Type: text/x-diff Size: 21986 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Mar 14 08:05:42 2017 
From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 14 Mar 2017 09:05:42 +0100 Subject: [Freeipa-devel] [freeipa PR#573][comment] Provide centralized management of user short name resolution In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/573 Title: #573: Provide centralized management of user short name resolution martbab commented: """ @HonzaCholasta I agree, I have removed the commit which introduces special param handling and resorted to simple splitting in validator. I have also regenerated ACIs in the respective commits. """ See the full comment at https://github.com/freeipa/freeipa/pull/573#issuecomment-286348952 From freeipa-github-notification at redhat.com Tue Mar 14 08:21:33 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 14 Mar 2017 09:21:33 +0100 Subject: [Freeipa-devel] [freeipa PR#578][edited] Coverity: fix bad use of null-like value in cert.py In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/578 Author: tomaskrizek Title: #578: Coverity: fix bad use of null-like value in cert.py Action: edited Changed field: body Original value: """ http://cov01.lab.eng.brq.redhat.com/covscanhub/task/38300/log/fixed.html#def2 """ From freeipa-github-notification at redhat.com Tue Mar 14 08:24:24 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 14 Mar 2017 09:24:24 +0100 Subject: [Freeipa-devel] [freeipa PR#580][opened] Fix KDC certificates export on DL0 Message-ID: URL: https://github.com/freeipa/freeipa/pull/580 Author: stlaz Title: #580: Fix KDC certificates export on DL0 Action: opened PR body: """ I don't know since when this has been broken but my guess is - for a long time. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/580/head:pr580 git checkout pr580 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-580.patch Type: text/x-diff Size: 3768 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Mar 14 08:24:55 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 14 Mar 2017 09:24:55 +0100 Subject: [Freeipa-devel] [freeipa PR#574][comment] ipa-replica-prepare fix In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/574 Title: #574: ipa-replica-prepare fix stlaz commented: """ @MartinBasti should be fixed in https://github.com/freeipa/freeipa/pull/580 """ See the full comment at https://github.com/freeipa/freeipa/pull/574#issuecomment-286352636 From freeipa-github-notification at redhat.com Tue Mar 14 08:25:46 2017 
From: freeipa-github-notification at redhat.com (pvomacka) Date: Tue, 14 Mar 2017 09:25:46 +0100 Subject: [Freeipa-devel] [freeipa PR#559][synchronized] WebUI: Certificate login In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/559 Author: pvomacka Title: #559: WebUI: Certificate login Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/559/head:pr559 git checkout pr559 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-559.patch Type: text/x-diff Size: 12857 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Mar 14 08:38:23 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Tue, 14 Mar 2017 09:38:23 +0100 Subject: [Freeipa-devel] [freeipa PR#559][synchronized] WebUI: Certificate login In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/559 Author: pvomacka Title: #559: WebUI: Certificate login Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/559/head:pr559 git checkout pr559 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-559.patch Type: text/x-diff Size: 12882 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Mar 14 08:39:07 2017 
From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 14 Mar 2017 09:39:07 +0100 Subject: [Freeipa-devel] [freeipa PR#567][comment] Configure KDC to use certs after they are deployed In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/567 Title: #567: Configure KDC to use certs after they are deployed martbab commented: """ @simo5 actually I found multiple issues during review and concluded that setting up PKINIT on DL1 replica never worked correctly actually. Will open respective blocker tickets ASAP. """ See the full comment at https://github.com/freeipa/freeipa/pull/567#issuecomment-286355471 From freeipa-github-notification at redhat.com Tue Mar 14 08:40:10 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 14 Mar 2017 09:40:10 +0100 Subject: [Freeipa-devel] [freeipa PR#578][comment] Coverity: fix bad use of null-like value in cert.py In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/578 Title: #578: Coverity: fix bad use of null-like value in cert.py tomaskrizek commented: """ Sorry about the link, I've removed it. Nevertheless, it seems that's indeed a false positive, because `principal_type` is set to `USER`, but `principal_type == KRBTGT` on [L616](https://github.com/freeipa/freeipa/pull/578/files#diff-95cc6f5739d8923e9d470c2f686038f1R616) is evaluated as true instead of `principal_type == USER` at [L624](https://github.com/freeipa/freeipa/pull/578/files#diff-95cc6f5739d8923e9d470c2f686038f1R624) which would set `principal_obj`. There is no other assignment to `principal_type` in between. Closing the PR, coverity error is a false positive. """ See the full comment at https://github.com/freeipa/freeipa/pull/578#issuecomment-286355703 From freeipa-github-notification at redhat.com Tue Mar 14 08:40:11 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 14 Mar 2017 09:40:11 +0100 Subject: [Freeipa-devel] [freeipa PR#578][closed] Coverity: fix bad use of null-like value in cert.py In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/578 Author: tomaskrizek Title: #578: Coverity: fix bad use of null-like value in cert.py Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/578/head:pr578 git checkout pr578 From freeipa-github-notification at redhat.com Tue Mar 14 08:40:15 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 14 Mar 2017 09:40:15 +0100 Subject: [Freeipa-devel] [freeipa PR#578][+rejected] Coverity: fix bad use of null-like value in cert.py In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/578 Title: #578: Coverity: fix bad use of null-like value in cert.py Label: +rejected From freeipa-github-notification at redhat.com Tue Mar 14 08:42:33 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 14 Mar 2017 09:42:33 +0100 Subject: [Freeipa-devel] [freeipa PR#580][synchronized] Fix KDC certificates export on DL0 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/580 Author: stlaz Title: #580: Fix KDC certificates export on DL0 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/580/head:pr580 git checkout pr580 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-580.patch Type: text/x-diff Size: 3805 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Mar 14 08:54:26 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 14 Mar 2017 09:54:26 +0100 Subject: [Freeipa-devel] [freeipa PR#574][+ack] ipa-replica-prepare fix In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/574 Title: #574: ipa-replica-prepare fix Label: +ack From freeipa-github-notification at redhat.com Tue Mar 14 08:58:48 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 14 Mar 2017 09:58:48 +0100 Subject: [Freeipa-devel] [freeipa PR#578][comment] Coverity: fix bad use of null-like value in cert.py In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/578 Title: #578: Coverity: fix bad use of null-like value in cert.py MartinBasti commented: """ But this is about `principal_obj`, I don't see it in step 2, but I see `principal_obj = None` in step 11 """ See the full comment at https://github.com/freeipa/freeipa/pull/578#issuecomment-286359771 From freeipa-github-notification at redhat.com Tue Mar 14 09:02:49 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 14 Mar 2017 10:02:49 +0100 Subject: [Freeipa-devel] [freeipa PR#578][comment] Coverity: fix bad use of null-like value in cert.py In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/578 Title: #578: Coverity: fix bad use of null-like value in cert.py MartinBasti commented: """ Ah I see it is really false positive """ See the full comment at https://github.com/freeipa/freeipa/pull/578#issuecomment-286360715 From freeipa-github-notification at redhat.com Tue Mar 14 09:14:30 2017 
From: freeipa-github-notification at redhat.com (pvomacka) Date: Tue, 14 Mar 2017 10:14:30 +0100 Subject: [Freeipa-devel] [freeipa PR#559][synchronized] WebUI: Certificate login In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/559 Author: pvomacka Title: #559: WebUI: Certificate login Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/559/head:pr559 git checkout pr559 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-559.patch Type: text/x-diff Size: 12972 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Mar 14 09:30:00 2017 From: freeipa-github-notification at redhat.com (simo5) Date: Tue, 14 Mar 2017 10:30:00 +0100 Subject: [Freeipa-devel] [freeipa PR#567][comment] Configure KDC to use certs after they are deployed In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/567 Title: #567: Configure KDC to use certs after they are deployed simo5 commented: """ Can you figure out exactly why certmonger is doing this ? """ See the full comment at https://github.com/freeipa/freeipa/pull/567#issuecomment-286366985 From freeipa-github-notification at redhat.com Tue Mar 14 09:34:22 2017 From: freeipa-github-notification at redhat.com (pvoborni) Date: Tue, 14 Mar 2017 10:34:22 +0100 Subject: [Freeipa-devel] [freeipa PR#139][+ack] WebUI: Vault Management In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/139 Title: #139: WebUI: Vault Management Label: +ack From freeipa-github-notification at redhat.com Tue Mar 14 09:39:54 2017 
From: freeipa-github-notification at redhat.com (pvoborni) Date: Tue, 14 Mar 2017 10:39:54 +0100 Subject: [Freeipa-devel] [freeipa PR#577][comment] WebUI: Add support for AD users short name resolution In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/577 Title: #577: WebUI: Add support for AD users short name resolution pvoborni commented: """ LGTM """ See the full comment at https://github.com/freeipa/freeipa/pull/577#issuecomment-286369347 From freeipa-github-notification at redhat.com Tue Mar 14 09:41:01 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 14 Mar 2017 10:41:01 +0100 Subject: [Freeipa-devel] [freeipa PR#139][+pushed] WebUI: Vault Management In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/139 Title: #139: WebUI: Vault Management Label: +pushed From freeipa-github-notification at redhat.com Tue Mar 14 09:41:03 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 14 Mar 2017 10:41:03 +0100 Subject: [Freeipa-devel] [freeipa PR#139][comment] WebUI: Vault Management In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/139 Title: #139: WebUI: Vault Management MartinBasti commented: """ master: * c3115fa617fb049ba48d356d280fdb23c312ebca Additional option to add and del operations can be set * ec63456b7c1fba6bd8d9073e63c27ef685f08c60 Allow to set another other_entity name * 93a7f4c88db159664664bd82d1d00e5e0033ac22 Possibility to skip checking writable according to metadata * 6d1374f7f82d144b8aa361e9e637c5388f8f7edb Added optional option in refreshing after modifying association table * bbca1d9219bfab9f204cb0217495cbd94b7098be Add property which allows refresh command to use url value * 042e113db9bc66dcd0da0d5e8b8d025212695705 Add possibility to pass url parameter to update command of details page * 2e6e0698865e7d530c6ebf87a12e46f990ac1d87 Extend _show command after _find command in table facets * 039a6f7b4ff392974408cb9e274f8a3777e009fd Possibility to set list of table attributes which will be added to _del command * 8dfe692251d38934a21ad3bc648d839d83e27caa Add possibility to hide only one tab in sidebar * de4d4a51b542b8e473919dbc14f7a0810944b544 WebUI: search facet's default actions might be overriden * 587b7324fb1f6899deb151c30662362c18c5258e WebUI: allow to show rows with same pkey in tables * 39d7ef3de4b0345274b4b8e8f6918e3b714879ad WebUI: add vault management * ab8c69f4c602c0eaefbb058c108428ca30a80e98 TESTS: Add support for KRA in ui_driver * 0808504ba1ab743acdf4231876d49c26dbae6621 TESTS: Add support for sidebar with facets * f95275748465ffacecfbf55ca2cd2fc54f3860b7 TESTS WebUI: Vaults management """ See the full comment at https://github.com/freeipa/freeipa/pull/139#issuecomment-286369632 From freeipa-github-notification at redhat.com Tue Mar 14 09:41:04 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 14 Mar 2017 10:41:04 +0100 Subject: [Freeipa-devel] [freeipa PR#139][closed] WebUI: Vault Management In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/139 Author: pvomacka Title: #139: WebUI: Vault Management Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/139/head:pr139 git checkout pr139 From freeipa-github-notification at redhat.com Tue Mar 14 09:47:25 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Tue, 14 Mar 2017 10:47:25 +0100 Subject: [Freeipa-devel] [freeipa PR#577][synchronized] WebUI: Add support for AD users short name resolution In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/577 Author: pvomacka Title: #577: WebUI: Add support for AD users short name resolution Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/577/head:pr577 git checkout pr577 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-577.patch Type: text/x-diff Size: 1777 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Mar 14 09:55:02 2017 
From: freeipa-github-notification at redhat.com (sumit-bose) Date: Tue, 14 Mar 2017 10:55:02 +0100 Subject: [Freeipa-devel] [freeipa PR#575][synchronized] IPA certauth plugin In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/575 Author: sumit-bose Title: #575: IPA certauth plugin Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/575/head:pr575 git checkout pr575 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-575.patch Type: text/x-diff Size: 26197 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Mar 14 09:55:15 2017 From: freeipa-github-notification at redhat.com (pvoborni) Date: Tue, 14 Mar 2017 10:55:15 +0100 Subject: [Freeipa-devel] [freeipa PR#577][comment] WebUI: Add support for AD users short name resolution In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/577 Title: #577: WebUI: Add support for AD users short name resolution pvoborni commented: """ ACK if backend won't change """ See the full comment at https://github.com/freeipa/freeipa/pull/577#issuecomment-286373214 From freeipa-github-notification at redhat.com Tue Mar 14 09:56:17 2017 From: freeipa-github-notification at redhat.com (sumit-bose) Date: Tue, 14 Mar 2017 10:56:17 +0100 Subject: [Freeipa-devel] [freeipa PR#575][comment] IPA certauth plugin In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/575 Title: #575: IPA certauth plugin sumit-bose commented: """ I updated the code to reflect the latest changes in the interface from https://github.com/krb5/krb5/pull/610. """ See the full comment at https://github.com/freeipa/freeipa/pull/575#issuecomment-286373480 From freeipa-github-notification at redhat.com Tue Mar 14 10:46:30 2017 
From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 14 Mar 2017 11:46:30 +0100 Subject: [Freeipa-devel] [freeipa PR#573][comment] Provide centralized management of user short name resolution In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/573 Title: #573: Provide centralized management of user short name resolution martbab commented: """ Server upgrade consists only of adding the objectclass to ipaConfig which is taken care of in the update file. The idview object schema is modified on-demand when the attribute is set. Is there something else I need to take care of? """ See the full comment at https://github.com/freeipa/freeipa/pull/573#issuecomment-286385187 From freeipa-github-notification at redhat.com Tue Mar 14 11:07:41 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 14 Mar 2017 12:07:41 +0100 Subject: [Freeipa-devel] [freeipa PR#567][comment] Configure KDC to use certs after they are deployed In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/567 Title: #567: Configure KDC to use certs after they are deployed martbab commented: """ @simo5 yes the whole PKINIT setup logic on replica is flawed and will probably need to be moved into a later point in master/replica install. Can I re-use your PR and prepare a new one that will fix it properly? I will keep you the author of this commit if you wish. """ See the full comment at https://github.com/freeipa/freeipa/pull/567#issuecomment-286389719 From freeipa-github-notification at redhat.com Tue Mar 14 11:12:57 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 14 Mar 2017 12:12:57 +0100 Subject: [Freeipa-devel] [freeipa PR#573][comment] Provide centralized management of user short name resolution In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/573 Title: #573: Provide centralized management of user short name resolution HonzaCholasta commented: """ IMO you should add the object class to all existing idviews on upgrade rather than add it on-demand. """ See the full comment at https://github.com/freeipa/freeipa/pull/573#issuecomment-286390880 From freeipa-github-notification at redhat.com Tue Mar 14 11:14:06 2017 From: freeipa-github-notification at redhat.com (simo5) Date: Tue, 14 Mar 2017 12:14:06 +0100 Subject: [Freeipa-devel] [freeipa PR#567][comment] Configure KDC to use certs after they are deployed In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/567 Title: #567: Configure KDC to use certs after they are deployed simo5 commented: """ Sure no prob """ See the full comment at https://github.com/freeipa/freeipa/pull/567#issuecomment-286391140 From freeipa-github-notification at redhat.com Tue Mar 14 11:19:07 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 14 Mar 2017 12:19:07 +0100 Subject: [Freeipa-devel] [freeipa PR#567][comment] Configure KDC to use certs after they are deployed In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/567 Title: #567: Configure KDC to use certs after they are deployed martbab commented: """ @simo5 thank you """ See the full comment at https://github.com/freeipa/freeipa/pull/567#issuecomment-286392161 From freeipa-github-notification at redhat.com Tue Mar 14 11:29:20 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 14 Mar 2017 12:29:20 +0100 Subject: [Freeipa-devel] [freeipa PR#573][comment] Provide centralized management of user short name resolution In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/573 Title: #573: Provide centralized management of user short name resolution MartinBasti commented: """ @HonzaCholasta it will break in the case when an idview entry is created on an older replica, so it is safer to append the objectclass dynamically """ See the full comment at https://github.com/freeipa/freeipa/pull/573#issuecomment-286394244 From freeipa-github-notification at redhat.com Tue Mar 14 11:33:23 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 14 Mar 2017 12:33:23 +0100 Subject: [Freeipa-devel] [freeipa PR#573][comment] Provide centralized management of user short name resolution In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/573 Title: #573: Provide centralized management of user short name resolution HonzaCholasta commented: """ Ah, right. """ See the full comment at https://github.com/freeipa/freeipa/pull/573#issuecomment-286395012 From freeipa-github-notification at redhat.com Tue Mar 14 11:58:12 2017 From: freeipa-github-notification at redhat.com (dkupka) Date: Tue, 14 Mar 2017 12:58:12 +0100 Subject: [Freeipa-devel] [freeipa PR#568][+ack] cert: include certificate chain in cert command output In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/568 Title: #568: cert: include certificate chain in cert command output Label: +ack From freeipa-github-notification at redhat.com Tue Mar 14 11:58:13 2017 
From: freeipa-github-notification at redhat.com (dkupka) Date: Tue, 14 Mar 2017 12:58:13 +0100 Subject: [Freeipa-devel] [freeipa PR#568][comment] cert: include certificate chain in cert command output In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/568 Title: #568: cert: include certificate chain in cert command output dkupka commented: """ LGTM and works as expected. """ See the full comment at https://github.com/freeipa/freeipa/pull/568#issuecomment-286400004 From freeipa-github-notification at redhat.com Tue Mar 14 11:59:25 2017 From: freeipa-github-notification at redhat.com (dkupka) Date: Tue, 14 Mar 2017 12:59:25 +0100 Subject: [Freeipa-devel] [freeipa PR#568][+pushed] cert: include certificate chain in cert command output In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/568 Title: #568: cert: include certificate chain in cert command output Label: +pushed From freeipa-github-notification at redhat.com Tue Mar 14 11:59:27 2017 From: freeipa-github-notification at redhat.com (dkupka) Date: Tue, 14 Mar 2017 12:59:27 +0100 Subject: [Freeipa-devel] [freeipa PR#568][comment] cert: include certificate chain in cert command output In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/568 Title: #568: cert: include certificate chain in cert command output dkupka commented: """ master: * c60d9c9744b1f8a7b55bcdda65cce8bb36700bf6 cert: add output file option to cert-request * 8ed891cb619abd2efd428f767edf760ebf5eec5d cert: include certificate chain in cert command output """ See the full comment at https://github.com/freeipa/freeipa/pull/568#issuecomment-286400258 From freeipa-github-notification at redhat.com Tue Mar 14 11:59:28 2017 
From: freeipa-github-notification at redhat.com (dkupka) Date: Tue, 14 Mar 2017 12:59:28 +0100 Subject: [Freeipa-devel] [freeipa PR#568][closed] cert: include certificate chain in cert command output In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/568 Author: HonzaCholasta Title: #568: cert: include certificate chain in cert command output Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/568/head:pr568 git checkout pr568 From freeipa-github-notification at redhat.com Tue Mar 14 12:01:39 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 14 Mar 2017 13:01:39 +0100 Subject: [Freeipa-devel] [freeipa PR#580][+rejected] Fix KDC certificates export on DL0 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/580 Title: #580: Fix KDC certificates export on DL0 Label: +rejected From freeipa-github-notification at redhat.com Tue Mar 14 12:01:59 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 14 Mar 2017 13:01:59 +0100 Subject: [Freeipa-devel] [freeipa PR#580][comment] Fix KDC certificates export on DL0 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/580 Title: #580: Fix KDC certificates export on DL0 stlaz commented: """ We should not care about KDC certificates at all on DL0. """ See the full comment at https://github.com/freeipa/freeipa/pull/580#issuecomment-286400760 From freeipa-github-notification at redhat.com Tue Mar 14 12:02:02 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 14 Mar 2017 13:02:02 +0100 Subject: [Freeipa-devel] [freeipa PR#580][closed] Fix KDC certificates export on DL0 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/580 Author: stlaz Title: #580: Fix KDC certificates export on DL0 Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/580/head:pr580 git checkout pr580 From freeipa-github-notification at redhat.com Tue Mar 14 12:15:57 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Tue, 14 Mar 2017 13:15:57 +0100 Subject: [Freeipa-devel] [freeipa PR#577][synchronized] WebUI: Add support for AD users short name resolution In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/577 Author: pvomacka Title: #577: WebUI: Add support for AD users short name resolution Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/577/head:pr577 git checkout pr577 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-577.patch Type: text/x-diff Size: 1788 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Mar 14 12:17:30 2017 
From: freeipa-github-notification at redhat.com (pvomacka) Date: Tue, 14 Mar 2017 13:17:30 +0100 Subject: [Freeipa-devel] [freeipa PR#577][comment] WebUI: Add support for AD users short name resolution In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/577 Title: #577: WebUI: Add support for AD users short name resolution pvomacka commented: """ @simo5 I changed the subject, do you have any suggestion what you would like to see in commit message? I think that this is quite easy and self-explanatory patch. """ See the full comment at https://github.com/freeipa/freeipa/pull/577#issuecomment-286404011 From freeipa-github-notification at redhat.com Tue Mar 14 12:20:13 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 14 Mar 2017 13:20:13 +0100 Subject: [Freeipa-devel] [freeipa PR#579][comment] csrgen: hide cert-get-requestdata in CLI In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/579 Title: #579: csrgen: hide cert-get-requestdata in CLI HonzaCholasta commented: """ master: * 72de679eb445c975ec70cd265d37d4927823ce5b csrgen: hide cert-get-requestdata in CLI """ See the full comment at https://github.com/freeipa/freeipa/pull/579#issuecomment-286404609 From freeipa-github-notification at redhat.com Tue Mar 14 12:20:15 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 14 Mar 2017 13:20:15 +0100 Subject: [Freeipa-devel] [freeipa PR#579][+pushed] csrgen: hide cert-get-requestdata in CLI In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/579 Title: #579: csrgen: hide cert-get-requestdata in CLI Label: +pushed From freeipa-github-notification at redhat.com Tue Mar 14 12:20:16 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 14 Mar 2017 13:20:16 +0100 Subject: [Freeipa-devel] [freeipa PR#579][closed] csrgen: hide cert-get-requestdata in CLI In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/579 Author: HonzaCholasta Title: #579: csrgen: hide cert-get-requestdata in CLI Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/579/head:pr579 git checkout pr579 From freeipa-github-notification at redhat.com Tue Mar 14 12:30:30 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 14 Mar 2017 13:30:30 +0100 Subject: [Freeipa-devel] [freeipa PR#581][opened] Backup KDC certificate pair Message-ID: URL: https://github.com/freeipa/freeipa/pull/581 Author: stlaz Title: #581: Backup KDC certificate pair Action: opened PR body: """ KDC certificate pair was added but is not included in backup which might cause issues when restoring the IPA service. https://pagure.io/freeipa/issue/6748 This probably does not fix the issue as a whole but I am not sure if there's more that we can do on the IPA side. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/581/head:pr581 git checkout pr581 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-581.patch Type: text/x-diff Size: 929 bytes Desc: not available URL: From mbasti at redhat.com Tue Mar 14 12:51:19 2017 
From: mbasti at redhat.com (Martin Basti) Date: Tue, 14 Mar 2017 13:51:19 +0100 Subject: [Freeipa-devel] [DRAFT] Release notes FreeIPA 4.5.0 Message-ID: <00f32121-912b-14d2-6810-c06f06d97d97@redhat.com> Hello, DRAFT for FreeIPA 4.5.0 release notes is ready http://www.freeipa.org/page/Releases/4.5.0 Please update/let me know what is missing, what is extra. Martin^2 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 847 bytes Desc: OpenPGP digital signature URL: From freeipa-github-notification at redhat.com Tue Mar 14 13:20:32 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 14 Mar 2017 14:20:32 +0100 Subject: [Freeipa-devel] [freeipa PR#582][opened] Remove pkinit from ipa-replica-prepare Message-ID: URL: https://github.com/freeipa/freeipa/pull/582 Author: stlaz Title: #582: Remove pkinit from ipa-replica-prepare Action: opened PR body: """ The PKINIT feature is not available on domain level 0 so any options about pkinit are false. https://pagure.io/freeipa/issue/6759 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/582/head:pr582 git checkout pr582 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-582.patch Type: text/x-diff Size: 8651 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Mar 14 13:24:29 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 14 Mar 2017 14:24:29 +0100 Subject: [Freeipa-devel] [freeipa PR#569][+ack] Remove copy-schema-to-ca.py from master branch In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/569 Title: #569: Remove copy-schema-to-ca.py from master branch Label: +ack From freeipa-github-notification at redhat.com Tue Mar 14 13:42:15 2017 
From: freeipa-github-notification at redhat.com (dkupka)
Date: Tue, 14 Mar 2017 14:42:15 +0100
Subject: [Freeipa-devel] [freeipa PR#560][synchronized] rpcserver: x509_login: Handle unsuccessful certificate login gracefully
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/560
Author: dkupka
Title: #560: rpcserver: x509_login: Handle unsuccessful certificate login gracefully
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/560/head:pr560
git checkout pr560
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-560.patch
Type: text/x-diff
Size: 1351 bytes
Desc: not available
URL:

From jhrozek at redhat.com Tue Mar 14 13:50:37 2017
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 14 Mar 2017 14:50:37 +0100
Subject: [Freeipa-devel] [DRAFT] Release notes FreeIPA 4.5.0
In-Reply-To: <00f32121-912b-14d2-6810-c06f06d97d97@redhat.com>
References: <00f32121-912b-14d2-6810-c06f06d97d97@redhat.com>
Message-ID: <20170314135037.tqyncyzkgzi5o2lq@hendrix>

On Tue, Mar 14, 2017 at 01:51:19PM +0100, Martin Basti wrote:
> Hello,
>
> DRAFT for FreeIPA 4.5.0 release notes is ready
> http://www.freeipa.org/page/Releases/4.5.0
>
> Please update/let me know what is missing, what is extra.

Please update this paragraph:
````
AD User Short Names

Support for AD users short names has been added. Short
names can be enabled from CLI by setting ipa config-mod
--domain-resolution-order="domain.test:ad.domain1.test:ad.domain2.test"
or from WebUI under Configuration tab. No manual configuration on SSSD
side is required.
````

With a note that this feature is not supported by SSSD yet and the work
is tracked with https://pagure.io/SSSD/sssd/issue/3210

From ldelouw at redhat.com Tue Mar 14 13:56:46 2017
From: ldelouw at redhat.com (Luc de Louw)
Date: Tue, 14 Mar 2017 14:56:46 +0100
Subject: [Freeipa-devel] [DRAFT] Release notes FreeIPA 4.5.0
In-Reply-To: <20170314135037.tqyncyzkgzi5o2lq@hendrix>
References: <00f32121-912b-14d2-6810-c06f06d97d97@redhat.com> <20170314135037.tqyncyzkgzi5o2lq@hendrix>
Message-ID: <70cc30c6-0bec-6931-c201-c612c4c6a665@redhat.com>

My 3 cents...

"Please note that FIPS 140-2 support may not work on some platforms"

-> Does it work in Fedora? Should be worth mentioning it so people are
more encouraged to test it in Fedora before it's getting to RHEL 7.4

Thanks,

Luc

On 03/14/2017 02:50 PM, Jakub Hrozek wrote:
> On Tue, Mar 14, 2017 at 01:51:19PM +0100, Martin Basti wrote:
>> Hello,
>>
>> DRAFT for FreeIPA 4.5.0 release notes is ready
>> http://www.freeipa.org/page/Releases/4.5.0
>>
>> Please update/let me know what is missing, what is extra.
>
> Please update this paragraph:
> ````
> AD User Short Names
>
> Support for AD users short names has been added. Short
> names can be enabled from CLI by setting ipa config-mod
> --domain-resolution-order="domain.test:ad.domain1.test:ad.domain2.test"
> or from WebUI under Configuration tab. No manual configuration on SSSD
> side is required.
> ````
>
> With a note that this feature is not supported by SSSD yet and the work
> is tracked with https://pagure.io/SSSD/sssd/issue/3210
>

--
Luc de Louw
Senior Linux Consultant
Red Hat GmbH
Am Treptower Park 75, 2nd floor
D-12435 Berlin
Email: ldelouw at redhat.com
Cell Germany: +49 162 413 29 64
Cell Bahrain +973 33 54 79 77
Cell UAE +971 50 95 86 406
Cell Saudi Arabia +966 5540 98 525
Cell Austria: +43 66 47 96 90 47
Cell Switzerland: +41 78 664 58 13
Cell France: +33 609 18 57 09
Cell Netherlands: +31 6 21 48 18 67
Cell Uganda: +256 71 39 14 337

From freeipa-github-notification at redhat.com Tue Mar 14 14:03:09 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Tue, 14 Mar 2017 15:03:09 +0100
Subject: [Freeipa-devel] [freeipa PR#574][closed] ipa-replica-prepare fix
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/574
Author: stlaz
Title: #574: ipa-replica-prepare fix
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/574/head:pr574
git checkout pr574

From freeipa-github-notification at redhat.com Tue Mar 14 14:03:10 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Tue, 14 Mar 2017 15:03:10 +0100
Subject: [Freeipa-devel] [freeipa PR#574][+pushed] ipa-replica-prepare fix
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/574
Title: #574: ipa-replica-prepare fix

Label: +pushed

From freeipa-github-notification at redhat.com Tue Mar 14 14:03:12 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Tue, 14 Mar 2017 15:03:12 +0100
Subject: [Freeipa-devel] [freeipa PR#574][comment] ipa-replica-prepare fix
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/574
Title: #574: ipa-replica-prepare fix

MartinBasti commented:
"""
master:

* 992e6ecd1ff33f4f872e8f174bd426507c55f5c4 Fix ipa-replica-prepare server-cert creation
* 8980f4098ebf6b62556e24f090718802d1e495d3 Don't fail more if cert req/cert creation failed
"""

See the full comment at https://github.com/freeipa/freeipa/pull/574#issuecomment-286430379

From abokovoy at redhat.com Tue Mar 14 14:06:54 2017
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 14 Mar 2017 16:06:54 +0200
Subject: [Freeipa-devel] [DRAFT] Release notes FreeIPA 4.5.0
In-Reply-To: <70cc30c6-0bec-6931-c201-c612c4c6a665@redhat.com>
References: <00f32121-912b-14d2-6810-c06f06d97d97@redhat.com> <20170314135037.tqyncyzkgzi5o2lq@hendrix> <70cc30c6-0bec-6931-c201-c612c4c6a665@redhat.com>
Message-ID: <20170314140654.cubagocvpzio5iel@redhat.com>

On Tue, 14 Mar 2017, Luc de Louw wrote:
>My 3 cents...
>
>"Please note that FIPS 140-2 support may not work on some platforms"
>
>-> Does it work in Fedora? Should be worth mentioning it so people are
>more encouraged to test it in Fedora before it's getting to RHEL 7.4

I think we should actually add an explicit statement for trust to AD not
currently supporting FIPS 140-2 mode.

--
/ Alexander Bokovoy

From flo at redhat.com Tue Mar 14 14:08:19 2017
From: flo at redhat.com (Florence Blanc-Renaud)
Date: Tue, 14 Mar 2017 15:08:19 +0100
Subject: [Freeipa-devel] [DRAFT] Release notes FreeIPA 4.5.0
In-Reply-To: <00f32121-912b-14d2-6810-c06f06d97d97@redhat.com>
References: <00f32121-912b-14d2-6810-c06f06d97d97@redhat.com>
Message-ID: <49366e50-7d33-2df2-a78a-bed50bdc5ec1@redhat.com>

On 03/14/2017 01:51 PM, Martin Basti wrote:
> Hello,
>
> DRAFT for FreeIPA 4.5.0 release notes is ready
> http://www.freeipa.org/page/Releases/4.5.0
>
> Please update/let me know what is missing, what is extra.
>
>
> Martin^2
>
>
>
>

Hi Martin,

thank you for the release notes. Could you update the section about
Certificate Identity Mapping?
'''
Certificate Identity Mapping

Support for multiple certificates on Smart cards has been added. User
can choose which certificate is used to authenticate. This allows to
define multiple certificates per user.
The same certificate can be used by different accounts, and the
mapping between a certificate and an account can be done through
binary match of the whole certificate or a match on custom certificate
attributes (such as Subject + Issuer).
'''

I also noted a typo:
'''
Bug fixes
Contains all bugfixes and enhacements
'''
should be enhancements.

Thank you,
Flo

From mbasti at redhat.com Tue Mar 14 14:12:38 2017
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 14 Mar 2017 15:12:38 +0100
Subject: [Freeipa-devel] [DRAFT] Release notes FreeIPA 4.5.0
In-Reply-To: <49366e50-7d33-2df2-a78a-bed50bdc5ec1@redhat.com>
References: <00f32121-912b-14d2-6810-c06f06d97d97@redhat.com> <49366e50-7d33-2df2-a78a-bed50bdc5ec1@redhat.com>
Message-ID: <34ab5a7a-609a-e79a-a249-218570807124@redhat.com>

On 14.03.2017 15:08, Florence Blanc-Renaud wrote:
> On 03/14/2017 01:51 PM, Martin Basti wrote:
>> Hello,
>>
>> DRAFT for FreeIPA 4.5.0 release notes is ready
>> http://www.freeipa.org/page/Releases/4.5.0
>>
>> Please update/let me know what is missing, what is extra.
>>
>>
>> Martin^2
>>
>>
>>
>>
> Hi Martin,
>
> thank you for the release notes. Could you update the section about
> Certificate Identity Mapping?
> '''
> Certificate Identity Mapping
>
> Support for multiple certificates on Smart cards has been added. User
> can choose which certificate is used to authenticate. This allows to
> define multiple certificates per user.
> The same certificate can be used by different accounts, and the
> mapping between a certificate and an account can be done through
> binary match of the whole certificate or a match on custom certificate
> attributes (such as Subject + Issuer).
> '''
>
> I also noted a typo:
> '''
> Bug fixes
> Contains all bugfixes and enhacements
> '''
> should be enhancements.
>
> Thank you,
> Flo
>
>

Thank you, updated
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 847 bytes
Desc: OpenPGP digital signature
URL:

From freeipa-github-notification at redhat.com Tue Mar 14 14:12:58 2017
From: freeipa-github-notification at redhat.com (dkupka)
Date: Tue, 14 Mar 2017 15:12:58 +0100
Subject: [Freeipa-devel] [freeipa PR#559][+ack] WebUI: Certificate login
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/559
Title: #559: WebUI: Certificate login

Label: +ack

From freeipa-github-notification at redhat.com Tue Mar 14 14:12:59 2017
From: freeipa-github-notification at redhat.com (dkupka)
Date: Tue, 14 Mar 2017 15:12:59 +0100
Subject: [Freeipa-devel] [freeipa PR#559][comment] WebUI: Certificate login
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/559
Title: #559: WebUI: Certificate login

dkupka commented:
"""
LGTM and works.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/559#issuecomment-286433331

From freeipa-github-notification at redhat.com Tue Mar 14 14:14:21 2017
From: freeipa-github-notification at redhat.com (dkupka)
Date: Tue, 14 Mar 2017 15:14:21 +0100
Subject: [Freeipa-devel] [freeipa PR#559][comment] WebUI: Certificate login
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/559
Title: #559: WebUI: Certificate login

dkupka commented:
"""
master:

* 75c592d3b9081474cae51c929e6af29c7a0eebb6 Support certificate login after installation and upgrade
* 585547ee9478ea0173106d88d40d7807baab8bcf WebUI: add link to login page which for login using certificate
"""

See the full comment at https://github.com/freeipa/freeipa/pull/559#issuecomment-286433787

From freeipa-github-notification at redhat.com Tue Mar 14 14:14:23 2017
From: freeipa-github-notification at redhat.com (dkupka)
Date: Tue, 14 Mar 2017 15:14:23 +0100
Subject: [Freeipa-devel] [freeipa PR#559][+pushed] WebUI: Certificate login
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/559
Title: #559: WebUI: Certificate login

Label: +pushed

From freeipa-github-notification at redhat.com Tue Mar 14 14:14:24 2017
From: freeipa-github-notification at redhat.com (dkupka)
Date: Tue, 14 Mar 2017 15:14:24 +0100
Subject: [Freeipa-devel] [freeipa PR#559][closed] WebUI: Certificate login
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/559
Author: pvomacka
Title: #559: WebUI: Certificate login
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/559/head:pr559
git checkout pr559

From mbasti at redhat.com Tue Mar 14 14:14:46 2017
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 14 Mar 2017 15:14:46 +0100
Subject: [Freeipa-devel] [DRAFT] Release notes FreeIPA 4.5.0
In-Reply-To: <70cc30c6-0bec-6931-c201-c612c4c6a665@redhat.com>
References: <00f32121-912b-14d2-6810-c06f06d97d97@redhat.com> <20170314135037.tqyncyzkgzi5o2lq@hendrix> <70cc30c6-0bec-6931-c201-c612c4c6a665@redhat.com>
Message-ID: <115288e8-5461-5629-214b-4ca88abc7342@redhat.com>

On 14.03.2017 14:56, Luc de Louw wrote:
> My 3 cents...
>
> "Please note that FIPS 140-2 support may not work on some platforms"
>
> -> Does it work in Fedora? Should be worth mentioning it so people are
> more encouraged to test it in Fedora before it's getting to RHEL 7.4
>
> Thanks,
>
> Luc

We cannot guarantee that FIPS mode will work with fedora, any package
update may break it.

>
>
>
> On 03/14/2017 02:50 PM, Jakub Hrozek wrote:
>> On Tue, Mar 14, 2017 at 01:51:19PM +0100, Martin Basti wrote:
>>> Hello,
>>>
>>> DRAFT for FreeIPA 4.5.0 release notes is ready
>>> http://www.freeipa.org/page/Releases/4.5.0
>>>
>>> Please update/let me know what is missing, what is extra.
>>
>> Please update this paragraph:
>> ````
>> AD User Short Names
>>
>> Support for AD users short names has been added. Short
>> names can be enabled from CLI by setting ipa config-mod
>> --domain-resolution-order="domain.test:ad.domain1.test:ad.domain2.test"
>> or from WebUI under Configuration tab. No manual configuration on SSSD
>> side is required.
>> ````
>>
>> With a note that this feature is not supported by SSSD yet and the work
>> is tracked with https://pagure.io/SSSD/sssd/issue/3210
>>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 847 bytes
Desc: OpenPGP digital signature
URL:

From mbasti at redhat.com Tue Mar 14 14:15:03 2017
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 14 Mar 2017 15:15:03 +0100
Subject: [Freeipa-devel] [DRAFT] Release notes FreeIPA 4.5.0
In-Reply-To: <20170314140654.cubagocvpzio5iel@redhat.com>
References: <00f32121-912b-14d2-6810-c06f06d97d97@redhat.com> <20170314135037.tqyncyzkgzi5o2lq@hendrix> <70cc30c6-0bec-6931-c201-c612c4c6a665@redhat.com> <20170314140654.cubagocvpzio5iel@redhat.com>
Message-ID: <07e21d7a-ba69-3ec0-6c76-17bab3b8d439@redhat.com>

On 14.03.2017 15:06, Alexander Bokovoy wrote:
> On Tue, 14 Mar 2017, Luc de Louw wrote:
>> My 3 cents...
>>
>> "Please note that FIPS 140-2 support may not work on some platforms"
>>
>> -> Does it work in Fedora? Should be worth mentioning it so people are
>> more encouraged to test it in Fedora before it's getting to RHEL 7.4
> I think we should actually add an explicit statement for trust to AD not
> currently supporting FIPS 140-2 mode.
>

I will add it to known issues
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 847 bytes
Desc: OpenPGP digital signature
URL:

From freeipa-github-notification at redhat.com Tue Mar 14 14:16:48 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Tue, 14 Mar 2017 15:16:48 +0100
Subject: [Freeipa-devel] [freeipa PR#569][+pushed] Remove copy-schema-to-ca.py from master branch
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/569
Title: #569: Remove copy-schema-to-ca.py from master branch

Label: +pushed

From freeipa-github-notification at redhat.com Tue Mar 14 14:16:50 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Tue, 14 Mar 2017 15:16:50 +0100
Subject: [Freeipa-devel] [freeipa PR#569][comment] Remove copy-schema-to-ca.py from master branch
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/569
Title: #569: Remove copy-schema-to-ca.py from master branch

MartinBasti commented:
"""
master:

* f4c7f1dd8a9ce530a8291219a904686ee47e59c7 Remove copy-schema-to-ca.py from master branch
* ca5b53adccdd581bc39233378c422ca448e6edd2 Add copy-schema-to-ca for RHEL6 to contrib/
"""

See the full comment at https://github.com/freeipa/freeipa/pull/569#issuecomment-286434510

From freeipa-github-notification at redhat.com Tue Mar 14 14:16:51 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Tue, 14 Mar 2017 15:16:51 +0100
Subject: [Freeipa-devel] [freeipa PR#569][closed] Remove copy-schema-to-ca.py from master branch
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/569
Author: MartinBasti
Title: #569: Remove copy-schema-to-ca.py from master branch
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/569/head:pr569
git checkout pr569

From freeipa-github-notification at redhat.com Tue Mar 14 14:35:04 2017
From: freeipa-github-notification at redhat.com (tjaalton)
Date: Tue, 14 Mar 2017 15:35:04 +0100
Subject: [Freeipa-devel] [freeipa PR#583][opened] ipaplatform/debian/services: Fix is_running arguments.
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/583
Author: tjaalton
Title: #583: ipaplatform/debian/services: Fix is_running arguments.
Action: opened

PR body:
"""
Brown paper bag moment, discovered when trying to install 4.4.x.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/583/head:pr583
git checkout pr583
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-583.patch
Type: text/x-diff
Size: 883 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Tue Mar 14 14:43:34 2017
From: freeipa-github-notification at redhat.com (tjaalton)
Date: Tue, 14 Mar 2017 15:43:34 +0100
Subject: [Freeipa-devel] [freeipa PR#583][synchronized] ipaplatform/debian/services: Fix is_running arguments.
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/583
Author: tjaalton
Title: #583: ipaplatform/debian/services: Fix is_running arguments.
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/583/head:pr583
git checkout pr583
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-583.patch
Type: text/x-diff
Size: 1770 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Tue Mar 14 14:49:13 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Tue, 14 Mar 2017 15:49:13 +0100
Subject: [Freeipa-devel] [freeipa PR#582][comment] Remove pkinit from ipa-replica-prepare
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/582
Title: #582: Remove pkinit from ipa-replica-prepare

MartinBasti commented:
"""
Works for me.

@abbra @simo5 do you have any objections?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/582#issuecomment-286444597

From freeipa-github-notification at redhat.com Tue Mar 14 14:54:53 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Tue, 14 Mar 2017 15:54:53 +0100
Subject: [Freeipa-devel] [freeipa PR#531][comment] httpinstance: disable system trust module in /etc/httpd/alias
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/531
Title: #531: httpinstance: disable system trust module in /etc/httpd/alias

stlaz commented:
"""
It seems to work fine for "mod_nss" reinstalls but `ipa-server-upgrade` is currently failing so I can't confirm that's ok.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/531#issuecomment-286446500

From freeipa-github-notification at redhat.com Tue Mar 14 14:56:40 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Tue, 14 Mar 2017 15:56:40 +0100
Subject: [Freeipa-devel] [freeipa PR#531][comment] httpinstance: disable system trust module in /etc/httpd/alias
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/531
Title: #531: httpinstance: disable system trust module in /etc/httpd/alias

stlaz commented:
"""
It seems to work fine for "mod_nss" reinstalls but `ipa-server-upgrade` is currently failing so I can't confirm that's ok.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/531#issuecomment-286446500

From freeipa-github-notification at redhat.com Tue Mar 14 14:57:40 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Tue, 14 Mar 2017 15:57:40 +0100
Subject: [Freeipa-devel] [freeipa PR#531][+ack] httpinstance: disable system trust module in /etc/httpd/alias
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/531
Title: #531: httpinstance: disable system trust module in /etc/httpd/alias

Label: +ack

From freeipa-github-notification at redhat.com Tue Mar 14 14:58:40 2017
From: freeipa-github-notification at redhat.com (abbra)
Date: Tue, 14 Mar 2017 15:58:40 +0100
Subject: [Freeipa-devel] [freeipa PR#582][comment] Remove pkinit from ipa-replica-prepare
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/582
Title: #582: Remove pkinit from ipa-replica-prepare

abbra commented:
"""
LGTM.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/582#issuecomment-286447734

From freeipa-github-notification at redhat.com Tue Mar 14 14:59:58 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Tue, 14 Mar 2017 15:59:58 +0100
Subject: [Freeipa-devel] [freeipa PR#531][-ack] httpinstance: disable system trust module in /etc/httpd/alias
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/531
Title: #531: httpinstance: disable system trust module in /etc/httpd/alias

Label: -ack

From freeipa-github-notification at redhat.com Tue Mar 14 15:00:39 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Tue, 14 Mar 2017 16:00:39 +0100
Subject: [Freeipa-devel] [freeipa PR#543][comment] Add options to allow ticket caching
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/543
Title: #543: Add options to allow ticket caching

tiran commented:
"""
@simo5 please resolve the merge conflict
"""

See the full comment at https://github.com/freeipa/freeipa/pull/543#issuecomment-286448385

From freeipa-github-notification at redhat.com Tue Mar 14 15:01:16 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Tue, 14 Mar 2017 16:01:16 +0100
Subject: [Freeipa-devel] [freeipa PR#582][comment] Remove pkinit from ipa-replica-prepare
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/582
Title: #582: Remove pkinit from ipa-replica-prepare

HonzaCholasta commented:
"""
The options were available since forever, so I guess you should just hide them instead of removing them.

The same options are still available in domain level 0 `ipa-server-install` - is this intentional?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/582#issuecomment-286448587

From freeipa-github-notification at redhat.com Tue Mar 14 15:01:34 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Tue, 14 Mar 2017 16:01:34 +0100
Subject: [Freeipa-devel] [freeipa PR#517][synchronized] [WIP] Use Custodia 0.3 features
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/517
Author: tiran
Title: #517: [WIP] Use Custodia 0.3 features
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/517/head:pr517
git checkout pr517
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-517.patch
Type: text/x-diff
Size: 7349 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Tue Mar 14 15:02:16 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Tue, 14 Mar 2017 16:02:16 +0100
Subject: [Freeipa-devel] [freeipa PR#517][comment] [WIP] Use Custodia 0.3 features
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/517
Title: #517: [WIP] Use Custodia 0.3 features

tiran commented:
"""
sigh, template markers aren't picked up automatically. I fixed ```init/systemd/Makefile.am```.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-286448906

From freeipa-github-notification at redhat.com Tue Mar 14 15:05:03 2017
From: freeipa-github-notification at redhat.com (abbra)
Date: Tue, 14 Mar 2017 16:05:03 +0100
Subject: [Freeipa-devel] [freeipa PR#582][comment] Remove pkinit from ipa-replica-prepare
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/582
Title: #582: Remove pkinit from ipa-replica-prepare

abbra commented:
"""
They were in DL0 in `ipa-server-install` for a very long time and never worked. We left them there to make sure we can get them back to work sometime later. We did, but in the new design `ipa-replica-prepare` does not need to use these options, unlike `ipa-server-install`.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/582#issuecomment-286449785

From slaznick at redhat.com Tue Mar 14 15:07:21 2017
From: slaznick at redhat.com (Standa Laznicka)
Date: Tue, 14 Mar 2017 16:07:21 +0100
Subject: [Freeipa-devel] [DRAFT] Release notes FreeIPA 4.5.0
In-Reply-To: <115288e8-5461-5629-214b-4ca88abc7342@redhat.com>
References: <00f32121-912b-14d2-6810-c06f06d97d97@redhat.com> <20170314135037.tqyncyzkgzi5o2lq@hendrix> <70cc30c6-0bec-6931-c201-c612c4c6a665@redhat.com> <115288e8-5461-5629-214b-4ca88abc7342@redhat.com>
Message-ID: <26125740-539f-578b-8b62-16fb14b737ae@redhat.com>

On 03/14/2017 03:14 PM, Martin Basti wrote:
> On 14.03.2017 14:56, Luc de Louw wrote:
>> My 3 cents...
>>
>> "Please note that FIPS 140-2 support may not work on some platforms"
>>
>> -> Does it work in Fedora? Should be worth mentioning it so people are
>> more encouraged to test it in Fedora before it's getting to RHEL 7.4
>>
>> Thanks,
>>
>> Luc
> We cannot guarantee that FIPS mode will work with fedora, any package
> update may break it.

Fedora itself is not capable of running in FIPS mode so there's no point
adding it there.

>
>> On 03/14/2017 02:50 PM, Jakub Hrozek wrote:
>>> On Tue, Mar 14, 2017 at 01:51:19PM +0100, Martin Basti wrote:
>>>> Hello,
>>>>
>>>> DRAFT for FreeIPA 4.5.0 release notes is ready
>>>> http://www.freeipa.org/page/Releases/4.5.0
>>>>
>>>> Please update/let me know what is missing, what is extra.
>>> Please update this paragraph:
>>> ````
>>> AD User Short Names
>>>
>>> Support for AD users short names has been added. Short
>>> names can be enabled from CLI by setting ipa config-mod
>>> --domain-resolution-order="domain.test:ad.domain1.test:ad.domain2.test"
>>> or from WebUI under Configuration tab. No manual configuration on SSSD
>>> side is required.
>>> ````
>>>
>>> With a note that this feature is not supported by SSSD yet and the work
>>> is tracked with https://pagure.io/SSSD/sssd/issue/3210
>>>

From freeipa-github-notification at redhat.com Tue Mar 14 15:12:10 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Tue, 14 Mar 2017 16:12:10 +0100
Subject: [Freeipa-devel] [freeipa PR#542][comment] Implementation independent interface for CSR generation
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/542
Title: #542: Implementation independent interface for CSR generation

tiran commented:
"""
@LiptonB needs rebase
"""

See the full comment at https://github.com/freeipa/freeipa/pull/542#issuecomment-286452115

From freeipa-github-notification at redhat.com Tue Mar 14 15:13:48 2017
From: freeipa-github-notification at redhat.com (martbab)
Date: Tue, 14 Mar 2017 16:13:48 +0100
Subject: [Freeipa-devel] [freeipa PR#573][synchronized] Provide centralized management of user short name resolution
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/573
Author: martbab
Title: #573: Provide centralized management of user short name resolution
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/573/head:pr573
git checkout pr573
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-573.patch
Type: text/x-diff
Size: 23712 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Tue Mar 14 15:16:21 2017
From: freeipa-github-notification at redhat.com (martbab)
Date: Tue, 14 Mar 2017 16:16:21 +0100
Subject: [Freeipa-devel] [freeipa PR#573][synchronized] Provide centralized management of user short name resolution
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/573
Author: martbab
Title: #573: Provide centralized management of user short name resolution
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/573/head:pr573
git checkout pr573
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-573.patch
Type: text/x-diff
Size: 23712 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Tue Mar 14 15:19:02 2017
From: freeipa-github-notification at redhat.com (martbab)
Date: Tue, 14 Mar 2017 16:19:02 +0100
Subject: [Freeipa-devel] [freeipa PR#573][comment] Provide centralized management of user short name resolution
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/573
Title: #573: Provide centralized management of user short name resolution

martbab commented:
"""
PR rebased, I have fixed bugs in ID view objectclass handling and re-used the trusted domain retrieval code in certmap plugin. This is a separate commit so it can be removed if necessary.

I have noticed that with current PR we can not add the domain resolution order to Default Trust View, as it is protected from both modification and removal. @abbra is this expected also in this case?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/573#issuecomment-286454496

From rcritten at redhat.com Tue Mar 14 15:21:20 2017
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 14 Mar 2017 11:21:20 -0400
Subject: [Freeipa-devel] [DRAFT] Release notes FreeIPA 4.5.0
In-Reply-To: <26125740-539f-578b-8b62-16fb14b737ae@redhat.com>
References: <00f32121-912b-14d2-6810-c06f06d97d97@redhat.com> <20170314135037.tqyncyzkgzi5o2lq@hendrix> <70cc30c6-0bec-6931-c201-c612c4c6a665@redhat.com> <115288e8-5461-5629-214b-4ca88abc7342@redhat.com> <26125740-539f-578b-8b62-16fb14b737ae@redhat.com>
Message-ID: <0a22934b-caae-f960-24b0-7c52a7338cd5@redhat.com>

Standa Laznicka wrote:
> On 03/14/2017 03:14 PM, Martin Basti wrote:
>> On 14.03.2017 14:56, Luc de Louw wrote:
>>> My 3 cents...
>>>
>>> "Please note that FIPS 140-2 support may not work on some platforms"
>>>
>>> -> Does it work in Fedora? Should be worth mentioning it so people are
>>> more encouraged to test it in Fedora before it's getting to RHEL 7.4
>>>
>>> Thanks,
>>>
>>> Luc
>> We cannot guarantee that FIPS mode will work with fedora, any package
>> update may break it.
> Fedora itself is not capable of running in FIPS mode so there's no point
> adding it there.

I can't believe this is correct. Did you try it and it failed? Did you
file bugs?

The dracut-fips and dracut-fips-aesni packages are both available.

# cat /etc/redhat-release
Fedora release 25 (Twenty Five)
# sysctl crypto.fips_enabled
crypto.fips_enabled = 0

So the basic stuff is there and the kernel knows what FIPS is.

Any NSS-based application can enable FIPS-mode independently of the
kernel via modutil or application-specific settings (e.g. NSSFIPS in
mod_nss).

rob

From freeipa-github-notification at redhat.com Tue Mar 14 15:24:38 2017
From: freeipa-github-notification at redhat.com (abbra)
Date: Tue, 14 Mar 2017 16:24:38 +0100
Subject: [Freeipa-devel] [freeipa PR#573][comment] Provide centralized management of user short name resolution
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/573
Title: #573: Provide centralized management of user short name resolution

abbra commented:
"""
Yes, it is expected too. Remember that 'Default Trust View' is a view that applies globally. You already have a global setting to apply.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/573#issuecomment-286456329

From mbasti at redhat.com Tue Mar 14 15:24:59 2017
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 14 Mar 2017 16:24:59 +0100
Subject: [Freeipa-devel] [DRAFT] Release notes FreeIPA 4.5.0
In-Reply-To: <20170314135037.tqyncyzkgzi5o2lq@hendrix>
References: <00f32121-912b-14d2-6810-c06f06d97d97@redhat.com> <20170314135037.tqyncyzkgzi5o2lq@hendrix>
Message-ID: <10f549fa-a87e-18b2-c772-ac7970922f10@redhat.com>

On 14.03.2017 14:50, Jakub Hrozek wrote:
> On Tue, Mar 14, 2017 at 01:51:19PM +0100, Martin Basti wrote:
>> Hello,
>>
>> DRAFT for FreeIPA 4.5.0 release notes is ready
>> http://www.freeipa.org/page/Releases/4.5.0
>>
>> Please update/let me know what is missing, what is extra.
> Please update this paragraph:
> ````
> AD User Short Names
>
> Support for AD users short names has been added. Short
> names can be enabled from CLI by setting ipa config-mod
> --domain-resolution-order="domain.test:ad.domain1.test:ad.domain2.test"
> or from WebUI under Configuration tab. No manual configuration on SSSD
> side is required.
> ````
>
> With a note that this feature is not supported by SSSD yet and the work
> is tracked with https://pagure.io/SSSD/sssd/issue/3210
>

I updated that section. Shouldn't we remove it completely from release notes because it will not work until new SSSD is released?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 847 bytes
Desc: OpenPGP digital signature
URL:

From freeipa-github-notification at redhat.com Tue Mar 14 15:25:39 2017
From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 14 Mar 2017 16:25:39 +0100 Subject: [Freeipa-devel] [freeipa PR#538][synchronized] Run test_ipaclient test suite In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/538 Author: tiran Title: #538: Run test_ipaclient test suite Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/538/head:pr538 git checkout pr538 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-538.patch Type: text/x-diff Size: 645 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Mar 14 15:25:46 2017 From: freeipa-github-notification at redhat.com (tjaalton) Date: Tue, 14 Mar 2017 16:25:46 +0100 Subject: [Freeipa-devel] [freeipa PR#583][synchronized] ipaplatform/debian/services: Fix is_running arguments. In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/583 Author: tjaalton Title: #583: ipaplatform/debian/services: Fix is_running arguments. Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/583/head:pr583 git checkout pr583 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-583.patch Type: text/x-diff Size: 2754 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Mar 14 15:28:05 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 14 Mar 2017 16:28:05 +0100 Subject: [Freeipa-devel] [freeipa PR#531][+ack] httpinstance: disable system trust module in /etc/httpd/alias In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/531 Title: #531: httpinstance: disable system trust module in /etc/httpd/alias Label: +ack From freeipa-github-notification at redhat.com Tue Mar 14 15:29:18 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 14 Mar 2017 16:29:18 +0100 Subject: [Freeipa-devel] [freeipa PR#531][comment] httpinstance: disable system trust module in /etc/httpd/alias In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/531 Title: #531: httpinstance: disable system trust module in /etc/httpd/alias stlaz commented: """ I rebased your patchset on current master and put the uninstallation of `ipa_memcached` into a multipass block and all seems to work now. """ See the full comment at https://github.com/freeipa/freeipa/pull/531#issuecomment-286457931 From freeipa-github-notification at redhat.com Tue Mar 14 15:32:14 2017 
From: freeipa-github-notification at redhat.com (martbab)
Date: Tue, 14 Mar 2017 16:32:14 +0100
Subject: [Freeipa-devel] [freeipa PR#584][opened] Improve the implementation of PKINIT certificate retrieval
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/584
Author: martbab
Title: #584: Improve the implementation of PKINIT certificate retrieval
Action: opened

PR body:
"""
The original PKINIT cert request code contained numerous defects, namely:

* nearly absent handling of rejected requests and CA errors which resulted e.g. in an unusable WebUI after replica installation and

* certificate request logic that was not consistent with the rest of the installers (DS, HTTP for example): what caused hard errors in their case went unnoticed in PKINIT setup

This PR consolidates this code so that errors arising from CA rejecting the PKINIT cert request cause the installers to abort immediately. The PKINIT step was also split into a separate method executed before LDAP updates. The name was chosen to be `enable_ssl` in order to make the planned refactoring of certificate requesting code (https://pagure.io/freeipa/issue/6429) easier: the method name is not accurate but at least it is consistent with e.g. LDAP installer so the common code can be grepped with greater ease.

https://pagure.io/freeipa/issue/6739
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/584/head:pr584
git checkout pr584
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-584.patch
Type: text/x-diff
Size: 13283 bytes
Desc: not available
URL:

From slaznick at redhat.com Tue Mar 14 15:37:32 2017
From: slaznick at redhat.com (Standa Laznicka)
Date: Tue, 14 Mar 2017 16:37:32 +0100
Subject: [Freeipa-devel] [DRAFT] Release notes FreeIPA 4.5.0
In-Reply-To: <0a22934b-caae-f960-24b0-7c52a7338cd5@redhat.com>
References: <00f32121-912b-14d2-6810-c06f06d97d97@redhat.com> <20170314135037.tqyncyzkgzi5o2lq@hendrix> <70cc30c6-0bec-6931-c201-c612c4c6a665@redhat.com> <115288e8-5461-5629-214b-4ca88abc7342@redhat.com> <26125740-539f-578b-8b62-16fb14b737ae@redhat.com> <0a22934b-caae-f960-24b0-7c52a7338cd5@redhat.com>
Message-ID:

On 03/14/2017 04:21 PM, Rob Crittenden wrote:
> Standa Laznicka wrote:
>> On 03/14/2017 03:14 PM, Martin Basti wrote:
>>> On 14.03.2017 14:56, Luc de Louw wrote:
>>>> My 3 cents...
>>>>
>>>> "Please note that FIPS 140-2 support may not work on some platforms"
>>>>
>>>> -> Does it work in Fedora? Should be worth mention it so people are
>>>> more encouraged to test it in Fedora before it's getting to RHEL 7.4
>>>>
>>>> Thanks,
>>>>
>>>> Luc
>>> We cannot guarantee that FIPS mode will work with fedora, any package
>>> update may break it.
>> Fedora itself is not capable of running in FIPS mode so there's no point
>> adding it there.
> I can't believe this is correct. Did you try it and it failed? Did you
> file bugs?

Yes, yes and no. Please see the header at this page: https://fedoraproject.org/wiki/FedoraCryptoConsolidation

We tried to set up Fedora for FIPS in RHEV but the machine would not even start.

>
> The dracut-fips and dracut-fips-aesni packages are both available.
>
> # cat /etc/redhat-release
> Fedora release 25 (Twenty Five)
> # sysctl crypto.fips_enabled
> crypto.fips_enabled = 0
>
> So the basic stuff is there and the kernel knows what FIPS is.
>
> Any NSS-based application can enable FIPS-mode independently of the
> kernel via modutil or application-specific settings (e.g. NSSFIPS in
> mod_nss).
>
> rob

From freeipa-github-notification at redhat.com Tue Mar 14 15:49:10 2017
From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 14 Mar 2017 16:49:10 +0100 Subject: [Freeipa-devel] [freeipa PR#573][comment] Provide centralized management of user short name resolution In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/573 Title: #573: Provide centralized management of user short name resolution martbab commented: """ Ok thanks for explanation. """ See the full comment at https://github.com/freeipa/freeipa/pull/573#issuecomment-286464608 From pvoborni at redhat.com Tue Mar 14 15:52:01 2017 
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 14 Mar 2017 16:52:01 +0100
Subject: [Freeipa-devel] [DRAFT] Release notes FreeIPA 4.5.0
In-Reply-To: <10f549fa-a87e-18b2-c772-ac7970922f10@redhat.com>
References: <00f32121-912b-14d2-6810-c06f06d97d97@redhat.com> <20170314135037.tqyncyzkgzi5o2lq@hendrix> <10f549fa-a87e-18b2-c772-ac7970922f10@redhat.com>
Message-ID: <2515d655-c83c-6e21-08b9-5d6384f7329b@redhat.com>

On 03/14/2017 04:24 PM, Martin Basti wrote:
>
>
> On 14.03.2017 14:50, Jakub Hrozek wrote:
>> On Tue, Mar 14, 2017 at 01:51:19PM +0100, Martin Basti wrote:
>>> Hello,
>>>
>>> DRAFT for FreeIPA 4.5.0 release notes is ready
>>> http://www.freeipa.org/page/Releases/4.5.0
>>>
>>> Please update/let me know what is missing, what is extra.
>> Please update this paragraph:
>> ````
>> AD User Short Names
>>
>> Support for AD users short names has been added. Short
>> names can be enabled from CLI by setting ipa config-mod
>> --domain-resolution-order="domain.test:ad.domain1.test:ad.domain2.test"
>> or from WebUI under Configuration tab. No manual configuration on SSSD
>> side is required.
>> ````
>>
>> With a note that this feature is not supported by SSSD yet and the work
>> is tracked with https://pagure.io/SSSD/sssd/issue/3210
>>
> I updated that section. Shouldn't we remove it completely from release
> notes because it will not work until new SSSD is released?
>

I'd keep it there and add Jakub's comment. It will be useful when SSSD with the support is released.

--
Petr Vobornik

From freeipa-github-notification at redhat.com Tue Mar 14 15:55:06 2017
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Tue, 14 Mar 2017 16:55:06 +0100
Subject: [Freeipa-devel] [freeipa PR#538][+ack] Run test_ipaclient test suite
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/538
Title: #538: Run test_ipaclient test suite
Label: +ack

From freeipa-github-notification at redhat.com Tue Mar 14 15:58:28 2017
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 14 Mar 2017 16:58:28 +0100 Subject: [Freeipa-devel] [freeipa PR#581][+ack] Backup KDC certificate pair In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/581 Title: #581: Backup KDC certificate pair Label: +ack From freeipa-github-notification at redhat.com Tue Mar 14 16:02:31 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 14 Mar 2017 17:02:31 +0100 Subject: [Freeipa-devel] [freeipa PR#583][+ack] ipaplatform/debian/services: Fix is_running arguments. In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/583 Title: #583: ipaplatform/debian/services: Fix is_running arguments. Label: +ack From freeipa-github-notification at redhat.com Tue Mar 14 16:09:33 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 14 Mar 2017 17:09:33 +0100 Subject: [Freeipa-devel] [freeipa PR#583][+pushed] ipaplatform/debian/services: Fix is_running arguments. In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/583 Title: #583: ipaplatform/debian/services: Fix is_running arguments. Label: +pushed From freeipa-github-notification at redhat.com Tue Mar 14 16:09:35 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 14 Mar 2017 17:09:35 +0100 Subject: [Freeipa-devel] [freeipa PR#583][comment] ipaplatform/debian/services: Fix is_running arguments. In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/583 Title: #583: ipaplatform/debian/services: Fix is_running arguments. MartinBasti commented: """ master: * 1a47fcd3ee7fe2878c77de0729e422c40a457600 ipaplatform/debian/services: Fix is_running arguments. * 71db8c264e38502e80f05e9cb234185049450b62 ipaplatform/debian/paths: Add IPA_HTTPD_KDCPROXY. * c194f74b12a92e3beb01f36b5cbe20255d8247c5 ipaplatform/debian/paths: Rename IPA_KEYTAB to OLD_IPA_KEYTAB. """ See the full comment at https://github.com/freeipa/freeipa/pull/583#issuecomment-286471518 From freeipa-github-notification at redhat.com Tue Mar 14 16:09:36 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 14 Mar 2017 17:09:36 +0100 Subject: [Freeipa-devel] [freeipa PR#583][closed] ipaplatform/debian/services: Fix is_running arguments. In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/583 Author: tjaalton Title: #583: ipaplatform/debian/services: Fix is_running arguments. Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/583/head:pr583 git checkout pr583 From freeipa-github-notification at redhat.com Tue Mar 14 16:10:26 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 14 Mar 2017 17:10:26 +0100 Subject: [Freeipa-devel] [freeipa PR#581][comment] Backup KDC certificate pair In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/581 Title: #581: Backup KDC certificate pair MartinBasti commented: """ master: * ee6d031a6a0939c1f51a874b1f8f9b19ec727203 Backup KDC certificate pair """ See the full comment at https://github.com/freeipa/freeipa/pull/581#issuecomment-286471815 From freeipa-github-notification at redhat.com Tue Mar 14 16:10:27 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 14 Mar 2017 17:10:27 +0100 Subject: [Freeipa-devel] [freeipa PR#581][+pushed] Backup KDC certificate pair In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/581 Title: #581: Backup KDC certificate pair Label: +pushed From freeipa-github-notification at redhat.com Tue Mar 14 16:10:29 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 14 Mar 2017 17:10:29 +0100 Subject: [Freeipa-devel] [freeipa PR#581][closed] Backup KDC certificate pair In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/581 Author: stlaz Title: #581: Backup KDC certificate pair Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/581/head:pr581 git checkout pr581 From freeipa-github-notification at redhat.com Tue Mar 14 16:12:19 2017 
From: freeipa-github-notification at redhat.com (pvomacka) Date: Tue, 14 Mar 2017 17:12:19 +0100 Subject: [Freeipa-devel] [freeipa PR#577][synchronized] WebUI: Add support for AD users short name resolution In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/577 Author: pvomacka Title: #577: WebUI: Add support for AD users short name resolution Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/577/head:pr577 git checkout pr577 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-577.patch Type: text/x-diff Size: 1788 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Mar 14 16:12:44 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 14 Mar 2017 17:12:44 +0100 Subject: [Freeipa-devel] [freeipa PR#531][comment] httpinstance: disable system trust module in /etc/httpd/alias In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/531 Title: #531: httpinstance: disable system trust module in /etc/httpd/alias MartinBasti commented: """ master: * f037bfa48356a5fb28eebdb76f9dbd5cb461c2d2 httpinstance: disable system trust module in /etc/httpd/alias """ See the full comment at https://github.com/freeipa/freeipa/pull/531#issuecomment-286472486 From freeipa-github-notification at redhat.com Tue Mar 14 16:12:45 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 14 Mar 2017 17:12:45 +0100 Subject: [Freeipa-devel] [freeipa PR#531][+pushed] httpinstance: disable system trust module in /etc/httpd/alias In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/531 Title: #531: httpinstance: disable system trust module in /etc/httpd/alias Label: +pushed From freeipa-github-notification at redhat.com Tue Mar 14 16:12:46 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 14 Mar 2017 17:12:46 +0100 Subject: [Freeipa-devel] [freeipa PR#531][closed] httpinstance: disable system trust module in /etc/httpd/alias In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/531 Author: HonzaCholasta Title: #531: httpinstance: disable system trust module in /etc/httpd/alias Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/531/head:pr531 git checkout pr531 From freeipa-github-notification at redhat.com Tue Mar 14 16:14:52 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 14 Mar 2017 17:14:52 +0100 Subject: [Freeipa-devel] [freeipa PR#538][comment] Run test_ipaclient test suite In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/538 Title: #538: Run test_ipaclient test suite MartinBasti commented: """ master: * 08fc9d7a68220fc147177e6f757387823fea0f43 Run test_ipaclient test suite """ See the full comment at https://github.com/freeipa/freeipa/pull/538#issuecomment-286473191 From freeipa-github-notification at redhat.com Tue Mar 14 16:14:54 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 14 Mar 2017 17:14:54 +0100 Subject: [Freeipa-devel] [freeipa PR#538][+pushed] Run test_ipaclient test suite In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/538 Title: #538: Run test_ipaclient test suite Label: +pushed From freeipa-github-notification at redhat.com Tue Mar 14 16:14:55 2017 
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Tue, 14 Mar 2017 17:14:55 +0100
Subject: [Freeipa-devel] [freeipa PR#538][closed] Run test_ipaclient test suite
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/538
Author: tiran
Title: #538: Run test_ipaclient test suite
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/538/head:pr538
git checkout pr538

From freeipa-github-notification at redhat.com Tue Mar 14 16:30:37 2017
From: freeipa-github-notification at redhat.com (simo5)
Date: Tue, 14 Mar 2017 17:30:37 +0100
Subject: [Freeipa-devel] [freeipa PR#559][comment] WebUI: Certificate login
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/559
Title: #559: WebUI: Certificate login

simo5 commented:
"""
NACK NACK NACK

Please revert the change to the gssproxy template, it undoes half the work done in privilege separation
"""

See the full comment at https://github.com/freeipa/freeipa/pull/559#issuecomment-286478501

From freeipa-github-notification at redhat.com Tue Mar 14 16:31:17 2017
From: freeipa-github-notification at redhat.com (simo5)
Date: Tue, 14 Mar 2017 17:31:17 +0100
Subject: [Freeipa-devel] [freeipa PR#559][comment] WebUI: Certificate login
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/559
Title: #559: WebUI: Certificate login

simo5 commented:
"""
You need to wait to get the gssproxy fix I've been developing today and set the minimum gssproxy version to the one with the fix once we get to publish it
"""

See the full comment at https://github.com/freeipa/freeipa/pull/559#issuecomment-286478736

From freeipa-github-notification at redhat.com Tue Mar 14 16:31:26 2017
From: freeipa-github-notification at redhat.com (simo5)
Date: Tue, 14 Mar 2017 17:31:26 +0100
Subject: [Freeipa-devel] [freeipa PR#559][reopened] WebUI: Certificate login
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/559
Author: pvomacka
Title: #559: WebUI: Certificate login
Action: reopened

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/559/head:pr559
git checkout pr559

From freeipa-github-notification at redhat.com Tue Mar 14 16:31:47 2017
From: freeipa-github-notification at redhat.com (simo5)
Date: Tue, 14 Mar 2017 17:31:47 +0100
Subject: [Freeipa-devel] [freeipa PR#559][-ack] WebUI: Certificate login
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/559
Title: #559: WebUI: Certificate login
Label: -ack

From freeipa-github-notification at redhat.com Tue Mar 14 16:47:24 2017
From: freeipa-github-notification at redhat.com (pvomacka)
Date: Tue, 14 Mar 2017 17:47:24 +0100
Subject: [Freeipa-devel] [freeipa PR#585][opened] Remove allow_constrained_delegation from gssproxy.conf
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/585
Author: pvomacka
Title: #585: Remove allow_constrained_delegation from gssproxy.conf
Action: opened

PR body:
"""
This change reverts option which breaks privilege separation.

https://pagure.io/freeipa/issue/6225
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/585/head:pr585
git checkout pr585
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-585.patch
Type: text/x-diff
Size: 825 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Tue Mar 14 16:53:25 2017
From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 14 Mar 2017 17:53:25 +0100 Subject: [Freeipa-devel] [freeipa PR#502][synchronized] Make pylint and jsl optional In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/502 Author: tiran Title: #502: Make pylint and jsl optional Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/502/head:pr502 git checkout pr502 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-502.patch Type: text/x-diff Size: 6828 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Mar 14 16:54:25 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 14 Mar 2017 17:54:25 +0100 Subject: [Freeipa-devel] [freeipa PR#502][synchronized] Make pylint and jsl optional In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/502 Author: tiran Title: #502: Make pylint and jsl optional Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/502/head:pr502 git checkout pr502 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-502.patch Type: text/x-diff Size: 6828 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Mar 14 16:54:57 2017 
From: freeipa-github-notification at redhat.com (simo5)
Date: Tue, 14 Mar 2017 17:54:57 +0100
Subject: [Freeipa-devel] [freeipa PR#585][comment] Remove allow_constrained_delegation from gssproxy.conf
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/585
Title: #585: Remove allow_constrained_delegation from gssproxy.conf

simo5 commented:
"""
Please change commit message to:

The Apache process *must* not be allowed to use constrained delegation to contact services because it is already allowed to impersonate users to itself. Allowing it to perform constrained delegation would let it impersonate any user against the LDAP service without authentication.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/585#issuecomment-286486668

From freeipa-github-notification at redhat.com Tue Mar 14 16:56:23 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Tue, 14 Mar 2017 17:56:23 +0100
Subject: [Freeipa-devel] [freeipa PR#502][comment] Make pylint and jsl optional
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/502
Title: #502: Make pylint and jsl optional

tiran commented:
"""
The PR got three +1 / heart and not -1. I propose to get it merged for 4.5 today.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/502#issuecomment-286487177

From freeipa-github-notification at redhat.com Tue Mar 14 16:56:32 2017
From: freeipa-github-notification at redhat.com (pvomacka) Date: Tue, 14 Mar 2017 17:56:32 +0100 Subject: [Freeipa-devel] [freeipa PR#585][synchronized] Remove allow_constrained_delegation from gssproxy.conf In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/585 Author: pvomacka Title: #585: Remove allow_constrained_delegation from gssproxy.conf Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/585/head:pr585 git checkout pr585 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-585.patch Type: text/x-diff Size: 902 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Mar 14 16:57:09 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 14 Mar 2017 17:57:09 +0100 Subject: [Freeipa-devel] [freeipa PR#586][opened] Ignore ipapython/.DEFAULT_PLUGINS Message-ID: URL: https://github.com/freeipa/freeipa/pull/586 Author: tiran Title: #586: Ignore ipapython/.DEFAULT_PLUGINS Action: opened PR body: """ Signed-off-by: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/586/head:pr586 git checkout pr586 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-586.patch Type: text/x-diff Size: 582 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Mar 14 16:58:48 2017 
From: freeipa-github-notification at redhat.com (pvomacka) Date: Tue, 14 Mar 2017 17:58:48 +0100 Subject: [Freeipa-devel] [freeipa PR#585][synchronized] Remove allow_constrained_delegation from gssproxy.conf In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/585 Author: pvomacka Title: #585: Remove allow_constrained_delegation from gssproxy.conf Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/585/head:pr585 git checkout pr585 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-585.patch Type: text/x-diff Size: 1039 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Mar 14 16:59:51 2017 From: freeipa-github-notification at redhat.com (simo5) Date: Tue, 14 Mar 2017 17:59:51 +0100 Subject: [Freeipa-devel] [freeipa PR#585][+ack] Remove allow_constrained_delegation from gssproxy.conf In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/585 Title: #585: Remove allow_constrained_delegation from gssproxy.conf Label: +ack From freeipa-github-notification at redhat.com Tue Mar 14 17:00:58 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 14 Mar 2017 18:00:58 +0100 Subject: [Freeipa-devel] [freeipa PR#433][comment] csrgen: Allow some certificate fields to be specified by the user In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/433 Title: #433: csrgen: Allow some certificate fields to be specified by the user tiran commented: """ @LiptonB please resolve conflicts """ See the full comment at https://github.com/freeipa/freeipa/pull/433#issuecomment-286489002 From freeipa-github-notification at redhat.com Tue Mar 14 17:01:06 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 14 Mar 2017 18:01:06 +0100 Subject: [Freeipa-devel] [freeipa PR#586][comment] Ignore ipapython/.DEFAULT_PLUGINS In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/586 Title: #586: Ignore ipapython/.DEFAULT_PLUGINS HonzaCholasta commented: """ LGTM. Please use https://pagure.io/freeipa/issue/6597 as ticket link in the commit message. """ See the full comment at https://github.com/freeipa/freeipa/pull/586#issuecomment-286489040 From freeipa-github-notification at redhat.com Tue Mar 14 17:04:42 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Tue, 14 Mar 2017 18:04:42 +0100 Subject: [Freeipa-devel] [freeipa PR#559][comment] WebUI: Certificate login In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/559 Title: #559: WebUI: Certificate login pvomacka commented: """ Removed in https://github.com/freeipa/freeipa/pull/585 once it will be pushed I will close this one again. """ See the full comment at https://github.com/freeipa/freeipa/pull/559#issuecomment-286490161 From freeipa-github-notification at redhat.com Tue Mar 14 17:11:11 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 14 Mar 2017 18:11:11 +0100 Subject: [Freeipa-devel] [freeipa PR#502][synchronized] Make pylint and jsl optional In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/502 Author: tiran Title: #502: Make pylint and jsl optional Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/502/head:pr502 git checkout pr502 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-502.patch Type: text/x-diff Size: 6619 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Mar 14 17:21:16 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 14 Mar 2017 18:21:16 +0100 Subject: [Freeipa-devel] [freeipa PR#573][+ack] Provide centralized management of user short name resolution In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/573 Title: #573: Provide centralized management of user short name resolution Label: +ack From freeipa-github-notification at redhat.com Tue Mar 14 17:21:23 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 14 Mar 2017 18:21:23 +0100 Subject: [Freeipa-devel] [freeipa PR#587][opened] Python 3: Fix session storage Message-ID: URL: https://github.com/freeipa/freeipa/pull/587 Author: tiran Title: #587: Python 3: Fix session storage Action: opened PR body: """ ctypes can only handle bytes, not text. Encode and decode all incoming and outgoing text from UTF-8 to bytes. Signed-off-by: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/587/head:pr587 git checkout pr587 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-587.patch Type: text/x-diff Size: 2165 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Mar 14 17:21:39 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 14 Mar 2017 18:21:39 +0100 Subject: [Freeipa-devel] [freeipa PR#587][comment] Python 3: Fix session storage In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/587 Title: #587: Python 3: Fix session storage tiran commented: """ @simo5 is UTF-8 correct or are keys and values ASCII only? """ See the full comment at https://github.com/freeipa/freeipa/pull/587#issuecomment-286495619 From freeipa-github-notification at redhat.com Tue Mar 14 17:35:02 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 14 Mar 2017 18:35:02 +0100 Subject: [Freeipa-devel] [freeipa PR#584][comment] Improve the implementation of PKINIT certificate retrieval In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/584 Title: #584: Improve the implementation of PKINIT certificate retrieval MartinBasti commented: """ Since I applied this PR, I cannot pass through failing client side installation: ``` Forwarding 'ping' to json server 'https://vm-024.abc.idm.lab.eng.brq.redhat.com/ipa/json' Cannot connect to the server due to Kerberos error: No valid Negotiate header in server response. Trying with delegate=True trying https://vm-024.abc.idm.lab.eng.brq.redhat.com/ipa/json Forwarding 'ping' to json server 'https://vm-024.abc.idm.lab.eng.brq.redhat.com/ipa/json' Second connect with delegate=True also failed: No valid Negotiate header in server response Installation failed. As this is IPA server, changes will not be rolled back. Cannot connect to the IPA server RPC interface: No valid Negotiate header in server response The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR Configuration of client side components failed! ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/584#issuecomment-286499793 From freeipa-github-notification at redhat.com Tue Mar 14 17:37:36 2017 
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Tue, 14 Mar 2017 18:37:36 +0100
Subject: [Freeipa-devel] [freeipa PR#573][+pushed] Provide centralized management of user short name resolution
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/573
Title: #573: Provide centralized management of user short name resolution

Label: +pushed

From freeipa-github-notification at redhat.com Tue Mar 14 17:37:37 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Tue, 14 Mar 2017 18:37:37 +0100
Subject: [Freeipa-devel] [freeipa PR#573][comment] Provide centralized management of user short name resolution
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/573
Title: #573: Provide centralized management of user short name resolution

MartinBasti commented:
"""
master:

* 594c87daf873ceec0c0cf3464bcb1aadb9f2b92a Short name resolution: introduce the required schema
* 1b5f56d15455b6019dd532cb9635fa2c44cb0022 ipaconfig: add the ability to manipulate domain resolution order
* 544d66b7109300e570fb6849f0f9bab8020f3b66 idview: add domain_resolution_order attribute
* 4e5e3eebb223b7f2760e21f22e42775982104b0d Re-use trust domain retrieval code in certmap validators
"""

See the full comment at https://github.com/freeipa/freeipa/pull/573#issuecomment-286500632

From freeipa-github-notification at redhat.com Tue Mar 14 17:37:38 2017
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 14 Mar 2017 18:37:38 +0100 Subject: [Freeipa-devel] [freeipa PR#573][closed] Provide centralized management of user short name resolution In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/573 Author: martbab Title: #573: Provide centralized management of user short name resolution Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/573/head:pr573 git checkout pr573 From freeipa-github-notification at redhat.com Tue Mar 14 17:45:02 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 14 Mar 2017 18:45:02 +0100 Subject: [Freeipa-devel] [freeipa PR#577][+ack] WebUI: Add support for AD users short name resolution In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/577 Title: #577: WebUI: Add support for AD users short name resolution Label: +ack From freeipa-github-notification at redhat.com Tue Mar 14 17:45:51 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 14 Mar 2017 18:45:51 +0100 Subject: [Freeipa-devel] [freeipa PR#577][comment] WebUI: Add support for AD users short name resolution In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/577 Title: #577: WebUI: Add support for AD users short name resolution MartinBasti commented: """ master: * 2c194d793cd588d595c5ff639fbf5dac93e50e23 WebUI: Add support for management of user short name resolution """ See the full comment at https://github.com/freeipa/freeipa/pull/577#issuecomment-286503256 From freeipa-github-notification at redhat.com Tue Mar 14 17:45:52 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 14 Mar 2017 18:45:52 +0100 Subject: [Freeipa-devel] [freeipa PR#577][+pushed] WebUI: Add support for AD users short name resolution In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/577 Title: #577: WebUI: Add support for AD users short name resolution Label: +pushed From freeipa-github-notification at redhat.com Tue Mar 14 17:45:54 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 14 Mar 2017 18:45:54 +0100 Subject: [Freeipa-devel] [freeipa PR#577][closed] WebUI: Add support for AD users short name resolution In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/577 Author: pvomacka Title: #577: WebUI: Add support for AD users short name resolution Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/577/head:pr577 git checkout pr577 From freeipa-github-notification at redhat.com Tue Mar 14 17:56:33 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 14 Mar 2017 18:56:33 +0100 Subject: [Freeipa-devel] [freeipa PR#585][+pushed] Remove allow_constrained_delegation from gssproxy.conf In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/585 Title: #585: Remove allow_constrained_delegation from gssproxy.conf Label: +pushed From freeipa-github-notification at redhat.com Tue Mar 14 17:56:34 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 14 Mar 2017 18:56:34 +0100 Subject: [Freeipa-devel] [freeipa PR#585][comment] Remove allow_constrained_delegation from gssproxy.conf In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/585 Title: #585: Remove allow_constrained_delegation from gssproxy.conf MartinBasti commented: """ master: * f4cd61f3011877fc9cc2a809438059b07362b0aa Remove allow_constrained_delegation from gssproxy.conf """ See the full comment at https://github.com/freeipa/freeipa/pull/585#issuecomment-286506677 From freeipa-github-notification at redhat.com Tue Mar 14 17:56:35 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 14 Mar 2017 18:56:35 +0100 Subject: [Freeipa-devel] [freeipa PR#585][closed] Remove allow_constrained_delegation from gssproxy.conf In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/585 Author: pvomacka Title: #585: Remove allow_constrained_delegation from gssproxy.conf Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/585/head:pr585 git checkout pr585 From freeipa-github-notification at redhat.com Tue Mar 14 17:57:41 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 14 Mar 2017 18:57:41 +0100 Subject: [Freeipa-devel] [freeipa PR#559][+ack] WebUI: Certificate login In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/559 Title: #559: WebUI: Certificate login Label: +ack From freeipa-github-notification at redhat.com Tue Mar 14 17:58:02 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 14 Mar 2017 18:58:02 +0100 Subject: [Freeipa-devel] [freeipa PR#559][comment] WebUI: Certificate login In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/559 Title: #559: WebUI: Certificate login MartinBasti commented: """ #585 was pushed """ See the full comment at https://github.com/freeipa/freeipa/pull/559#issuecomment-286507175 From freeipa-github-notification at redhat.com Tue Mar 14 17:58:03 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 14 Mar 2017 18:58:03 +0100 Subject: [Freeipa-devel] [freeipa PR#559][closed] WebUI: Certificate login In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/559 Author: pvomacka Title: #559: WebUI: Certificate login Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/559/head:pr559 git checkout pr559 From freeipa-github-notification at redhat.com Tue Mar 14 18:35:44 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Tue, 14 Mar 2017 19:35:44 +0100
Subject: [Freeipa-devel] [freeipa PR#588][opened] CONFIGURE: Properly detect libpopt on el7
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/588
Author: HonzaCholasta
Title: #588: CONFIGURE: Properly detect libpopt on el7
Action: opened

PR body:
"""
libpopt added pkg-config file in 1.16 but there are still distributions which have an older version of the library (el6, el7). And new features from libpopt are not used anywhere.

Configure should try to detect as much as possible and users should not use workarounds with explicitly enabled variables as parameters e.g. ./configure POPT_LIBS="-lpopt "

This change originating from PR #494 is required to make building upstream IPA possible on RHEL/CentOS 7.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/588/head:pr588
git checkout pr588
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-588.patch
Type: text/x-diff
Size: 1370 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Tue Mar 14 18:36:23 2017
From: freeipa-github-notification at redhat.com (simo5)
Date: Tue, 14 Mar 2017 19:36:23 +0100
Subject: [Freeipa-devel] [freeipa PR#587][comment] Python 3: Fix session storage
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/587
Title: #587: Python 3: Fix session storage

simo5 commented:
"""
Technically principal names could use any encoding ... but we make the assumption they are utf-8 in freeIPA, so this should be ok.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/587#issuecomment-286518991

From freeipa-github-notification at redhat.com Tue Mar 14 18:36:31 2017
From: freeipa-github-notification at redhat.com (simo5)
Date: Tue, 14 Mar 2017 19:36:31 +0100
Subject: [Freeipa-devel] [freeipa PR#587][+ack] Python 3: Fix session storage
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/587
Title: #587: Python 3: Fix session storage

Label: +ack

From freeipa-github-notification at redhat.com Tue Mar 14 19:17:12 2017
From: freeipa-github-notification at redhat.com (lslebodn)
Date: Tue, 14 Mar 2017 20:17:12 +0100
Subject: [Freeipa-devel] [freeipa PR#502][comment] Make pylint and jsl optional
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/502
Title: #502: Make pylint and jsl optional

lslebodn commented:
"""
On (14/03/17 09:56), Christian Heimes wrote:
>The PR got three +1 / heart and not -1. I propose to get it merged for 4.5 today.
>
I cannot see 3-times +1 in this PR.

I can see just 2 reviewers in top right corner
* lslebodn requested changes
* tomaskrizek approved these changes

Is there any reason why upstream discussion is not accepted?
https://www.redhat.com/archives/freeipa-devel/2017-March/msg00371.html

LS
"""

See the full comment at https://github.com/freeipa/freeipa/pull/502#issuecomment-286530703

From rcritten at redhat.com Tue Mar 14 19:42:27 2017
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 14 Mar 2017 15:42:27 -0400
Subject: [Freeipa-devel] [DRAFT] Release notes FreeIPA 4.5.0
In-Reply-To:
References: <00f32121-912b-14d2-6810-c06f06d97d97@redhat.com> <20170314135037.tqyncyzkgzi5o2lq@hendrix> <70cc30c6-0bec-6931-c201-c612c4c6a665@redhat.com> <115288e8-5461-5629-214b-4ca88abc7342@redhat.com> <26125740-539f-578b-8b62-16fb14b737ae@redhat.com> <0a22934b-caae-f960-24b0-7c52a7338cd5@redhat.com>
Message-ID:

Standa Laznicka wrote:
> On 03/14/2017 04:21 PM, Rob Crittenden wrote:
>> Standa Laznicka wrote:
>>> On 03/14/2017 03:14 PM, Martin Basti wrote:
>>>> On 14.03.2017 14:56, Luc de Louw wrote:
>>>>> My 3 cents...
>>>>>
>>>>> "Please note that FIPS 140-2 support may not work on some platforms"
>>>>>
>>>>> -> Does it work in Fedora? Should be worth mention it so people are
>>>>> more encouraged to test it in Fedora before it's getting to RHEL 7.4
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Luc
>>>> We cannot guarantee that FIPS mode will work with fedora, any package
>>>> update may break it.
>>> Fedora itself is not capable of running in FIPS mode so there's no point
>>> adding it there.
>> I can't believe this is correct. Did you try it and it failed? Did you
>> file bugs?
> Yes, yes and no. Please see the header at this page:
> https://fedoraproject.org/wiki/FedoraCryptoConsolidation

Um, ok? What do shared certs and centralized crypto policies have to do
with FIPS not working in Fedora?

> We tried to set up Fedora for FIPS in RHEV but the machine would not
> even start.

Fedora 25 works for me in libvirt.

crypto.fips_enabled is 1.

It is enforcing it too, md5sum fails because FIPS is enabled.

So if it isn't working for you then bugs are required.

rob

>>
>> The dracut-fips and dracut-fips-aesni packages are both available.
>>
>> # cat /etc/redhat-release
>> Fedora release 25 (Twenty Five)
>> # sysctl crypto.fips_enabled
>> crypto.fips_enabled = 0
>>
>> So the basic stuff is there and the kernel knows what FIPS is.
>>
>> Any NSS-based application can enable FIPS-mode independently of the
>> kernel via modutil or application-specific settings (e.g. NSSFIPS in
>> mod_nss).
>>
>> rob
>
>

From mharmsen at redhat.com Tue Mar 14 21:43:42 2017
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Tue, 14 Mar 2017 15:43:42 -0600
Subject: [Freeipa-devel] Karma Requests for tomcatjss-7.2.1-1
Message-ID:

Everyone,

Sorry, due to a dependency glitch, tomcatjss needed to be re-spun again
(please ignore previous tomcatjss Karma emails):

*The following updated candidate builds of tomcatjss 7.2.1 were generated:*

  * *Fedora 25:*
      o *tomcatjss-7.2.1-1.fc25 *
  * *Fedora 26:*
      o *tomcatjss-7.2.1-1.fc26 *
  * *Fedora 27:*
      o *tomcatjss-7.2.1-1.fc27 *

*Please provide Karma for the following builds:*

  * *Fedora 25:*
      o *https://bodhi.fedoraproject.org/updates/FEDORA-2017-122cb7e152 tomcatjss-7.2.1-1.fc25 *
  * *Fedora 26:*
      o *https://bodhi.fedoraproject.org/updates/FEDORA-2017-2363353a6d tomcatjss-7.2.1-1.fc26 *

-- Matt
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From freeipa-github-notification at redhat.com Tue Mar 14 22:51:23 2017
From: freeipa-github-notification at redhat.com (tjaalton)
Date: Tue, 14 Mar 2017 23:51:23 +0100
Subject: [Freeipa-devel] [freeipa PR#589][opened] ipaplatform/debian/paths: Add some missing values.
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/589
Author: tjaalton
Title: #589: ipaplatform/debian/paths: Add some missing values.
Action: opened

PR body:
"""
Rename KRA_AGENT_PEM -> OLD_KRA_AGENT_PEM, add CERTMONGER_DOGTAG_SUBMIT.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/589/head:pr589
git checkout pr589
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-589.patch
Type: text/x-diff
Size: 1648 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Tue Mar 14 22:57:05 2017
From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 14 Mar 2017 23:57:05 +0100 Subject: [Freeipa-devel] [freeipa PR#586][synchronized] Ignore ipapython/.DEFAULT_PLUGINS In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/586 Author: tiran Title: #586: Ignore ipapython/.DEFAULT_PLUGINS Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/586/head:pr586 git checkout pr586 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-586.patch Type: text/x-diff Size: 620 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Mar 14 23:05:00 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 15 Mar 2017 00:05:00 +0100 Subject: [Freeipa-devel] [freeipa PR#502][comment] Make pylint and jsl optional In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/502 Title: #502: Make pylint and jsl optional tiran commented: """ https://github.com/freeipa/freeipa/pull/502#issue-209980292 two thumbs up, one heart, no thumbs down """ See the full comment at https://github.com/freeipa/freeipa/pull/502#issuecomment-286589361 From freeipa-github-notification at redhat.com Tue Mar 14 23:33:01 2017 
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 15 Mar 2017 00:33:01 +0100
Subject: [Freeipa-devel] [freeipa PR#475][synchronized] Add options to run only ipaclient unittests
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/475
Author: tiran
Title: #475: Add options to run only ipaclient unittests
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/475/head:pr475
git checkout pr475
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-475.patch
Type: text/x-diff
Size: 12759 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Tue Mar 14 23:35:09 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 15 Mar 2017 00:35:09 +0100
Subject: [Freeipa-devel] [freeipa PR#475][comment] Add options to run only ipaclient unittests
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/475
Title: #475: Add options to run only ipaclient unittests

tiran commented:
"""
@martbab I've cleaned up some white space noise and squashed all commits.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/475#issuecomment-286595358

From freeipa-github-notification at redhat.com Tue Mar 14 23:36:00 2017
From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 15 Mar 2017 00:36:00 +0100 Subject: [Freeipa-devel] [freeipa PR#397][synchronized] Improve wheel building and provide ipaserver wheel for local testing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/397 Author: tiran Title: #397: Improve wheel building and provide ipaserver wheel for local testing Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/397/head:pr397 git checkout pr397 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-397.patch Type: text/x-diff Size: 17036 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Mar 14 23:36:43 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 15 Mar 2017 00:36:43 +0100 Subject: [Freeipa-devel] [freeipa PR#397][comment] Improve wheel building and provide ipaserver wheel for local testing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/397 Title: #397: Improve wheel building and provide ipaserver wheel for local testing tiran commented: """ I've moved the code to cert.py and raise SkipPluginModule from there. """ See the full comment at https://github.com/freeipa/freeipa/pull/397#issuecomment-286595688 From ftweedal at redhat.com Tue Mar 14 23:49:14 2017 
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Wed, 15 Mar 2017 09:49:14 +1000
Subject: [Freeipa-devel] [DRAFT] Release notes FreeIPA 4.5.0
In-Reply-To: <00f32121-912b-14d2-6810-c06f06d97d97@redhat.com>
References: <00f32121-912b-14d2-6810-c06f06d97d97@redhat.com>
Message-ID: <20170314234914.GO10261@dhcp-40-8.bne.redhat.com>

On Tue, Mar 14, 2017 at 01:51:19PM +0100, Martin Basti wrote:
> Hello,
>
> DRAFT for FreeIPA 4.5.0 release notes is ready
> http://www.freeipa.org/page/Releases/4.5.0
>
> Please update/let me know what is missing, what is extra.
>
>
> Martin^2
>

I think we should add https://pagure.io/freeipa/issue/2614 to the
`Enhancements' section. There is no design page for it but it was a
big effort and it gives the deployer complete control over the IPA
CA subject DN (previously this was very restricted).

Thanks,
Fraser

From freeipa-github-notification at redhat.com Wed Mar 15 06:12:00 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Wed, 15 Mar 2017 07:12:00 +0100
Subject: [Freeipa-devel] [freeipa PR#502][comment] Make pylint and jsl optional
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/502
Title: #502: Make pylint and jsl optional

HonzaCholasta commented:
"""
This PR makes packaging IPA 4.5 on RHEL 7 easier for me, so thumbs up from me.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/502#issuecomment-286650409

From freeipa-github-notification at redhat.com Wed Mar 15 06:12:21 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Wed, 15 Mar 2017 07:12:21 +0100
Subject: [Freeipa-devel] [freeipa PR#586][+ack] Ignore ipapython/.DEFAULT_PLUGINS
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/586
Title: #586: Ignore ipapython/.DEFAULT_PLUGINS

Label: +ack

From freeipa-github-notification at redhat.com Wed Mar 15 06:12:57 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 15 Mar 2017 07:12:57 +0100 Subject: [Freeipa-devel] [freeipa PR#586][+pushed] Ignore ipapython/.DEFAULT_PLUGINS In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/586 Title: #586: Ignore ipapython/.DEFAULT_PLUGINS Label: +pushed From freeipa-github-notification at redhat.com Wed Mar 15 06:12:58 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 15 Mar 2017 07:12:58 +0100 Subject: [Freeipa-devel] [freeipa PR#586][comment] Ignore ipapython/.DEFAULT_PLUGINS In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/586 Title: #586: Ignore ipapython/.DEFAULT_PLUGINS HonzaCholasta commented: """ master: * a30d31b0c6122b44e1b4e84451e4196c3d0d7fe7 Ignore ipapython/.DEFAULT_PLUGINS """ See the full comment at https://github.com/freeipa/freeipa/pull/586#issuecomment-286650542 From freeipa-github-notification at redhat.com Wed Mar 15 06:13:00 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 15 Mar 2017 07:13:00 +0100 Subject: [Freeipa-devel] [freeipa PR#586][closed] Ignore ipapython/.DEFAULT_PLUGINS In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/586 Author: tiran Title: #586: Ignore ipapython/.DEFAULT_PLUGINS Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/586/head:pr586 git checkout pr586 From freeipa-github-notification at redhat.com Wed Mar 15 06:32:57 2017 
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 15 Mar 2017 07:32:57 +0100
Subject: [Freeipa-devel] [freeipa PR#584][comment] Improve the implementation of PKINIT certificate retrieval
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/584
Title: #584: Improve the implementation of PKINIT certificate retrieval

martbab commented:
"""
@simo5 are you OK with @abbra's inline suggestions (it is your commit after all :))?

@MartinBasti hmmm I will try to reproduce the issue with fresh VMs.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/584#issuecomment-286653324

From freeipa-github-notification at redhat.com Wed Mar 15 06:47:48 2017
From: freeipa-github-notification at redhat.com (Akasurde)
Date: Wed, 15 Mar 2017 07:47:48 +0100
Subject: [Freeipa-devel] [freeipa PR#590][opened] Validate user input for cert-get-requestdata
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/590
Author: Akasurde
Title: #590: Validate user input for cert-get-requestdata
Action: opened

PR body:
"""
Fix adds validation for Principal and CSR generation tool values

Fixes https://pagure.io/freeipa/issue/6742

Signed-off-by: Abhijeet Kasurde
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/590/head:pr590
git checkout pr590
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-590.patch
Type: text/x-diff
Size: 1599 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Mar 15 06:49:07 2017
From: freeipa-github-notification at redhat.com (Akasurde) Date: Wed, 15 Mar 2017 07:49:07 +0100 Subject: [Freeipa-devel] [freeipa PR#480][comment] Add request_type doc string in cert-request In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/480 Title: #480: Add request_type doc string in cert-request Akasurde commented: """ @HonzaCholasta ping """ See the full comment at https://github.com/freeipa/freeipa/pull/480#issuecomment-286655805 From freeipa-github-notification at redhat.com Wed Mar 15 06:56:26 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 15 Mar 2017 07:56:26 +0100 Subject: [Freeipa-devel] [freeipa PR#480][comment] Add request_type doc string in cert-request In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/480 Title: #480: Add request_type doc string in cert-request HonzaCholasta commented: """ I agree with @frasertweedale, but we can't remove the option from the server plugin altogether, as pre-4.4 clients always send it. You can hide the option by adding the `no_option` flag in the param definition. """ See the full comment at https://github.com/freeipa/freeipa/pull/480#issuecomment-286656963 From freeipa-github-notification at redhat.com Wed Mar 15 07:19:51 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 15 Mar 2017 08:19:51 +0100 Subject: [Freeipa-devel] [freeipa PR#591][opened] spec file: add unconditional python-setuptools BuildRequires Message-ID: URL: https://github.com/freeipa/freeipa/pull/591 Author: HonzaCholasta Title: #591: spec file: add unconditional python-setuptools BuildRequires Action: opened PR body: """ python-setuptools is required not only for lint, but to make the build possible at all. Move the python-setuptools BuildRequires from the lint section to the main section. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/591/head:pr591 git checkout pr591 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-591.patch Type: text/x-diff Size: 1588 bytes Desc: not available URL: From slaznick at redhat.com Wed Mar 15 07:19:51 2017 
From: slaznick at redhat.com (Standa Laznicka)
Date: Wed, 15 Mar 2017 08:19:51 +0100
Subject: [Freeipa-devel] [DRAFT] Release notes FreeIPA 4.5.0
In-Reply-To:
References: <00f32121-912b-14d2-6810-c06f06d97d97@redhat.com> <20170314135037.tqyncyzkgzi5o2lq@hendrix> <70cc30c6-0bec-6931-c201-c612c4c6a665@redhat.com> <115288e8-5461-5629-214b-4ca88abc7342@redhat.com> <26125740-539f-578b-8b62-16fb14b737ae@redhat.com> <0a22934b-caae-f960-24b0-7c52a7338cd5@redhat.com>
Message-ID: <254974e1-aac9-9c5c-66f2-177ff7b65ddc@redhat.com>

On 03/14/2017 08:42 PM, Rob Crittenden wrote:
> Standa Laznicka wrote:
>> On 03/14/2017 04:21 PM, Rob Crittenden wrote:
>>> Standa Laznicka wrote:
>>>> On 03/14/2017 03:14 PM, Martin Basti wrote:
>>>>> On 14.03.2017 14:56, Luc de Louw wrote:
>>>>>> My 3 cents...
>>>>>>
>>>>>> "Please note that FIPS 140-2 support may not work on some platforms"
>>>>>>
>>>>>> -> Does it work in Fedora? Should be worth mention it so people are
>>>>>> more encouraged to test it in Fedora before it's getting to RHEL 7.4
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Luc
>>>>> We cannot guarantee that FIPS mode will work with fedora, any package
>>>>> update may break it.
>>>> Fedora itself is not capable of running in FIPS mode so there's no point
>>>> adding it there.
>>> I can't believe this is correct. Did you try it and it failed? Did you
>>> file bugs?
>> Yes, yes and no. Please see the header at this page:
>> https://fedoraproject.org/wiki/FedoraCryptoConsolidation
> Um, ok? What do shared certs and centralized crypto policies have to do
> with FIPS not working in Fedora?

It was the only document I found really mentioning FIPS at the time.
There are no instructions how to set Fedora to FIPS mode so we used the
RHEL guidelines and the boot failed but the instructions do not
necessarily have to work for Fedora.

>> We tried to set up Fedora for FIPS in RHEV but the machine would not
>> even start.
> Fedora 25 works for me in libvirt.
>
> crypto.fips_enabled is 1.
>
> It is enforcing it too, md5sum fails because FIPS is enabled.
>
> So if it isn't working for you then bugs are required.
>
> rob
>
>>> The dracut-fips and dracut-fips-aesni packages are both available.

I will check dracut-fips at my earliest convenience, I did not notice it
when we started working on FIPS for FreeIPA, thanks.

>>>
>>> # cat /etc/redhat-release
>>> Fedora release 25 (Twenty Five)
>>> # sysctl crypto.fips_enabled
>>> crypto.fips_enabled = 0
>>>
>>> So the basic stuff is there and the kernel knows what FIPS is.
>>>
>>> Any NSS-based application can enable FIPS-mode independently of the
>>> kernel via modutil or application-specific settings (e.g. NSSFIPS in
>>> mod_nss).
>>>
>>> rob
>>

From freeipa-github-notification at redhat.com Wed Mar 15 07:23:16 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Wed, 15 Mar 2017 08:23:16 +0100
Subject: [Freeipa-devel] [freeipa PR#592][opened] slapi plugins: fix CFLAGS
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/592
Author: HonzaCholasta
Title: #592: slapi plugins: fix CFLAGS
Action: opened

PR body:
"""
Add explicit NSPR_CFLAGS and NSS_CFLAGS where NSPR_LIBS and NSS_LIBS is used.

Use DIRSRV_CFLAGS rather than hardcode -I/usr/include/dirsrv.

Append NSPR_CFLAGS to DIRSRV_CFLAGS in ./configure as slapi-plugin.h includes nspr.h.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/592/head:pr592
git checkout pr592
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-592.patch
Type: text/x-diff
Size: 11942 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Mar 15 07:29:57 2017
From: freeipa-github-notification at redhat.com (simo5) Date: Wed, 15 Mar 2017 08:29:57 +0100 Subject: [Freeipa-devel] [freeipa PR#543][synchronized] Add options to allow ticket caching In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/543 Author: simo5 Title: #543: Add options to allow ticket caching Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/543/head:pr543 git checkout pr543 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-543.patch Type: text/x-diff Size: 1220 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 15 07:31:13 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 15 Mar 2017 08:31:13 +0100 Subject: [Freeipa-devel] [freeipa PR#591][+ack] spec file: add unconditional python-setuptools BuildRequires In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/591 Title: #591: spec file: add unconditional python-setuptools BuildRequires Label: +ack From freeipa-github-notification at redhat.com Wed Mar 15 07:38:38 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 15 Mar 2017 08:38:38 +0100 Subject: [Freeipa-devel] [freeipa PR#591][comment] spec file: add unconditional python-setuptools BuildRequires In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/591 Title: #591: spec file: add unconditional python-setuptools BuildRequires HonzaCholasta commented: """ master: * 7ef4e9eb810063243fcc575434d856c854b14eee spec file: add unconditional python-setuptools BuildRequires """ See the full comment at https://github.com/freeipa/freeipa/pull/591#issuecomment-286663917 From freeipa-github-notification at redhat.com Wed Mar 15 07:38:39 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 15 Mar 2017 08:38:39 +0100 Subject: [Freeipa-devel] [freeipa PR#591][+pushed] spec file: add unconditional python-setuptools BuildRequires In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/591 Title: #591: spec file: add unconditional python-setuptools BuildRequires Label: +pushed From freeipa-github-notification at redhat.com Wed Mar 15 07:38:40 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 15 Mar 2017 08:38:40 +0100 Subject: [Freeipa-devel] [freeipa PR#591][closed] spec file: add unconditional python-setuptools BuildRequires In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/591 Author: HonzaCholasta Title: #591: spec file: add unconditional python-setuptools BuildRequires Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/591/head:pr591 git checkout pr591 From freeipa-github-notification at redhat.com Wed Mar 15 07:41:57 2017 
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 15 Mar 2017 08:41:57 +0100
Subject: [Freeipa-devel] [freeipa PR#593][opened] WIP: Add make patchcheck for developers
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/593
Author: tiran
Title: #593: WIP: Add make patchcheck for developers
Action: opened

PR body:
"""
Ticket 6604 makes pylint and jsl optional dependencies. The change is controversial, because some developers prefer that pylint and jsl should be required unless explicitly disabled.

`make patchcheck` is my answer to address the concerns. It's a superior solution to `make lint` as pre-commit check. It combines several additional checks under a single, easy rememberable and convenient make target:

* build all
* acilint, apiclient, jslint, polint
* make check
* pylint under Python 2 and 3
* subset of unit test suite

https://fedorahosted.org/freeipa/ticket/6604
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/593/head:pr593
git checkout pr593
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-593.patch
Type: text/x-diff
Size: 16345 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Mar 15 07:49:23 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 15 Mar 2017 08:49:23 +0100
Subject: [Freeipa-devel] [freeipa PR#594][opened] Fix Python 3 pylint errors
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/594
Author: tiran
Title: #594: Fix Python 3 pylint errors
Action: opened

PR body:
"""
```
************* Module ipaserver.install.ipa_kra_install
ipaserver/install/ipa_kra_install.py:25: [W0402(deprecated-module), ] Uses of a deprecated module 'optparse')
************* Module ipapython.install.core
ipapython/install/core.py:163: [E1101(no-member), _knob] Module 'types' has no 'TypeType' member)
************* Module ipatests.test_ipapython.test_dn
ipatests/test_ipapython/test_dn.py:1205: [W1505(deprecated-method), TestDN.test_x500_text] Using deprecated method assertEquals())
************* Module ipa-ca-install
install/tools/ipa-ca-install:228: [E1101(no-member), install_master] Instance of 'ValueError' has no 'message' member)
install/tools/ipa-ca-install:232: [E1101(no-member), install_master] Instance of 'ValueError' has no 'message' member)
```

Signed-off-by: Christian Heimes
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/594/head:pr594
git checkout pr594
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-594.patch
Type: text/x-diff
Size: 3554 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Mar 15 07:50:33 2017
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 15 Mar 2017 08:50:33 +0100
Subject: [Freeipa-devel] [freeipa PR#595][opened] idviews: correctly handle modification of non-existent view
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/595
Author: martbab
Title: #595: idviews: correctly handle modification of non-existent view
Action: opened

PR body:
"""
The pre-callback in `idview-mod` did not correctly handle non-existent object during objectclass check. It will now correctly report that the object was not found instead of generic 'no such entry'.

https://pagure.io/freeipa/issue/6372
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/595/head:pr595
git checkout pr595
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-595.patch
Type: text/x-diff
Size: 1687 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Mar 15 07:50:45 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 15 Mar 2017 08:50:45 +0100
Subject: [Freeipa-devel] [freeipa PR#593][comment] WIP: Add make patchcheck for developers
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/593
Title: #593: WIP: Add make patchcheck for developers

tiran commented:
"""
Depends on PRs #475, #587, #594
"""

See the full comment at https://github.com/freeipa/freeipa/pull/593#issuecomment-286665946

From freeipa-github-notification at redhat.com Wed Mar 15 07:52:30 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 15 Mar 2017 08:52:30 +0100
Subject: [Freeipa-devel] [freeipa PR#502][comment] Make pylint and jsl optional
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/502
Title: #502: Make pylint and jsl optional

tiran commented:
"""
PR #593 addresses @lslebodn concerns and provides a superior solution for local pre-commit checking.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/502#issuecomment-286666273

From mbabinsk at redhat.com Wed Mar 15 07:59:54 2017
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Wed, 15 Mar 2017 08:59:54 +0100
Subject: [Freeipa-devel] Temporary breakage of Travis CI
Message-ID: <20170315075954.GB22971@dhcp129-180.brq.redhat.com>

Hi list,

A premature push of https://github.com/freeipa/freeipa/pull/573 caused two failures to pop up in Travis CI job on your pull-requests. I have prepared https://github.com/freeipa/freeipa/pull/595 to amend this issue. Let's wait if it produces green Travis run and then push it ASAP.

--
Martin Babinsky

From freeipa-github-notification at redhat.com Wed Mar 15 08:03:25 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Wed, 15 Mar 2017 09:03:25 +0100
Subject: [Freeipa-devel] [freeipa PR#589][comment] ipaplatform/debian/paths: Add some missing values.
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/589
Title: #589: ipaplatform/debian/paths: Add some missing values.

stlaz commented:
"""
Good, I thought the release would bring more changes. Thank you for the patch!
"""

See the full comment at https://github.com/freeipa/freeipa/pull/589#issuecomment-286668086

From freeipa-github-notification at redhat.com Wed Mar 15 08:03:29 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Wed, 15 Mar 2017 09:03:29 +0100
Subject: [Freeipa-devel] [freeipa PR#589][+ack] ipaplatform/debian/paths: Add some missing values.
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/589
Title: #589: ipaplatform/debian/paths: Add some missing values.

Label: +ack

From mbasti at redhat.com Wed Mar 15 08:13:35 2017
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 15 Mar 2017 09:13:35 +0100
Subject: [Freeipa-devel] [DRAFT] Release notes FreeIPA 4.5.0
In-Reply-To: <20170314234914.GO10261@dhcp-40-8.bne.redhat.com>
References: <00f32121-912b-14d2-6810-c06f06d97d97@redhat.com> <20170314234914.GO10261@dhcp-40-8.bne.redhat.com>
Message-ID:

On 15.03.2017 00:49, Fraser Tweedale wrote:
> On Tue, Mar 14, 2017 at 01:51:19PM +0100, Martin Basti wrote:
>> Hello,
>>
>> DRAFT for FreeIPA 4.5.0 release notes is ready
>> http://www.freeipa.org/page/Releases/4.5.0
>>
>> Please update/let me know what is missing, what is extra.
>>
>>
>> Martin^2
>>
> I think we should add https://pagure.io/freeipa/issue/2614 to the
> `Enhancements' section. There is no design page for it but it was a
> big effort and it gives the deployer complete control over the IPA
> CA subject DN (previously this was very restricted).
>
> Thanks,
> Fraser

Can you suggest what to write to release notes (preferably in copy paste form)

thank you :)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 847 bytes
Desc: OpenPGP digital signature
URL:

From freeipa-github-notification at redhat.com Wed Mar 15 08:14:24 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 15 Mar 2017 09:14:24 +0100 Subject: [Freeipa-devel] [freeipa PR#596][opened] spec file: support client-only build Message-ID: URL: https://github.com/freeipa/freeipa/pull/596 Author: HonzaCholasta Title: #596: spec file: support client-only build Action: opened PR body: """ nspr-devel, nss-devel and openssl-devel are required for client-only build, move their respective BuildRequires from the server-specific BuildRequires section to the main BuildRequires section. Pass --enable-server or --disable-server to ./configure based on the value of %{ONLY_CLIENT}. Remove the `make client-check` call from %check, as the client-check target does not exist anymore. Always call `make check` instead. Do not package the /usr/share/ipa directory in freeipa-client-common, as it is not created in client-only build. https://pagure.io/freeipa/issue/6517 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/596/head:pr596 git checkout pr596 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-596.patch Type: text/x-diff Size: 3232 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 15 08:19:37 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Wed, 15 Mar 2017 09:19:37 +0100 Subject: [Freeipa-devel] [freeipa PR#592][+ack] slapi plugins: fix CFLAGS In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/592 Title: #592: slapi plugins: fix CFLAGS Label: +ack From freeipa-github-notification at redhat.com Wed Mar 15 08:37:32 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 15 Mar 2017 09:37:32 +0100 Subject: [Freeipa-devel] [freeipa PR#597][opened] spec file: support build without ipatests Message-ID: URL: https://github.com/freeipa/freeipa/pull/597 Author: HonzaCholasta Title: #597: spec file: support build without ipatests Action: opened PR body: """ Build ipatests only if %with_ipatests RPM macro is specified. By default the macro is specified if ONLY_CLIENT is not specified. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/597/head:pr597 git checkout pr597 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-597.patch Type: text/x-diff Size: 4013 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 15 08:41:03 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Wed, 15 Mar 2017 09:41:03 +0100 Subject: [Freeipa-devel] [freeipa PR#588][+ack] CONFIGURE: Properly detect libpopt on el7 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/588 Title: #588: CONFIGURE: Properly detect libpopt on el7 Label: +ack From freeipa-github-notification at redhat.com Wed Mar 15 08:47:54 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Mar 2017 09:47:54 +0100 Subject: [Freeipa-devel] [freeipa PR#595][+ack] idviews: correctly handle modification of non-existent view In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/595 Title: #595: idviews: correctly handle modification of non-existent view Label: +ack From freeipa-github-notification at redhat.com Wed Mar 15 08:48:39 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Mar 2017 09:48:39 +0100 Subject: [Freeipa-devel] [freeipa PR#595][comment] idviews: correctly handle modification of non-existent view In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/595 Title: #595: idviews: correctly handle modification of non-existent view MartinBasti commented: """ master: * 1cdd5dee006426c996f67240b6cb2c1aa05e5168 idviews: correctly handle modification of non-existent view """ See the full comment at https://github.com/freeipa/freeipa/pull/595#issuecomment-286677087 From freeipa-github-notification at redhat.com Wed Mar 15 08:48:40 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Mar 2017 09:48:40 +0100 Subject: [Freeipa-devel] [freeipa PR#595][+pushed] idviews: correctly handle modification of non-existent view In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/595 Title: #595: idviews: correctly handle modification of non-existent view Label: +pushed From freeipa-github-notification at redhat.com Wed Mar 15 08:48:42 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Mar 2017 09:48:42 +0100 Subject: [Freeipa-devel] [freeipa PR#595][closed] idviews: correctly handle modification of non-existent view In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/595 Author: martbab Title: #595: idviews: correctly handle modification of non-existent view Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/595/head:pr595 git checkout pr595 From freeipa-github-notification at redhat.com Wed Mar 15 08:49:08 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 15 Mar 2017 09:49:08 +0100 Subject: [Freeipa-devel] [freeipa PR#592][+pushed] slapi plugins: fix CFLAGS In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/592 Title: #592: slapi plugins: fix CFLAGS Label: +pushed From freeipa-github-notification at redhat.com Wed Mar 15 08:49:10 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 15 Mar 2017 09:49:10 +0100 Subject: [Freeipa-devel] [freeipa PR#592][comment] slapi plugins: fix CFLAGS In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/592 Title: #592: slapi plugins: fix CFLAGS HonzaCholasta commented: """ master: * b7329e31f5c985b9721e3a21b1cd1bec6430129d slapi plugins: fix CFLAGS """ See the full comment at https://github.com/freeipa/freeipa/pull/592#issuecomment-286677194 From freeipa-github-notification at redhat.com Wed Mar 15 08:49:11 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 15 Mar 2017 09:49:11 +0100 Subject: [Freeipa-devel] [freeipa PR#592][closed] slapi plugins: fix CFLAGS In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/592 Author: HonzaCholasta Title: #592: slapi plugins: fix CFLAGS Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/592/head:pr592 git checkout pr592 From freeipa-github-notification at redhat.com Wed Mar 15 08:49:41 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 15 Mar 2017 09:49:41 +0100 Subject: [Freeipa-devel] [freeipa PR#588][+pushed] CONFIGURE: Properly detect libpopt on el7 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/588 Title: #588: CONFIGURE: Properly detect libpopt on el7 Label: +pushed From freeipa-github-notification at redhat.com Wed Mar 15 08:49:43 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 15 Mar 2017 09:49:43 +0100 Subject: [Freeipa-devel] [freeipa PR#588][comment] CONFIGURE: Properly detect libpopt on el7 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/588 Title: #588: CONFIGURE: Properly detect libpopt on el7 HonzaCholasta commented: """ master: * 4fe9166ac9f9a100d69ce37f19ae1ae971bb2ce1 CONFIGURE: Properly detect libpopt on el7 """ See the full comment at https://github.com/freeipa/freeipa/pull/588#issuecomment-286677301 From freeipa-github-notification at redhat.com Wed Mar 15 08:49:44 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 15 Mar 2017 09:49:44 +0100 Subject: [Freeipa-devel] [freeipa PR#588][closed] CONFIGURE: Properly detect libpopt on el7 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/588 Author: HonzaCholasta Title: #588: CONFIGURE: Properly detect libpopt on el7 Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/588/head:pr588 git checkout pr588 From freeipa-github-notification at redhat.com Wed Mar 15 08:53:32 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Mar 2017 09:53:32 +0100 Subject: [Freeipa-devel] [freeipa PR#589][comment] ipaplatform/debian/paths: Add some missing values. In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/589 Title: #589: ipaplatform/debian/paths: Add some missing values. MartinBasti commented: """ master: * e20ad9c251d9118959e501cd49997662de8cdbfc ipaplatform/debian/paths: Add some missing values. """ See the full comment at https://github.com/freeipa/freeipa/pull/589#issuecomment-286678162 From freeipa-github-notification at redhat.com Wed Mar 15 08:53:34 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Mar 2017 09:53:34 +0100 Subject: [Freeipa-devel] [freeipa PR#589][+pushed] ipaplatform/debian/paths: Add some missing values. In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/589 Title: #589: ipaplatform/debian/paths: Add some missing values. Label: +pushed From freeipa-github-notification at redhat.com Wed Mar 15 08:53:35 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Mar 2017 09:53:35 +0100 Subject: [Freeipa-devel] [freeipa PR#589][closed] ipaplatform/debian/paths: Add some missing values. In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/589 Author: tjaalton Title: #589: ipaplatform/debian/paths: Add some missing values. Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/589/head:pr589 git checkout pr589 From freeipa-github-notification at redhat.com Wed Mar 15 09:03:27 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 15 Mar 2017 10:03:27 +0100 Subject: [Freeipa-devel] [freeipa PR#596][synchronized] spec file: support client-only build In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/596 Author: HonzaCholasta Title: #596: spec file: support client-only build Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/596/head:pr596 git checkout pr596 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-596.patch Type: text/x-diff Size: 3236 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 15 09:14:08 2017 
From: freeipa-github-notification at redhat.com (lslebodn)
Date: Wed, 15 Mar 2017 10:14:08 +0100
Subject: [Freeipa-devel] [freeipa PR#596][comment] spec file: support client-only build
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/596
Title: #596: spec file: support client-only build

lslebodn commented:
"""
You can also move few dependencies to server only build
```
BuildRequires: libini_config-devel
BuildRequires: cyrus-sasl-devel
```

Check spec file changes in **rejected** PR https://github.com/freeipa/freeipa/pull/494/files

otherwise LGTM
"""

See the full comment at https://github.com/freeipa/freeipa/pull/596#issuecomment-286683090

From freeipa-github-notification at redhat.com Wed Mar 15 09:23:19 2017
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Wed, 15 Mar 2017 10:23:19 +0100
Subject: [Freeipa-devel] [freeipa PR#502][+ack] Make pylint and jsl optional
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/502
Title: #502: Make pylint and jsl optional

Label: +ack

From freeipa-github-notification at redhat.com Wed Mar 15 09:23:29 2017
From: freeipa-github-notification at redhat.com (lslebodn)
Date: Wed, 15 Mar 2017 10:23:29 +0100
Subject: [Freeipa-devel] [freeipa PR#591][comment] spec file: add unconditional python-setuptools BuildRequires
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/591
Title: #591: spec file: add unconditional python-setuptools BuildRequires

lslebodn commented:
"""
Post push comment.

This is a reason why there was configure time check in **rejected** PR#494. Spec file change is not very upstream friendly. https://github.com/freeipa/freeipa/pull/494/commits/a1321abbdb2cf510e0f36c65d2af0fb6329d2e23
"""

See the full comment at https://github.com/freeipa/freeipa/pull/591#issuecomment-286685603

From freeipa-github-notification at redhat.com Wed Mar 15 09:32:27 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 15 Mar 2017 10:32:27 +0100 Subject: [Freeipa-devel] [freeipa PR#596][comment] spec file: support client-only build In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/596 Title: #596: spec file: support client-only build HonzaCholasta commented: """ I can't, both are required to build client components (`ipa-getkeytab` specifically), moving them to the server section would break client-only RPM build. """ See the full comment at https://github.com/freeipa/freeipa/pull/596#issuecomment-286687860 From freeipa-github-notification at redhat.com Wed Mar 15 09:32:32 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 15 Mar 2017 10:32:32 +0100 Subject: [Freeipa-devel] [freeipa PR#596][comment] spec file: support client-only build In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/596 Title: #596: spec file: support client-only build tiran commented: """ ```ipa-getkeytab``` uses ```libini_config``` and ```libsasl2```. """ See the full comment at https://github.com/freeipa/freeipa/pull/596#issuecomment-286687873 From freeipa-github-notification at redhat.com Wed Mar 15 09:33:14 2017 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Wed, 15 Mar 2017 10:33:14 +0100 Subject: [Freeipa-devel] [freeipa PR#560][+ack] rpcserver: x509_login: Handle unsuccessful certificate login gracefully In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/560 Title: #560: rpcserver: x509_login: Handle unsuccessful certificate login gracefully Label: +ack From freeipa-github-notification at redhat.com Wed Mar 15 09:33:25 2017 
From: freeipa-github-notification at redhat.com (flo-renaud) Date: Wed, 15 Mar 2017 10:33:25 +0100 Subject: [Freeipa-devel] [freeipa PR#560][comment] rpcserver: x509_login: Handle unsuccessful certificate login gracefully In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/560 Title: #560: rpcserver: x509_login: Handle unsuccessful certificate login gracefully flo-renaud commented: """ Hi, the invalid cert login correctly returns 401. """ See the full comment at https://github.com/freeipa/freeipa/pull/560#issuecomment-286688068 From freeipa-github-notification at redhat.com Wed Mar 15 09:35:11 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Mar 2017 10:35:11 +0100 Subject: [Freeipa-devel] [freeipa PR#560][+pushed] rpcserver: x509_login: Handle unsuccessful certificate login gracefully In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/560 Title: #560: rpcserver: x509_login: Handle unsuccessful certificate login gracefully Label: +pushed From freeipa-github-notification at redhat.com Wed Mar 15 09:35:12 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Mar 2017 10:35:12 +0100 Subject: [Freeipa-devel] [freeipa PR#560][closed] rpcserver: x509_login: Handle unsuccessful certificate login gracefully In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/560 Author: dkupka Title: #560: rpcserver: x509_login: Handle unsuccessful certificate login gracefully Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/560/head:pr560 git checkout pr560 From freeipa-github-notification at redhat.com Wed Mar 15 09:35:14 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Mar 2017 10:35:14 +0100 Subject: [Freeipa-devel] [freeipa PR#560][comment] rpcserver: x509_login: Handle unsuccessful certificate login gracefully In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/560 Title: #560: rpcserver: x509_login: Handle unsuccessful certificate login gracefully MartinBasti commented: """ master: * 70889d4d5e7e2bd65ab1d4a28e5eda4a51c9b0c0 rpcserver: x509_login: Handle unsuccessful certificate login gracefully """ See the full comment at https://github.com/freeipa/freeipa/pull/560#issuecomment-286688582 From freeipa-github-notification at redhat.com Wed Mar 15 09:49:16 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 15 Mar 2017 10:49:16 +0100 Subject: [Freeipa-devel] [freeipa PR#598][opened] Add PYTHON_INSTALL_EXTRA_OPTIONS and --install-layout=deb Message-ID: URL: https://github.com/freeipa/freeipa/pull/598 Author: tiran Title: #598: Add PYTHON_INSTALL_EXTRA_OPTIONS and --install-layout=deb Action: opened PR body: """ Debian packages should be installed under dist-packages, not site-packages. Debian has patched distutils and setuptools to add a new flag '--install-layout'. For --with-ipaplatform=debian, PYTHON_INSTALL_EXTRA_OPTIONS is set to '--install-layout=deb'. https://pagure.io/freeipa/issue/6764 Signed-off-by: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/598/head:pr598 git checkout pr598 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-598.patch Type: text/x-diff Size: 1881 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 15 09:51:17 2017 
From: freeipa-github-notification at redhat.com (pvomacka)
Date: Wed, 15 Mar 2017 10:51:17 +0100
Subject: [Freeipa-devel] [freeipa PR#596][comment] spec file: support client-only build
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/596
Title: #596: spec file: support client-only build

pvomacka commented:
"""
Client only build does not work on Fedora. So NACK.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/596#issuecomment-286692657

From freeipa-github-notification at redhat.com Wed Mar 15 09:56:44 2017
From: freeipa-github-notification at redhat.com (lslebodn)
Date: Wed, 15 Mar 2017 10:56:44 +0100
Subject: [Freeipa-devel] [freeipa PR#596][comment] spec file: support client-only build
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/596
Title: #596: spec file: support client-only build

lslebodn commented:
"""
On (15/03/17 02:32), Jan Cholasta wrote:
>I can't, both are required to build client components (`ipa-getkeytab` specifically), moving them to the server section would break client-only RPM build.
>
Sorry for confusion. I misinterpreted changes in diff.
The real change was moving following part to server only build
```
# %{_unitdir}, %{_tmpfilesdir}
BuildRequires: systemd
# systemd-tmpfiles which is executed from make install requires apache user
BuildRequires: httpd
```

But git diff decided to show moving of other lines

LS
"""

See the full comment at https://github.com/freeipa/freeipa/pull/596#issuecomment-286694086

From freeipa-github-notification at redhat.com Wed Mar 15 10:14:36 2017
From: freeipa-github-notification at redhat.com (Akasurde) Date: Wed, 15 Mar 2017 11:14:36 +0100 Subject: [Freeipa-devel] [freeipa PR#480][comment] Add request_type doc string in cert-request In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/480 Title: #480: Add request_type doc string in cert-request Akasurde commented: """ @HonzaCholasta Thanks I will use `no_option` flag and update PR. """ See the full comment at https://github.com/freeipa/freeipa/pull/480#issuecomment-286698411 From freeipa-github-notification at redhat.com Wed Mar 15 10:26:12 2017 From: freeipa-github-notification at redhat.com (Akasurde) Date: Wed, 15 Mar 2017 11:26:12 +0100 Subject: [Freeipa-devel] [freeipa PR#480][synchronized] Add request_type doc string in cert-request In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/480 Author: Akasurde Title: #480: Add request_type doc string in cert-request Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/480/head:pr480 git checkout pr480 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-480.patch Type: text/x-diff Size: 1001 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 15 10:31:18 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 15 Mar 2017 11:31:18 +0100 Subject: [Freeipa-devel] [freeipa PR#594][synchronized] Fix Python 3 pylint errors In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/594 Author: tiran Title: #594: Fix Python 3 pylint errors Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/594/head:pr594 git checkout pr594 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-594.patch Type: text/x-diff Size: 3818 bytes Desc: not available URL: From ftweedal at redhat.com Wed Mar 15 10:32:32 2017 
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Wed, 15 Mar 2017 20:32:32 +1000
Subject: [Freeipa-devel] [DRAFT] Release notes FreeIPA 4.5.0
In-Reply-To:
References: <00f32121-912b-14d2-6810-c06f06d97d97@redhat.com> <20170314234914.GO10261@dhcp-40-8.bne.redhat.com>
Message-ID: <20170315103232.GP10261@dhcp-40-8.bne.redhat.com>

On Wed, Mar 15, 2017 at 09:13:35AM +0100, Martin Basti wrote:
>
>
> On 15.03.2017 00:49, Fraser Tweedale wrote:
> > On Tue, Mar 14, 2017 at 01:51:19PM +0100, Martin Basti wrote:
> >> Hello,
> >>
> >> DRAFT for FreeIPA 4.5.0 release notes is ready
> >> http://www.freeipa.org/page/Releases/4.5.0
> >>
> >> Please update/let me know what is missing, what is extra.
> >>
> >>
> >> Martin^2
> >>
> > I think we should add https://pagure.io/freeipa/issue/2614 to the
> > `Enhancements' section. There is no design page for it but it was a
> > big effort and it gives the deployer complete control over the IPA
> > CA subject DN (previously this was very restricted).
> >
> > Thanks,
> > Fraser
>
> Can you suggest what to write to release notes (preferably in copy paste
> form)
>
> thank you :)
>
Here you go:

== Fully customisable CA name ==

The CA subject name is now fully customisable, and is no longer required to be related to the certificate subject base. The *ipa-server-install* and *ipa-ca-install* commands learned the *--ca-subject* and *--subject-base* options for configuring these values.

https://pagure.io/freeipa/issue/2614

Cheers,
Fraser

From freeipa-github-notification at redhat.com Wed Mar 15 10:49:47 2017
From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 15 Mar 2017 11:49:47 +0100 Subject: [Freeipa-devel] [freeipa PR#475][synchronized] Add options to run only ipaclient unittests In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/475 Author: tiran Title: #475: Add options to run only ipaclient unittests Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/475/head:pr475 git checkout pr475 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-475.patch Type: text/x-diff Size: 12759 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 15 10:50:01 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 15 Mar 2017 11:50:01 +0100 Subject: [Freeipa-devel] [freeipa PR#593][synchronized] WIP: Add make patchcheck for developers In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/593 Author: tiran Title: #593: WIP: Add make patchcheck for developers Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/593/head:pr593 git checkout pr593 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-593.patch Type: text/x-diff Size: 16345 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 15 10:50:19 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 15 Mar 2017 11:50:19 +0100 Subject: [Freeipa-devel] [freeipa PR#594][synchronized] Fix Python 3 pylint errors In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/594 Author: tiran Title: #594: Fix Python 3 pylint errors Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/594/head:pr594 git checkout pr594 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-594.patch Type: text/x-diff Size: 3818 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 15 10:51:18 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 15 Mar 2017 11:51:18 +0100 Subject: [Freeipa-devel] [freeipa PR#517][synchronized] [WIP] Use Custodia 0.3 features In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/517 Author: tiran Title: #517: [WIP] Use Custodia 0.3 features Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/517/head:pr517 git checkout pr517 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-517.patch Type: text/x-diff Size: 7349 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 15 10:59:02 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 15 Mar 2017 11:59:02 +0100 Subject: [Freeipa-devel] [freeipa PR#596][synchronized] spec file: support client-only build In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/596 Author: HonzaCholasta Title: #596: spec file: support client-only build Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/596/head:pr596 git checkout pr596 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-596.patch Type: text/x-diff Size: 3800 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 15 11:05:24 2017 From: freeipa-github-notification at redhat.com (Akasurde) Date: Wed, 15 Mar 2017 12:05:24 +0100 Subject: [Freeipa-devel] [freeipa PR#590][synchronized] Validate user input for cert-get-requestdata In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/590 Author: Akasurde Title: #590: Validate user input for cert-get-requestdata Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/590/head:pr590 git checkout pr590 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-590.patch Type: text/x-diff Size: 1581 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 15 11:07:05 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 15 Mar 2017 12:07:05 +0100 Subject: [Freeipa-devel] [freeipa PR#594][synchronized] Fix Python 3 pylint errors In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/594 Author: tiran Title: #594: Fix Python 3 pylint errors Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/594/head:pr594 git checkout pr594 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-594.patch Type: text/x-diff Size: 3755 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 15 11:08:37 2017 From: freeipa-github-notification at redhat.com (Akasurde) Date: Wed, 15 Mar 2017 12:08:37 +0100 Subject: [Freeipa-devel] [freeipa PR#480][synchronized] Add request_type doc string in cert-request In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/480 Author: Akasurde Title: #480: Add request_type doc string in cert-request Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/480/head:pr480 git checkout pr480 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-480.patch Type: text/x-diff Size: 1035 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 15 11:09:00 2017 
From: freeipa-github-notification at redhat.com (Akasurde) Date: Wed, 15 Mar 2017 12:09:00 +0100 Subject: [Freeipa-devel] [freeipa PR#480][edited] Hide request_type doc string in cert-request help In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/480 Author: Akasurde Title: #480: Hide request_type doc string in cert-request help Action: edited Changed field: title Original value: """ Add request_type doc string in cert-request """ From freeipa-github-notification at redhat.com Wed Mar 15 11:09:18 2017 From: freeipa-github-notification at redhat.com (Akasurde) Date: Wed, 15 Mar 2017 12:09:18 +0100 Subject: [Freeipa-devel] [freeipa PR#480][edited] Hide request_type doc string in cert-request help In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/480 Author: Akasurde Title: #480: Hide request_type doc string in cert-request help Action: edited Changed field: body Original value: """ Fix adds correct description to request_type argument in cert-request command help Fixes https://fedorahosted.org/freeipa/ticket/6494 Signed-off-by: Abhijeet Kasurde """ From freeipa-github-notification at redhat.com Wed Mar 15 11:30:42 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 15 Mar 2017 12:30:42 +0100 Subject: [Freeipa-devel] [freeipa PR#596][synchronized] spec file: support client-only build In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/596 Author: HonzaCholasta Title: #596: spec file: support client-only build Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/596/head:pr596 git checkout pr596 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-596.patch Type: text/x-diff Size: 7690 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 15 11:31:15 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 15 Mar 2017 12:31:15 +0100 Subject: [Freeipa-devel] [freeipa PR#596][comment] spec file: support client-only build In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/596 Title: #596: spec file: support client-only build HonzaCholasta commented: """ This PR now depends on PR #597. """ See the full comment at https://github.com/freeipa/freeipa/pull/596#issuecomment-286715408 From freeipa-github-notification at redhat.com Wed Mar 15 11:32:04 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 15 Mar 2017 12:32:04 +0100 Subject: [Freeipa-devel] [freeipa PR#596][synchronized] spec file: support client-only build In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/596 Author: HonzaCholasta Title: #596: spec file: support client-only build Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/596/head:pr596 git checkout pr596 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-596.patch Type: text/x-diff Size: 7728 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 15 11:42:56 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 15 Mar 2017 12:42:56 +0100 Subject: [Freeipa-devel] [freeipa PR#596][synchronized] spec file: support client-only build In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/596 Author: HonzaCholasta Title: #596: spec file: support client-only build Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/596/head:pr596 git checkout pr596 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-596.patch Type: text/x-diff Size: 7744 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 15 11:43:23 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 15 Mar 2017 12:43:23 +0100 Subject: [Freeipa-devel] [freeipa PR#597][synchronized] spec file: support build without ipatests In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/597 Author: HonzaCholasta Title: #597: spec file: support build without ipatests Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/597/head:pr597 git checkout pr597 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-597.patch Type: text/x-diff Size: 4076 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 15 11:44:53 2017 
From: freeipa-github-notification at redhat.com (lslebodn) Date: Wed, 15 Mar 2017 12:44:53 +0100 Subject: [Freeipa-devel] [freeipa PR#502][comment] Make pylint and jsl optional In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/502 Title: #502: Make pylint and jsl optional lslebodn commented: """ >PR #593 is not related to default yes; It is about something else. Current version does not fix concerns; because default should be yes as it was discussed in https://www.redhat.com/archives/freeipa-devel/2017-March/msg00371.html It looks like upstream discussion is useless. And nobody cares about other distributions than fedora/rhel which can parse recommendation from upstream spec file. I am really disappointed from such upstream unfriendly approach. """ See the full comment at https://github.com/freeipa/freeipa/pull/502#issuecomment-286718251 From freeipa-github-notification at redhat.com Wed Mar 15 11:48:53 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Mar 2017 12:48:53 +0100 Subject: [Freeipa-devel] [freeipa PR#598][comment] Add PYTHON_INSTALL_EXTRA_OPTIONS and --install-layout=deb In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/598 Title: #598: Add PYTHON_INSTALL_EXTRA_OPTIONS and --install-layout=deb MartinBasti commented: """ @tjaalton could you please check this PR? """ See the full comment at https://github.com/freeipa/freeipa/pull/598#issuecomment-286719071 From freeipa-github-notification at redhat.com Wed Mar 15 11:52:55 2017 
From: freeipa-github-notification at redhat.com (lslebodn) Date: Wed, 15 Mar 2017 12:52:55 +0100 Subject: [Freeipa-devel] [freeipa PR#502][comment] Make pylint and jsl optional In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/502 Title: #502: Make pylint and jsl optional lslebodn commented: """ > This PR makes packaging IPA 4.5 on RHEL 7 easier for me, so thumbs up from me. I understand it is more convenient to have less extra configure options in rhel; But it was discussed on upstream mailing list and better error messages would give such hints to everyone. https://www.redhat.com/archives/freeipa-devel/2017-March/msg00308.html @HonzaCholasta it would be good if you add comment also to upstream discussion; if you prefer autodetection. It would be good if result of discussion is the same as pushed patch. https://www.redhat.com/archives/freeipa-devel/2017-March/msg00371.html Current version will not persuade other distributions(debian; openSUSE) to run pylint as part of build. """ See the full comment at https://github.com/freeipa/freeipa/pull/502#issuecomment-286719902 From freeipa-github-notification at redhat.com Wed Mar 15 11:53:06 2017 
From: freeipa-github-notification at redhat.com (lslebodn) Date: Wed, 15 Mar 2017 12:53:06 +0100 Subject: [Freeipa-devel] [freeipa PR#502][comment] Make pylint and jsl optional In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/502 Title: #502: Make pylint and jsl optional lslebodn commented: """ > This PR makes packaging IPA 4.5 on RHEL 7 easier for me, so thumbs up from me. I understand it is more convenient to have less extra configure options in rhel; But it was discussed on upstream mailing list and better error messages would give such hints to everyone. https://www.redhat.com/archives/freeipa-devel/2017-March/msg00308.html @HonzaCholasta it would be good if you add comment also to upstream discussion; if you prefer autodetection. It would be good if result of discussion is the same as pushed patch. https://www.redhat.com/archives/freeipa-devel/2017-March/msg00371.html Current version will not persuade other distributions(debian; openSUSE) to run pylint as part of build. """ See the full comment at https://github.com/freeipa/freeipa/pull/502#issuecomment-286719902 From freeipa-github-notification at redhat.com Wed Mar 15 11:53:53 2017 
From: freeipa-github-notification at redhat.com (lslebodn) Date: Wed, 15 Mar 2017 12:53:53 +0100 Subject: [Freeipa-devel] [freeipa PR#502][comment] Make pylint and jsl optional In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/502 Title: #502: Make pylint and jsl optional lslebodn commented: """ >PR #593 is not related to default yes; It is about something else. Current version does not fix concerns; because default should be yes as it was discussed in https://www.redhat.com/archives/freeipa-devel/2017-March/msg00371.html It looks like upstream discussion is useless. And nobody cares about other distributions than fedora/rhel which can parse recommendation from upstream spec file. I am really disappointed from such upstream unfriendly approach. """ See the full comment at https://github.com/freeipa/freeipa/pull/502#issuecomment-286718251 From freeipa-github-notification at redhat.com Wed Mar 15 11:56:10 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Wed, 15 Mar 2017 12:56:10 +0100 Subject: [Freeipa-devel] [freeipa PR#596][comment] spec file: support client-only build In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/596 Title: #596: spec file: support client-only build pvomacka commented: """ @HonzaCholasta Thank you for update - only client build on Fedora now works. So ACK once the travis pass. """ See the full comment at https://github.com/freeipa/freeipa/pull/596#issuecomment-286720580 From freeipa-github-notification at redhat.com Wed Mar 15 11:57:23 2017 
From: freeipa-github-notification at redhat.com (lslebodn) Date: Wed, 15 Mar 2017 12:57:23 +0100 Subject: [Freeipa-devel] [freeipa PR#502][comment] Make pylint and jsl optional In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/502 Title: #502: Make pylint and jsl optional lslebodn commented: """ >PR #593 is not related to default yes; It is about something else. Current version does not fix concerns; because default should be yes as it was discussed in https://www.redhat.com/archives/freeipa-devel/2017-March/msg00371.html It looks like upstream discussion is useless. And nobody cares about other distributions than fedora/rhel which can parse recommendation from upstream spec file. I am really disappointed from such upstream unfriendly approach. """ See the full comment at https://github.com/freeipa/freeipa/pull/502#issuecomment-286718251 From freeipa-github-notification at redhat.com Wed Mar 15 12:02:20 2017 From: freeipa-github-notification at redhat.com (lslebodn) Date: Wed, 15 Mar 2017 13:02:20 +0100 Subject: [Freeipa-devel] [freeipa PR#502][comment] Make pylint and jsl optional In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/502 Title: #502: Make pylint and jsl optional lslebodn commented: """ On (14/03/17 16:05), Christian Heimes wrote: >https://github.com/freeipa/freeipa/pull/502#issue-209980292 > >two thumbs up, one heart, no thumbs down > My naive assumption was that discussion about approach was moved to freeipa-devel. """ See the full comment at https://github.com/freeipa/freeipa/pull/502#issuecomment-286721796 From freeipa-github-notification at redhat.com Wed Mar 15 12:17:04 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 15 Mar 2017 13:17:04 +0100 Subject: [Freeipa-devel] [freeipa PR#502][comment] Make pylint and jsl optional In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/502 Title: #502: Make pylint and jsl optional HonzaCholasta commented: """ @lslebodn, nobody said that this has to be the last lint build related patch ever, we can change the behavior later, even on top of this PR. I would rather push this now and continue the discussion / submit additional PRs after 4.5 is released. """ See the full comment at https://github.com/freeipa/freeipa/pull/502#issuecomment-286724681 From freeipa-github-notification at redhat.com Wed Mar 15 12:25:50 2017 From: freeipa-github-notification at redhat.com (lslebodn) Date: Wed, 15 Mar 2017 13:25:50 +0100 Subject: [Freeipa-devel] [freeipa PR#502][comment] Make pylint and jsl optional In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/502 Title: #502: Make pylint and jsl optional lslebodn commented: """ On (15/03/17 05:17), Jan Cholasta wrote: >@lslebodn, nobody said that this has to be the last lint build related patch ever, we can change the behavior later, even on top of this PR. I would rather push this now and continue the discussion / submit additional PRs after 4.5 is released. > But it would be good to have patch/approach in **official release** which was result of upstream discussion. Does it mean that I should improve error messages myself? LS """ See the full comment at https://github.com/freeipa/freeipa/pull/502#issuecomment-286726459 From freeipa-github-notification at redhat.com Wed Mar 15 12:31:27 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 15 Mar 2017 13:31:27 +0100 Subject: [Freeipa-devel] [freeipa PR#502][comment] Make pylint and jsl optional In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/502 Title: #502: Make pylint and jsl optional HonzaCholasta commented: """ 4.5.1 will be an official release too. """ See the full comment at https://github.com/freeipa/freeipa/pull/502#issuecomment-286727609 From freeipa-github-notification at redhat.com Wed Mar 15 12:32:12 2017 From: freeipa-github-notification at redhat.com (tjaalton) Date: Wed, 15 Mar 2017 13:32:12 +0100 Subject: [Freeipa-devel] [freeipa PR#598][comment] Add PYTHON_INSTALL_EXTRA_OPTIONS and --install-layout=deb In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/598 Title: #598: Add PYTHON_INSTALL_EXTRA_OPTIONS and --install-layout=deb tjaalton commented: """ Yep, works great, thanks! """ See the full comment at https://github.com/freeipa/freeipa/pull/598#issuecomment-286727748 From freeipa-github-notification at redhat.com Wed Mar 15 12:32:50 2017 
From: freeipa-github-notification at redhat.com (pvoborni) Date: Wed, 15 Mar 2017 13:32:50 +0100 Subject: [Freeipa-devel] [freeipa PR#502][comment] Make pylint and jsl optional In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/502 Title: #502: Make pylint and jsl optional pvoborni commented: """ There was no result in the upstream discussion. My personal opinion is that one way or the other can work. They are for different use cases. I tend to prefer the "be easier for developer" approach. That said, preferred method for downstreams needs to be documented ideally in BUILD.txt. In any case spending so much time discussing so minor change is a waste of time. I'd push it. """ See the full comment at https://github.com/freeipa/freeipa/pull/502#issuecomment-286727867 From freeipa-github-notification at redhat.com Wed Mar 15 12:34:26 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Wed, 15 Mar 2017 13:34:26 +0100 Subject: [Freeipa-devel] [freeipa PR#596][comment] spec file: support client-only build In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/596 Title: #596: spec file: support client-only build pvomacka commented: """ ipa server build without tests does not work, so NACK """ See the full comment at https://github.com/freeipa/freeipa/pull/596#issuecomment-286728170 From freeipa-github-notification at redhat.com Wed Mar 15 12:35:27 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 15 Mar 2017 13:35:27 +0100 Subject: [Freeipa-devel] [freeipa PR#502][comment] Make pylint and jsl optional In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/502 Title: #502: Make pylint and jsl optional tiran commented: """ @pvoborni For the use case "easy for developers" the ```make lint``` target is not sufficient. It tests only a small subset and doesn't check Python 3 issues. PR #593 provides a better alternative for a pre-commit patch check that takes care of linting on Python 2 and 3 plus additional checks. """ See the full comment at https://github.com/freeipa/freeipa/pull/502#issuecomment-286728373 From freeipa-github-notification at redhat.com Wed Mar 15 12:36:28 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Mar 2017 13:36:28 +0100 Subject: [Freeipa-devel] [freeipa PR#598][+ack] Add PYTHON_INSTALL_EXTRA_OPTIONS and --install-layout=deb In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/598 Title: #598: Add PYTHON_INSTALL_EXTRA_OPTIONS and --install-layout=deb Label: +ack From freeipa-github-notification at redhat.com Wed Mar 15 12:37:06 2017 
From: freeipa-github-notification at redhat.com (lslebodn) Date: Wed, 15 Mar 2017 13:37:06 +0100 Subject: [Freeipa-devel] [freeipa PR#502][comment] Make pylint and jsl optional In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/502 Title: #502: Make pylint and jsl optional lslebodn commented: """ On (15/03/17 05:32), Petr Vobornik wrote: >In any case spending so much time discussing so minor change is a waste of time. I'd push it. > Will you accept patch which improves error messages? I can send it in few minutes; I do not want to create PR which will be rejected. LS """ See the full comment at https://github.com/freeipa/freeipa/pull/502#issuecomment-286728710 From freeipa-github-notification at redhat.com Wed Mar 15 12:38:03 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 15 Mar 2017 13:38:03 +0100 Subject: [Freeipa-devel] [freeipa PR#502][+pushed] Make pylint and jsl optional In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/502 Title: #502: Make pylint and jsl optional Label: +pushed From freeipa-github-notification at redhat.com Wed Mar 15 12:38:05 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 15 Mar 2017 13:38:05 +0100 Subject: [Freeipa-devel] [freeipa PR#502][comment] Make pylint and jsl optional In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/502 Title: #502: Make pylint and jsl optional HonzaCholasta commented: """ master: * f1f63506caf88e4d86ea2bfdc7d25eceaf689bc5 Make pylint and jsl optional """ See the full comment at https://github.com/freeipa/freeipa/pull/502#issuecomment-286728890 From freeipa-github-notification at redhat.com Wed Mar 15 12:38:07 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 15 Mar 2017 13:38:07 +0100 Subject: [Freeipa-devel] [freeipa PR#502][closed] Make pylint and jsl optional In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/502 Author: tiran Title: #502: Make pylint and jsl optional Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/502/head:pr502 git checkout pr502 From freeipa-github-notification at redhat.com Wed Mar 15 12:38:59 2017 From: freeipa-github-notification at redhat.com (pvoborni) Date: Wed, 15 Mar 2017 13:38:59 +0100 Subject: [Freeipa-devel] [freeipa PR#502][comment] Make pylint and jsl optional In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/502 Title: #502: Make pylint and jsl optional pvoborni commented: """ If it improves messages then I assume so provided that it won't be controversial in other aspects. """ See the full comment at https://github.com/freeipa/freeipa/pull/502#issuecomment-286729103 From freeipa-github-notification at redhat.com Wed Mar 15 12:39:50 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 15 Mar 2017 13:39:50 +0100 Subject: [Freeipa-devel] [freeipa PR#596][synchronized] spec file: support client-only build In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/596 Author: HonzaCholasta Title: #596: spec file: support client-only build Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/596/head:pr596 git checkout pr596 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-596.patch Type: text/x-diff Size: 7652 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 15 12:40:14 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 15 Mar 2017 13:40:14 +0100 Subject: [Freeipa-devel] [freeipa PR#596][comment] spec file: support client-only build In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/596 Title: #596: spec file: support client-only build HonzaCholasta commented: """ Now that PR #502 was pushed this should finally work. """ See the full comment at https://github.com/freeipa/freeipa/pull/596#issuecomment-286729368 From freeipa-github-notification at redhat.com Wed Mar 15 12:41:17 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 15 Mar 2017 13:41:17 +0100 Subject: [Freeipa-devel] [freeipa PR#597][synchronized] spec file: support build without ipatests In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/597 Author: HonzaCholasta Title: #597: spec file: support build without ipatests Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/597/head:pr597 git checkout pr597 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-597.patch Type: text/x-diff Size: 4087 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 15 12:42:49 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 15 Mar 2017 13:42:49 +0100 Subject: [Freeipa-devel] [freeipa PR#594][comment] Fix Python 3 pylint errors In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/594 Title: #594: Fix Python 3 pylint errors tiran commented: """ @stlaz I fixed the problem with shadowed builtin type ```type```. """ See the full comment at https://github.com/freeipa/freeipa/pull/594#issuecomment-286729958 From freeipa-github-notification at redhat.com Wed Mar 15 12:47:53 2017 
From: freeipa-github-notification at redhat.com (lslebodn) Date: Wed, 15 Mar 2017 13:47:53 +0100 Subject: [Freeipa-devel] [freeipa PR#599][opened] CONFIGURE: Improve error messages for optional dependencies Message-ID: URL: https://github.com/freeipa/freeipa/pull/599 Author: lslebodn Title: #599: CONFIGURE: Improve error messages for optional dependencies Action: opened PR body: """ https://www.redhat.com/archives/freeipa-devel/2017-March/msg00307.html """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/599/head:pr599 git checkout pr599 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-599.patch Type: text/x-diff Size: 3411 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 15 12:48:47 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Mar 2017 13:48:47 +0100 Subject: [Freeipa-devel] [freeipa PR#598][+pushed] Add PYTHON_INSTALL_EXTRA_OPTIONS and --install-layout=deb In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/598 Title: #598: Add PYTHON_INSTALL_EXTRA_OPTIONS and --install-layout=deb Label: +pushed From freeipa-github-notification at redhat.com Wed Mar 15 12:48:48 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Mar 2017 13:48:48 +0100 Subject: [Freeipa-devel] [freeipa PR#598][closed] Add PYTHON_INSTALL_EXTRA_OPTIONS and --install-layout=deb In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/598 Author: tiran Title: #598: Add PYTHON_INSTALL_EXTRA_OPTIONS and --install-layout=deb Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/598/head:pr598 git checkout pr598 From freeipa-github-notification at redhat.com Wed Mar 15 12:48:49 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Mar 2017 13:48:49 +0100 Subject: [Freeipa-devel] [freeipa PR#598][comment] Add PYTHON_INSTALL_EXTRA_OPTIONS and --install-layout=deb In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/598 Title: #598: Add PYTHON_INSTALL_EXTRA_OPTIONS and --install-layout=deb MartinBasti commented: """ master: * b280c7bb0192485dfb622c731e31deb89d517b6f Add PYTHON_INSTALL_EXTRA_OPTIONS and --install-layout=deb """ See the full comment at https://github.com/freeipa/freeipa/pull/598#issuecomment-286731262 From freeipa-github-notification at redhat.com Wed Mar 15 12:53:35 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 15 Mar 2017 13:53:35 +0100 Subject: [Freeipa-devel] [freeipa PR#599][comment] CONFIGURE: Improve error messages for optional dependencies In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/599 Title: #599: CONFIGURE: Improve error messages for optional dependencies tiran commented: """ NACK, you are changing the spirit of the accepted PR #502. """ See the full comment at https://github.com/freeipa/freeipa/pull/599#issuecomment-286732300 From freeipa-github-notification at redhat.com Wed Mar 15 12:55:32 2017 
From: freeipa-github-notification at redhat.com (lslebodn) Date: Wed, 15 Mar 2017 13:55:32 +0100 Subject: [Freeipa-devel] [freeipa PR#599][synchronized] CONFIGURE: Improve error messages for optional dependencies In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/599 Author: lslebodn Title: #599: CONFIGURE: Improve error messages for optional dependencies Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/599/head:pr599 git checkout pr599 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-599.patch Type: text/x-diff Size: 2968 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 15 12:57:01 2017 From: freeipa-github-notification at redhat.com (lslebodn) Date: Wed, 15 Mar 2017 13:57:01 +0100 Subject: [Freeipa-devel] [freeipa PR#600][opened] CONFIGURE: Improve detection of xmlrpc_c flags Message-ID: URL: https://github.com/freeipa/freeipa/pull/600 Author: lslebodn Title: #600: CONFIGURE: Improve detection of xmlrpc_c flags Action: opened PR body: """ The pkg-config files for xmlrpc_c libraries are shipped just in fedora/rhel due to downstream patch. Debian does not have pkg-config files for xmlrpc_c. Therefore we need to fallback to older method of detection XMLRPC_*FLAGS which was reverted by the commit 1e0143c159134337a00a91d4ae64e614f72da62e """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/600/head:pr600 git checkout pr600 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-600.patch Type: text/x-diff Size: 1686 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 15 12:57:39 2017 
From: freeipa-github-notification at redhat.com (lslebodn) Date: Wed, 15 Mar 2017 13:57:39 +0100 Subject: [Freeipa-devel] [freeipa PR#600][comment] CONFIGURE: Improve detection of xmlrpc_c flags In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/600 Title: #600: CONFIGURE: Improve detection of xmlrpc_c flags lslebodn commented: """ @tjaalton It should simplify your work on Debian """ See the full comment at https://github.com/freeipa/freeipa/pull/600#issuecomment-286733233 From freeipa-github-notification at redhat.com Wed Mar 15 13:05:12 2017 From: freeipa-github-notification at redhat.com (lslebodn) Date: Wed, 15 Mar 2017 14:05:12 +0100 Subject: [Freeipa-devel] [freeipa PR#599][comment] CONFIGURE: Improve error messages for optional dependencies In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/599 Title: #599: CONFIGURE: Improve error messages for optional dependencies lslebodn commented: """ >NACK, you are changing the spirit of the accepted PR #502. The approach in PR #502 was not accepted in upstream discussion https://www.redhat.com/archives/freeipa-devel/2017-March/msg00307.html and moreover @HonzaCholasta was not against in PR #502 https://github.com/freeipa/freeipa/pull/502#issuecomment-286724681 """ See the full comment at https://github.com/freeipa/freeipa/pull/599#issuecomment-286735020 From freeipa-github-notification at redhat.com Wed Mar 15 13:08:53 2017 
From: freeipa-github-notification at redhat.com (abbra) Date: Wed, 15 Mar 2017 14:08:53 +0100 Subject: [Freeipa-devel] [freeipa PR#600][comment] CONFIGURE: Improve detection of xmlrpc_c flags In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/600 Title: #600: CONFIGURE: Improve detection of xmlrpc_c flags abbra commented: """ LGTM. Falling back to a standard check is fine. """ See the full comment at https://github.com/freeipa/freeipa/pull/600#issuecomment-286735880 From freeipa-github-notification at redhat.com Wed Mar 15 13:19:05 2017 From: freeipa-github-notification at redhat.com (lslebodn) Date: Wed, 15 Mar 2017 14:19:05 +0100 Subject: [Freeipa-devel] [freeipa PR#599][comment] CONFIGURE: Improve error messages for optional dependencies In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/599 Title: #599: CONFIGURE: Improve error messages for optional dependencies lslebodn commented: """ @tiran one more time: The approach in PR #502 was not accepted in upstream discussion https://www.redhat.com/archives/freeipa-devel/2017-March/msg00307.html """ See the full comment at https://github.com/freeipa/freeipa/pull/599#issuecomment-286738321 From freeipa-github-notification at redhat.com Wed Mar 15 13:28:01 2017 
From: freeipa-github-notification at redhat.com (rcritten) Date: Wed, 15 Mar 2017 14:28:01 +0100 Subject: [Freeipa-devel] [freeipa PR#590][comment] Validate user input for cert-get-requestdata In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/590 Title: #590: Validate user input for cert-get-requestdata rcritten commented: """ You are duplicating the list of helpers. It would have been better to have helper defined as a StrEnum. If it isn't too late to change (e.g. no release has shipped with that in the API) then perhaps a separate patch, then you wouldn't need this enforcement at all. """ See the full comment at https://github.com/freeipa/freeipa/pull/590#issuecomment-286740595 From freeipa-github-notification at redhat.com Wed Mar 15 13:29:02 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Wed, 15 Mar 2017 14:29:02 +0100 Subject: [Freeipa-devel] [freeipa PR#596][+ack] spec file: support client-only build In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/596 Title: #596: spec file: support client-only build Label: +ack From freeipa-github-notification at redhat.com Wed Mar 15 13:29:21 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Wed, 15 Mar 2017 14:29:21 +0100 Subject: [Freeipa-devel] [freeipa PR#597][+ack] spec file: support build without ipatests In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/597 Title: #597: spec file: support build without ipatests Label: +ack From freeipa-github-notification at redhat.com Wed Mar 15 13:33:51 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 15 Mar 2017 14:33:51 +0100 Subject: [Freeipa-devel] [freeipa PR#597][+pushed] spec file: support build without ipatests In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/597 Title: #597: spec file: support build without ipatests Label: +pushed From freeipa-github-notification at redhat.com Wed Mar 15 13:33:53 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 15 Mar 2017 14:33:53 +0100 Subject: [Freeipa-devel] [freeipa PR#597][comment] spec file: support build without ipatests In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/597 Title: #597: spec file: support build without ipatests HonzaCholasta commented: """ master: * e42a846506ee7ad5e8a395da154bec64f6be3654 spec file: support build without ipatests """ See the full comment at https://github.com/freeipa/freeipa/pull/597#issuecomment-286742217 From freeipa-github-notification at redhat.com Wed Mar 15 13:33:54 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 15 Mar 2017 14:33:54 +0100 Subject: [Freeipa-devel] [freeipa PR#597][closed] spec file: support build without ipatests In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/597 Author: HonzaCholasta Title: #597: spec file: support build without ipatests Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/597/head:pr597 git checkout pr597 From freeipa-github-notification at redhat.com Wed Mar 15 13:35:46 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 15 Mar 2017 14:35:46 +0100 Subject: [Freeipa-devel] [freeipa PR#596][synchronized] spec file: support client-only build In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/596 Author: HonzaCholasta Title: #596: spec file: support client-only build Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/596/head:pr596 git checkout pr596 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-596.patch Type: text/x-diff Size: 3556 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 15 13:36:15 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 15 Mar 2017 14:36:15 +0100 Subject: [Freeipa-devel] [freeipa PR#596][+pushed] spec file: support client-only build In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/596 Title: #596: spec file: support client-only build Label: +pushed From freeipa-github-notification at redhat.com Wed Mar 15 13:36:16 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 15 Mar 2017 14:36:16 +0100 Subject: [Freeipa-devel] [freeipa PR#596][comment] spec file: support client-only build In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/596 Title: #596: spec file: support client-only build HonzaCholasta commented: """ master: * 417f1926c48b426b34b18edb28869f4f06824873 spec file: support client-only build """ See the full comment at https://github.com/freeipa/freeipa/pull/596#issuecomment-286742894 From freeipa-github-notification at redhat.com Wed Mar 15 13:36:18 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 15 Mar 2017 14:36:18 +0100 Subject: [Freeipa-devel] [freeipa PR#596][closed] spec file: support client-only build In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/596 Author: HonzaCholasta Title: #596: spec file: support client-only build Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/596/head:pr596 git checkout pr596 From freeipa-github-notification at redhat.com Wed Mar 15 13:36:28 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 15 Mar 2017 14:36:28 +0100 Subject: [Freeipa-devel] [freeipa PR#601][opened] spec file: always provide python package aliases Message-ID: URL: https://github.com/freeipa/freeipa/pull/601 Author: HonzaCholasta Title: #601: spec file: always provide python package aliases Action: opened PR body: """ Provide python-ipa* aliases for python2-ipa* subpackages when the python_provide RPM macro is not available. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/601/head:pr601 git checkout pr601 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-601.patch Type: text/x-diff Size: 2389 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 15 13:39:04 2017 From: freeipa-github-notification at redhat.com (simo5) Date: Wed, 15 Mar 2017 14:39:04 +0100 Subject: [Freeipa-devel] [freeipa PR#594][+ack] Fix Python 3 pylint errors In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/594 Title: #594: Fix Python 3 pylint errors Label: +ack From freeipa-github-notification at redhat.com Wed Mar 15 13:42:29 2017 
From: freeipa-github-notification at redhat.com (Akasurde) Date: Wed, 15 Mar 2017 14:42:29 +0100 Subject: [Freeipa-devel] [freeipa PR#590][comment] Validate user input for cert-get-requestdata In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/590 Title: #590: Validate user input for cert-get-requestdata Akasurde commented: """ @rcritten I don't know about backward compatibility of changing helper to StrEnum. @MartinBasti @HonzaCholasta Can you please comment on this? """ See the full comment at https://github.com/freeipa/freeipa/pull/590#issuecomment-286744568 From freeipa-github-notification at redhat.com Wed Mar 15 13:53:13 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Wed, 15 Mar 2017 14:53:13 +0100 Subject: [Freeipa-devel] [freeipa PR#601][+ack] spec file: always provide python package aliases In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/601 Title: #601: spec file: always provide python package aliases Label: +ack From freeipa-github-notification at redhat.com Wed Mar 15 13:59:10 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Mar 2017 14:59:10 +0100 Subject: [Freeipa-devel] [freeipa PR#590][comment] Validate user input for cert-get-requestdata In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/590 Title: #590: Validate user input for cert-get-requestdata MartinBasti commented: """ I have no context about how exactly certrequest is supposed to work, but IMO it was done in that way to allow dynamically adding more helpers as plugins, that's why it is Str and not StrEnum, but code doesn't look like it may support that. @LiptonB do you remember why Str param was used? @Akasurde Right now there is no backward compatibility because 4.5 will be first release that contains this feature. """ See the full comment at https://github.com/freeipa/freeipa/pull/590#issuecomment-286749282 From freeipa-github-notification at redhat.com Wed Mar 15 14:08:05 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Mar 2017 15:08:05 +0100 Subject: [Freeipa-devel] [freeipa PR#600][comment] CONFIGURE: Improve detection of xmlrpc_c flags In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/600 Title: #600: CONFIGURE: Improve detection of xmlrpc_c flags MartinBasti commented: """ Could you add ticket to commit message please https://fedorahosted.org/freeipa/ticket/6418 """ See the full comment at https://github.com/freeipa/freeipa/pull/600#issuecomment-286752024 From freeipa-github-notification at redhat.com Wed Mar 15 14:22:43 2017 
From: freeipa-github-notification at redhat.com (tjaalton) Date: Wed, 15 Mar 2017 15:22:43 +0100 Subject: [Freeipa-devel] [freeipa PR#494][comment] Support client-only build In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/494 Title: #494: Support client-only build tjaalton commented: """ +ack on the xmlrpc-c detection patch at least, I need that on Debian """ See the full comment at https://github.com/freeipa/freeipa/pull/494#issuecomment-286756541 From freeipa-github-notification at redhat.com Wed Mar 15 14:25:02 2017 From: freeipa-github-notification at redhat.com (tjaalton) Date: Wed, 15 Mar 2017 15:25:02 +0100 Subject: [Freeipa-devel] [freeipa PR#600][comment] CONFIGURE: Improve detection of xmlrpc_c flags In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/600 Title: #600: CONFIGURE: Improve detection of xmlrpc_c flags tjaalton commented: """ yes, I just added a comment on the old PR, I need this on Debian, so +1 from me """ See the full comment at https://github.com/freeipa/freeipa/pull/600#issuecomment-286757315 From freeipa-github-notification at redhat.com Wed Mar 15 14:27:08 2017 From: freeipa-github-notification at redhat.com (tjaalton) Date: Wed, 15 Mar 2017 15:27:08 +0100 Subject: [Freeipa-devel] [freeipa PR#494][comment] Support client-only build In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/494 Title: #494: Support client-only build tjaalton commented: """ sorry, I just saw PR#600 which is a subset of this """ See the full comment at https://github.com/freeipa/freeipa/pull/494#issuecomment-286758047 From freeipa-github-notification at redhat.com Wed Mar 15 14:29:57 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 15 Mar 2017 15:29:57 +0100 Subject: [Freeipa-devel] [freeipa PR#601][comment] spec file: always provide python package aliases In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/601 Title: #601: spec file: always provide python package aliases HonzaCholasta commented: """ master: * 990ce9eef314622440b2036742bbf34f57ba2699 spec file: always provide python package aliases """ See the full comment at https://github.com/freeipa/freeipa/pull/601#issuecomment-286758926 From freeipa-github-notification at redhat.com Wed Mar 15 14:29:58 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 15 Mar 2017 15:29:58 +0100 Subject: [Freeipa-devel] [freeipa PR#601][+pushed] spec file: always provide python package aliases In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/601 Title: #601: spec file: always provide python package aliases Label: +pushed From freeipa-github-notification at redhat.com Wed Mar 15 14:30:00 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 15 Mar 2017 15:30:00 +0100 Subject: [Freeipa-devel] [freeipa PR#601][closed] spec file: always provide python package aliases In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/601 Author: HonzaCholasta Title: #601: spec file: always provide python package aliases Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/601/head:pr601 git checkout pr601 From freeipa-github-notification at redhat.com Wed Mar 15 14:45:14 2017 
From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 15 Mar 2017 15:45:14 +0100 Subject: [Freeipa-devel] [freeipa PR#584][synchronized] Improve the implementation of PKINIT certificate retrieval In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/584 Author: martbab Title: #584: Improve the implementation of PKINIT certificate retrieval Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/584/head:pr584 git checkout pr584 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-584.patch Type: text/x-diff Size: 16828 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 15 14:46:22 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 15 Mar 2017 15:46:22 +0100 Subject: [Freeipa-devel] [freeipa PR#584][comment] Improve the implementation of PKINIT certificate retrieval In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/584 Title: #584: Improve the implementation of PKINIT certificate retrieval martbab commented: """ I have reworked the PR quite a bit and added/changed a few checks due to replication race conditions affecting PKINIT requests from replica to master. """ See the full comment at https://github.com/freeipa/freeipa/pull/584#issuecomment-286764259 From freeipa-github-notification at redhat.com Wed Mar 15 14:49:05 2017 
From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 15 Mar 2017 15:49:05 +0100 Subject: [Freeipa-devel] [freeipa PR#567][comment] Configure KDC to use certs after they are deployed In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/567 Title: #567: Configure KDC to use certs after they are deployed martbab commented: """ Superseded by https://github.com/freeipa/freeipa/pull/584 """ See the full comment at https://github.com/freeipa/freeipa/pull/567#issuecomment-286765122 From freeipa-github-notification at redhat.com Wed Mar 15 14:49:06 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 15 Mar 2017 15:49:06 +0100 Subject: [Freeipa-devel] [freeipa PR#567][closed] Configure KDC to use certs after they are deployed In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/567 Author: simo5 Title: #567: Configure KDC to use certs after they are deployed Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/567/head:pr567 git checkout pr567 From freeipa-github-notification at redhat.com Wed Mar 15 14:49:14 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 15 Mar 2017 15:49:14 +0100 Subject: [Freeipa-devel] [freeipa PR#567][+rejected] Configure KDC to use certs after they are deployed In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/567 Title: #567: Configure KDC to use certs after they are deployed Label: +rejected From freeipa-github-notification at redhat.com Wed Mar 15 14:50:37 2017 
From: freeipa-github-notification at redhat.com (tjaalton) Date: Wed, 15 Mar 2017 15:50:37 +0100 Subject: [Freeipa-devel] [freeipa PR#602][opened] configure: Use ODS_USER and NAMED_GROUP in daemons/dnssec/*.service.in Message-ID: URL: https://github.com/freeipa/freeipa/pull/602 Author: tjaalton Title: #602: configure: Use ODS_USER and NAMED_GROUP in daemons/dnssec/*.service.in Action: opened PR body: """ These are platform specific, add values for Debian and default values for Fedora/RHEL. Also, use prettier output when checking the extra python install options. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/602/head:pr602 git checkout pr602 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-602.patch Type: text/x-diff Size: 3392 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 15 15:09:52 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Mar 2017 16:09:52 +0100 Subject: [Freeipa-devel] [freeipa PR#582][+ack] Remove pkinit from ipa-replica-prepare In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/582 Title: #582: Remove pkinit from ipa-replica-prepare Label: +ack From freeipa-github-notification at redhat.com Wed Mar 15 15:14:58 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Mar 2017 16:14:58 +0100 Subject: [Freeipa-devel] [freeipa PR#600][comment] CONFIGURE: Improve detection of xmlrpc_c flags In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/600 Title: #600: CONFIGURE: Improve detection of xmlrpc_c flags MartinBasti commented: """ Commit message amended before pushed """ See the full comment at https://github.com/freeipa/freeipa/pull/600#issuecomment-286773684 From freeipa-github-notification at redhat.com Wed Mar 15 15:15:02 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Mar 2017 16:15:02 +0100 Subject: [Freeipa-devel] [freeipa PR#600][+ack] CONFIGURE: Improve detection of xmlrpc_c flags In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/600 Title: #600: CONFIGURE: Improve detection of xmlrpc_c flags Label: +ack From freeipa-github-notification at redhat.com Wed Mar 15 15:15:03 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Mar 2017 16:15:03 +0100 Subject: [Freeipa-devel] [freeipa PR#600][+pushed] CONFIGURE: Improve detection of xmlrpc_c flags In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/600 Title: #600: CONFIGURE: Improve detection of xmlrpc_c flags Label: +pushed From freeipa-github-notification at redhat.com Wed Mar 15 15:15:13 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Mar 2017 16:15:13 +0100 Subject: [Freeipa-devel] [freeipa PR#600][closed] CONFIGURE: Improve detection of xmlrpc_c flags In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/600 Author: lslebodn Title: #600: CONFIGURE: Improve detection of xmlrpc_c flags Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/600/head:pr600 git checkout pr600 From freeipa-github-notification at redhat.com Wed Mar 15 15:15:15 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Mar 2017 16:15:15 +0100 Subject: [Freeipa-devel] [freeipa PR#600][comment] CONFIGURE: Improve detection of xmlrpc_c flags In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/600 Title: #600: CONFIGURE: Improve detection of xmlrpc_c flags MartinBasti commented: """ master: * 2a4f7f2cfaf6ac5ffaf4cc2b43fa0e9b5fa3ebe4 CONFIGURE: Improve detection of xmlrpc_c flags """ See the full comment at https://github.com/freeipa/freeipa/pull/600#issuecomment-286773777 From freeipa-github-notification at redhat.com Wed Mar 15 15:23:48 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Mar 2017 16:23:48 +0100 Subject: [Freeipa-devel] [freeipa PR#582][+pushed] Remove pkinit from ipa-replica-prepare In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/582 Title: #582: Remove pkinit from ipa-replica-prepare Label: +pushed From freeipa-github-notification at redhat.com Wed Mar 15 15:23:49 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Mar 2017 16:23:49 +0100 Subject: [Freeipa-devel] [freeipa PR#582][comment] Remove pkinit from ipa-replica-prepare In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/582 Title: #582: Remove pkinit from ipa-replica-prepare MartinBasti commented: """ master: * 46d4d534c08d14756b989e157e87a078d174ad5c Remove pkinit from ipa-replica-prepare """ See the full comment at https://github.com/freeipa/freeipa/pull/582#issuecomment-286776674 From freeipa-github-notification at redhat.com Wed Mar 15 15:23:51 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Mar 2017 16:23:51 +0100 Subject: [Freeipa-devel] [freeipa PR#582][closed] Remove pkinit from ipa-replica-prepare In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/582 Author: stlaz Title: #582: Remove pkinit from ipa-replica-prepare Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/582/head:pr582 git checkout pr582 From freeipa-github-notification at redhat.com Wed Mar 15 15:38:01 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Mar 2017 16:38:01 +0100 Subject: [Freeipa-devel] [freeipa PR#584][comment] Improve the implementation of PKINIT certificate retrieval In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/584 Title: #584: Improve the implementation of PKINIT certificate retrieval MartinBasti commented: """ Works for me and code looks OK """ See the full comment at https://github.com/freeipa/freeipa/pull/584#issuecomment-286781521 From freeipa-github-notification at redhat.com Wed Mar 15 15:38:12 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Mar 2017 16:38:12 +0100 Subject: [Freeipa-devel] [freeipa PR#584][+ack] Improve the implementation of PKINIT certificate retrieval In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/584 Title: #584: Improve the implementation of PKINIT certificate retrieval Label: +ack From freeipa-github-notification at redhat.com Wed Mar 15 15:40:24 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Mar 2017 16:40:24 +0100 Subject: [Freeipa-devel] [freeipa PR#584][+pushed] Improve the implementation of PKINIT certificate retrieval In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/584 Title: #584: Improve the implementation of PKINIT certificate retrieval Label: +pushed From freeipa-github-notification at redhat.com Wed Mar 15 15:40:29 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Mar 2017 16:40:29 +0100 Subject: [Freeipa-devel] [freeipa PR#584][comment] Improve the implementation of PKINIT certificate retrieval In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/584 Title: #584: Improve the implementation of PKINIT certificate retrieval MartinBasti commented: """ master: * 95768de06fbef78169329af12b29e4d65e4bf157 Make PKINIT certificate request logic consistent with other installers * b5b23e073e59930e4dcf14ea8031c2c0441e6344 Request PKINIT cert directly from Dogtag API on first master * bd18b5f91e3f98fa877def245c54c1cd33bd372e Move PKINIT configuration to a later stage of server/replica install * 069948466e81d99a0dd48ffffa32af50351d0189 Make wait_for_entry raise exceptions * 8f4abf7bc1607fc44f528b8a443b69cb82269e69 check that the master requesting PKINIT cert has KDC enabled * b45629fc480e61464b402ac2fc52c6f9fc61df0e check for replica's KDC entry on master before requesting PKINIT cert * a1686a90c0cc8c16c89ef1bada7f507729bf3252 Try out anonymous PKINIT after it is configured """ See the full comment at https://github.com/freeipa/freeipa/pull/584#issuecomment-286782263 From freeipa-github-notification at redhat.com Wed Mar 15 15:40:30 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Mar 2017 16:40:30 +0100 Subject: [Freeipa-devel] [freeipa PR#584][closed] Improve the implementation of PKINIT certificate retrieval In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/584 Author: martbab Title: #584: Improve the implementation of PKINIT certificate retrieval Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/584/head:pr584 git checkout pr584 From freeipa-github-notification at redhat.com Wed Mar 15 15:49:36 2017 From: freeipa-github-notification at redhat.com (lslebodn) Date: Wed, 15 Mar 2017 16:49:36 +0100 Subject: [Freeipa-devel] [freeipa PR#600][comment] CONFIGURE: Improve detection of xmlrpc_c flags In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/600 Title: #600: CONFIGURE: Improve detection of xmlrpc_c flags lslebodn commented: """ On (15/03/17 08:14), MartinBasti wrote: >Commit message amended before pushed > Thank you; I was busy with other tasks. LS """ See the full comment at https://github.com/freeipa/freeipa/pull/600#issuecomment-286785306 From freeipa-github-notification at redhat.com Wed Mar 15 15:52:55 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Mar 2017 16:52:55 +0100 Subject: [Freeipa-devel] [freeipa PR#603][comment] Update 4.5 translations In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/603 Title: #603: Update 4.5 translations MartinBasti commented: """ selfACK when travis build pass """ See the full comment at https://github.com/freeipa/freeipa/pull/603#issuecomment-286786463 From freeipa-github-notification at redhat.com Wed Mar 15 15:54:20 2017 
From: freeipa-github-notification at redhat.com (LiptonB) Date: Wed, 15 Mar 2017 16:54:20 +0100 Subject: [Freeipa-devel] [freeipa PR#590][comment] Validate user input for cert-get-requestdata In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/590 Title: #590: Validate user input for cert-get-requestdata LiptonB commented: """ I don't think one could really add a new helper without modifying the code, so there's probably no need to allow arbitrary strings. Given that, StrEnum seems appropriate. For the record, https://github.com/freeipa/freeipa/pull/542 is going to be modified to remove the `helper` parameter of `cert-get-requestdata` entirely, though I haven't had a chance to make the change yet. """ See the full comment at https://github.com/freeipa/freeipa/pull/590#issuecomment-286787004 From freeipa-github-notification at redhat.com Wed Mar 15 15:59:45 2017 From: freeipa-github-notification at redhat.com (LiptonB) Date: Wed, 15 Mar 2017 16:59:45 +0100 Subject: [Freeipa-devel] [freeipa PR#433][synchronized] csrgen: Allow some certificate fields to be specified by the user In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/433 Author: LiptonB Title: #433: csrgen: Allow some certificate fields to be specified by the user Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/433/head:pr433 git checkout pr433 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-433.patch Type: text/x-diff Size: 10774 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 15 16:02:48 2017 
From: freeipa-github-notification at redhat.com (LiptonB) Date: Wed, 15 Mar 2017 17:02:48 +0100 Subject: [Freeipa-devel] [freeipa PR#590][comment] Validate user input for cert-get-requestdata In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/590 Title: #590: Validate user input for cert-get-requestdata LiptonB commented: """ I don't think one could really add a new helper without modifying the code, so there's probably no need to allow arbitrary strings. Given that, StrEnum seems appropriate. For the record, https://github.com/freeipa/freeipa/pull/542 is going to be modified to remove the `helper` parameter of `cert-get-requestdata` entirely, though I haven't had a chance to make the change yet. """ See the full comment at https://github.com/freeipa/freeipa/pull/590#issuecomment-286787004 From freeipa-github-notification at redhat.com Wed Mar 15 16:17:54 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Mar 2017 17:17:54 +0100 Subject: [Freeipa-devel] [freeipa PR#590][comment] Validate user input for cert-get-requestdata In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/590 Title: #590: Validate user input for cert-get-requestdata MartinBasti commented: """ > For the record, #542 removes the helper parameter of cert-get-requestdata, and will be modified to remove the concept of different helpers entirely, though I haven't had a chance to make that change yet. today is 4.5 release so you have to keep some level of backward compatibility in that PR """ See the full comment at https://github.com/freeipa/freeipa/pull/590#issuecomment-286794876 From freeipa-github-notification at redhat.com Wed Mar 15 16:33:18 2017 
From: freeipa-github-notification at redhat.com (tjaalton) Date: Wed, 15 Mar 2017 17:33:18 +0100 Subject: [Freeipa-devel] [freeipa PR#602][edited] configure: Use ODS_USER and NAMED_GROUP in daemons/dnssec/*.service.in In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/602 Author: tjaalton Title: #602: configure: Use ODS_USER and NAMED_GROUP in daemons/dnssec/*.service.in Action: edited Changed field: body Original value: """ These are platform specific, add values for Debian and default values for Fedora/RHEL. Also, use prettier output when checking the extra python install options. """ From freeipa-github-notification at redhat.com Wed Mar 15 16:44:13 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Mar 2017 17:44:13 +0100 Subject: [Freeipa-devel] [freeipa PR#603][+ack] Update 4.5 translations In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/603 Title: #603: Update 4.5 translations Label: +ack From freeipa-github-notification at redhat.com Wed Mar 15 16:45:05 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Mar 2017 17:45:05 +0100 Subject: [Freeipa-devel] [freeipa PR#603][comment] Update 4.5 translations In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/603 Title: #603: Update 4.5 translations MartinBasti commented: """ master: * 474e6a7a71a9e51db80367018927c078f0bf1296 Update 4.5 translations """ See the full comment at https://github.com/freeipa/freeipa/pull/603#issuecomment-286803729 From freeipa-github-notification at redhat.com Wed Mar 15 16:45:07 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Mar 2017 17:45:07 +0100 Subject: [Freeipa-devel] [freeipa PR#603][+pushed] Update 4.5 translations In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/603 Title: #603: Update 4.5 translations Label: +pushed From freeipa-github-notification at redhat.com Wed Mar 15 16:45:08 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Mar 2017 17:45:08 +0100 Subject: [Freeipa-devel] [freeipa PR#603][closed] Update 4.5 translations In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/603 Author: MartinBasti Title: #603: Update 4.5 translations Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/603/head:pr603 git checkout pr603 From freeipa-github-notification at redhat.com Wed Mar 15 16:59:17 2017 From: freeipa-github-notification at redhat.com (Akasurde) Date: Wed, 15 Mar 2017 17:59:17 +0100 Subject: [Freeipa-devel] [freeipa PR#590][comment] Validate user input for cert-get-requestdata In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/590 Title: #590: Validate user input for cert-get-requestdata Akasurde commented: """ @MartinBasti Should I wait for #542 to get merged? """ See the full comment at https://github.com/freeipa/freeipa/pull/590#issuecomment-286808634 From freeipa-github-notification at redhat.com Wed Mar 15 17:22:08 2017 
From: freeipa-github-notification at redhat.com (LiptonB) Date: Wed, 15 Mar 2017 18:22:08 +0100 Subject: [Freeipa-devel] [freeipa PR#433][comment] csrgen: Allow some certificate fields to be specified by the user In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/433 Title: #433: csrgen: Allow some certificate fields to be specified by the user LiptonB commented: """ Rebased, thanks. """ See the full comment at https://github.com/freeipa/freeipa/pull/433#issuecomment-286816039 From freeipa-github-notification at redhat.com Wed Mar 15 17:31:50 2017 From: freeipa-github-notification at redhat.com (LiptonB) Date: Wed, 15 Mar 2017 18:31:50 +0100 Subject: [Freeipa-devel] [freeipa PR#542][comment] Implementation independent interface for CSR generation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/542 Title: #542: Implementation independent interface for CSR generation LiptonB commented: """ Regarding this comment from @MartinBasti in #590: > > For the record, #542 removes the helper parameter of cert-get-requestdata, and will be modified to remove the concept of different helpers entirely, though I haven't had a chance to make that change yet. > > today is 4.5 release so you have to keep some level of backward compatibility in that PR What level of backward compatibility is required? Is it not ok to remove helpers? I thought the purpose of making `cert-get-requestdata` an internal, client-side API was that it would be ok to change the parameters as we figured out how it should work. """ See the full comment at https://github.com/freeipa/freeipa/pull/542#issuecomment-286819264 From freeipa-github-notification at redhat.com Wed Mar 15 17:42:18 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Mar 2017 18:42:18 +0100 Subject: [Freeipa-devel] [freeipa PR#604][opened] [4.5] Set zanata version to ipa-4-5 Message-ID: URL: https://github.com/freeipa/freeipa/pull/604 Author: MartinBasti Title: #604: [4.5] Set zanata version to ipa-4-5 Action: opened PR body: """ Regular after-release update, zanata branch has been created https://fedora.zanata.org/iteration/view/freeipa/ipa-4-5 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/604/head:pr604 git checkout pr604 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-604.patch Type: text/x-diff Size: 692 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 15 17:43:47 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Mar 2017 18:43:47 +0100 Subject: [Freeipa-devel] [freeipa PR#605][opened] Set development version to 4.5.90 Message-ID: URL: https://github.com/freeipa/freeipa/pull/605 Author: MartinBasti Title: #605: Set development version to 4.5.90 Action: opened PR body: """ """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/605/head:pr605 git checkout pr605 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-605.patch Type: text/x-diff Size: 689 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 15 18:05:56 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Mar 2017 19:05:56 +0100 Subject: [Freeipa-devel] [freeipa PR#542][comment] Implementation independent interface for CSR generation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/542 Title: #542: Implementation independent interface for CSR generation MartinBasti commented: """ I meant this: ```diff - Str( - 'helper', - label=_('Name of CSR generation tool'), - doc=_('Name of tool (e.g. openssl, certutil) that will be used to' - ' create CSR'), ``` AFAIK this is user API """ See the full comment at https://github.com/freeipa/freeipa/pull/542#issuecomment-286829945 From freeipa-github-notification at redhat.com Wed Mar 15 18:11:59 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Mar 2017 19:11:59 +0100 Subject: [Freeipa-devel] [freeipa PR#594][+pushed] Fix Python 3 pylint errors In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/594 Title: #594: Fix Python 3 pylint errors Label: +pushed From freeipa-github-notification at redhat.com Wed Mar 15 18:12:01 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Mar 2017 19:12:01 +0100 Subject: [Freeipa-devel] [freeipa PR#594][comment] Fix Python 3 pylint errors In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/594 Title: #594: Fix Python 3 pylint errors MartinBasti commented: """ master: * 602b395cf19b0ae0b8ade1c13ddaf09175ed7291 Fix Python 3 pylint errors """ See the full comment at https://github.com/freeipa/freeipa/pull/594#issuecomment-286831708 From freeipa-github-notification at redhat.com Wed Mar 15 18:12:02 2017 
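Review bot: the removed `Str('helper', ...)` definition in the PR #542 hunk quoted in MartinBasti's comment above carries a `label` and a `doc` string ("Name of CSR generation tool"), which marks it as an option users can pass, so callers that still supply `helper` would start failing once it is dropped outright. Consider keeping the parameter accepted for now, marked as deprecated and ignored, and state the removal and its compatibility impact in the PR description.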
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Mar 2017 19:12:02 +0100 Subject: [Freeipa-devel] [freeipa PR#594][closed] Fix Python 3 pylint errors In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/594 Author: tiran Title: #594: Fix Python 3 pylint errors Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/594/head:pr594 git checkout pr594 From freeipa-github-notification at redhat.com Wed Mar 15 18:12:40 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Mar 2017 19:12:40 +0100 Subject: [Freeipa-devel] [freeipa PR#587][+pushed] Python 3: Fix session storage In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/587 Title: #587: Python 3: Fix session storage Label: +pushed From freeipa-github-notification at redhat.com Wed Mar 15 18:12:41 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Mar 2017 19:12:41 +0100 Subject: [Freeipa-devel] [freeipa PR#587][comment] Python 3: Fix session storage In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/587 Title: #587: Python 3: Fix session storage MartinBasti commented: """ master: * 42bc778c0c1de91f0d8dc695dfee4e5aea4cc1f0 Python 3: Fix session storage """ See the full comment at https://github.com/freeipa/freeipa/pull/587#issuecomment-286831940 From freeipa-github-notification at redhat.com Wed Mar 15 18:12:43 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Mar 2017 19:12:43 +0100 Subject: [Freeipa-devel] [freeipa PR#587][closed] Python 3: Fix session storage In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/587 Author: tiran Title: #587: Python 3: Fix session storage Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/587/head:pr587 git checkout pr587 From freeipa-github-notification at redhat.com Wed Mar 15 18:16:57 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 15 Mar 2017 19:16:57 +0100 Subject: [Freeipa-devel] [freeipa PR#593][synchronized] WIP: Add make patchcheck for developers In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/593 Author: tiran Title: #593: WIP: Add make patchcheck for developers Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/593/head:pr593 git checkout pr593 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-593.patch Type: text/x-diff Size: 16238 bytes Desc: not available URL: From mbasti at redhat.com Wed Mar 15 18:29:01 2017 
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 15 Mar 2017 19:29:01 +0100
Subject: [Freeipa-devel] Announcing FreeIPA 4.5.0
Message-ID: <9d9d0c43-53a6-43ae-da5c-f490716a1560@redhat.com>

Release date: 2017-03-15

The FreeIPA team would like to announce the FreeIPA 4.5.0 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 25 and Fedora 26 will be available soon in the official COPR repository:

This announcement is also available at .

== Highlights in 4.5.0 ==

=== Enhancements ===

==== AD User Short Names ====
Support for AD user short names has been added. Short names can be enabled from the CLI by setting `ipa config-mod --domain-resolution-order="domain.test:ad.domain1.test:ad.domain2.test"` or from the WebUI under the ''Configuration'' tab. No manual configuration on the SSSD side is required. Please note that this feature is not supported by SSSD yet and the work is tracked with
*

==== FIPS 140-2 Support ====
FreeIPA server and client can be installed on FIPS enabled systems. MD5 fingerprints have been replaced with SHA256. Variable ''fips_mode'' has been added to env that indicates whether FIPS is turned on on the server. Please note that FIPS 140-2 support may not work on some platforms because all dependencies of FreeIPA must support FIPS 140-2, which we cannot guarantee. (Should work with RHEL 7.4+.) The FreeIPA code itself is FIPS 140-2 compatible.
*

==== Certificate Identity Mapping ====
Support for multiple certificates on Smart cards has been added. The user can choose which certificate is used to authenticate. This allows multiple certificates to be defined per user. The same certificate can be used by different accounts, and the mapping between a certificate and an account can be done through binary match of the whole certificate or a match on custom certificate attributes (such as Subject + Issuer).
*

==== Improvements for Containerization ====
AD trust and KRA can be installed in one step in containers without the need to call subsequent ipa-adtrust-install and ipa-kra-install in containers. Option ''--setup-adtrust'' has been added to ''ipa-server-install'' and ''ipa-replica-install'', and option ''--setup-kra'' has been added to ''ipa-server-install''.
*
*

==== Semi-automatic Integration with External DNS ====
Option "--out" has been added to command "ipa dns-update-system-records". This option allows IPA system DNS records to be stored in nsupdate format in a specified file, which can be used with the nsupdate command to update records on an external DNS server. For more details see this howto
*

=== Known Issues ===
* CLI doesn't work after ''ipa-restore''
* AD Trust doesn't work with enabled FIPS mode
* ''cert-find'' does not find all certificates without sizelimit=0

=== Bug fixes ===
Contains all bugfixes and enhancements of the 4.4.1, 4.4.2, 4.4.3 releases

==== Installers Refactoring ====
The installers code base has been migrated into modules and much code duplication has been removed.
*

==== "Normal" group has been renamed to "Non-POSIX" in WebUI ====
In the web UI, the group type label "Normal" has been changed to "Non-POSIX" to be compatible with CLI options. The semantics of group types is unchanged.
*

==== Build System Refactoring ====
Several improvements of the FreeIPA build system have been done. If you are a package maintainer, please read the following design document.
*

==== LDAP Connection Management Refactoring ====
LDAP connection management has been standardized across FreeIPA and should prevent LDAP connection issues during installation and upgrades in future.
*

==== Do not fail when IPA server has shortname first in /etc/hosts ====
The Kerberos client library is now instructed not to attempt to canonicalize hostnames when issuing TGS requests. This improves security by avoiding DNS lookups during canonicalization and also improves robustness of service principal lookups in more complex DNS environments (clouds, containerized applications). Due to this change in behavior, care must be taken to specify the correct FQDN in host/service principals as no attempt to resolve e.g. short names will be made.
*

==== Replica Connection Check Improvements ====
The improved connection check reduces the possibility of failure in further installation steps. Now ports on both IPv4 and IPv6 addresses are checked (if available).
*

==== Replace NSS with OpenSSL ====
Should reduce the number of issues related to HTTPS connections. This change was also needed to support FIPS.
*

==== Fully customisable CA name ====
The CA subject name is now fully customisable, and is no longer required to be related to the certificate subject base. The ''ipa-server-install'' and ''ipa-ca-install'' commands learned the ''--ca-subject'' and ''--subject-base'' options for configuring these values.
*

== Upgrading ==
Upgrade instructions are available on the [[Upgrade]] page.

== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel on Freenode.

== Resolved tickets == * 6764 debian: python modules should be installed under dist-packages * 6759 replica prepare broken on KDC cert export * 6755 [certs.py] - "ipa-replica-prepare" command fails when trying to unlink non-existing "tmpcert.der" file in /var/lib/ipa/ * 6750 Web page ipa/config/ssbrowser.html refers to missing ipa/config/ca.crt file * 6739 Cannot login to replica's WebUI * 6735 The ipa-managed-entries command failed, exception: AttributeError: ldap2 * 6734 vaultconfig-show throws internal error * 6731 ipa-server-install: allow to in install KRA in one step * 6730 Harden client HTTPS connections * 6724 [test_csrgen.py] - comparison test scripts not reflected changes in "openssl_base.tmpl" * 6723 ipa systemd unit should define Wants=network instead of Requires=network * 6718 SessionMaxAge in /etc/httpd/conf.d/ipa.conf introduces regression * 6717 WebUI: change structure of Identity submenu * 6714 ipaclient.csrgen depends on ipaplatform * 6713 ipa: Insufficient permission check for ca-del, ca-disable and ca-enable commands (CVE-2017-2590) * 6712 WebUI: Arbitrary certificates on {user|host|service} details pages are not displayed in WebUI * 6707 Removal of IPAConfig broke Ipsilon's FreeIPA integration * 6701 Add SHA256 fingerprints * 6698 User with ticket gets GSS failure when calling freeipa CLI command * 6694 ipa-client-install command failed, TypeError: list found * 6690 Plugin schema cache is slow * 6686 ipa-replica-install fails promotecustodia.create_replica with cert errors (untrusted) after adding externally signed CA cert * 6685 logout does not work properly * 6682 session logout should not remove ccache * 6680 kra-agent.pem file is not auto-renewed by certmonger * 6676 unable to parse cookie header * 6675 KRA_AGENT_PEM file is missing * 6674 ipactl: noise error from pki-tomcatd start * 6673 httpd unit files deletes root ccache * 6670 PKINIT upgrade process is incomplete * 6661 Move ipa session data from keyring to ccaches * 6659 ipa-backup 
does not include /root/kracert.p12 * 6650 [vault] Replace nss crypto with cryptography * 6648 Make ipa-cacert-manage man page more clear * 6647 batch param compatibility is incorrect * 6646 IdM Server: list all Employees with matching Smart Card * 6643 [RFE] Add ipa-whoami command * 6640 DS certificate request during replica install fails due to bytes/string mismatch * 6639 Rewrite the code handling discovery and adding of AD trust agents in AD trust installer * 6638 AD trust installer should be able to configure samba instance also without admin credentials * 6637 Build fails on Fedora 26 * 6636 UnboundLocalError during ipa-client-install * 6634 --ignore-last-of-role is not in man page * 6633 IPA replica install log shows password in plain text * 6631 Use Python warnings for development * 6630 Merge AD trust installer to server/replica install * 6629 Migrate AD trust installer on the new-style installer framework * 6625 WSGI fails with internal server error when mode != production (locked attribute) * 6623 Stageuser is missing -{add,remove}-{cert,principal} commands * 6620 Remove ipa-upgradeconfig command * 6619 krb5 1.15 broke DAL principal free * 6608 IPA server installation should check if IPv6 stack is enabled * 6607 Deprecate SSLv2 from API config * 6606 Full backup and restore prevents KRA from installing * 6601 [RFE] WebUI: Certificate Identity Mapping * 6600 Legacy client tests doesn't have tree domain role. 
* 6598 [webui] Show "CA replica warning" only if there one or more replicas but only 1 CA * 6597 ipapython.version.DEFAULT_PLUGINS is not configured * 6596 Update ETAs in installers * 6588 replication race condition prevents IPA to install * 6586 Minor string fixes in dsinstance.py * 6585 [RFE] nsupdate output format in dns-update-system-records command * 6584 ipa-client-install fails to get CA cert via LDAP when non-FQDN name of IPA server is first in /etc/hosts * 6578 IPA CLI will eventually stop working when invoked in parallel * 6575 ipa-replica-install fails on requesting DS cert when master is not configured with IPv6 * 6574 description of --domain and --realm is confusing * 6573 CA-less replica installation fails due to attempted cert issuance * 6570 Duplicate PKINIT certificates being tracked after restoring IPA backup on re-installed master * 6565 FreeIPA server install fails (and existing servers probably fail to start) due to changes in 'dyndb' feature on merge to upstream BIND * 6564 IPA WebUI certificates are grayed out on overview page but not on details page * 6559 [py3] switch to PY3 causes warnings from IPA schema cache * 6558 [Py3] http session cookie doesn't work under Py3 * 6551 Upgrade Samba configuration to not include keytab prefix * 6550 Refactor PKCS #7 parsing to use pyasn1_modules * 6548 [RFE] Mention ipa-backup in warning message before uninstalling IPA server * 6547 [RFE] Certificates issued by externally signed IdM CA should contain full trust chain * 6546 Delete option shouldn't be available for hosts applied to view. 
* 6542 [RFE] Certificate Identity Mapping * 6541 ipa-replica-install fails to import DS cert from replica file * 6540 Migration from ipa-3.0 fails due to crashing copy-schema-to-ca.py * 6539 ipa vault operations are not possible with an older server * 6538 KRA: add checks to prevent removing the last instance of KRA in topology * 6534 topology should not include A<->B segment "both" and B->A "left right" at the same time. * 6532 replica installation incorrectly sets nsds5replicabinddngroup/nsds5replicabinddngroupcheckinterval on IPA 3.x instance * 6526 remove "request certificate with subjectaltname" permission * 6522 ipa-replica-conncheck should check for open ports on all IPs resolved from hostname * 6518 Can not install IPA server when hostname is not DNS resolvable * 6514 replica install: request_service_cert doesn't raise error when certificate isuance failed * 6513 `ipa plugins` command crashes with internal error * 6512 Improve the robustness FreeIPA's i18n module and its tests * 6510 Wrong error message during failed domainlevel 0 installations without a replica file * 6508 ipa-ca-install on promoted replica hangs on creating a temporary CA admin * 6505 Make ipapython.kerberos.Principal.__repr__ show the actual principal name * 6504 Create a test for uniqueness of CA renewal master * 6503 IPA upgrade of replica without DNS fails during restart of named-pkcs11 * 6500 ipa-server-upgrade fails with AttributeError * 6498 Build system must regenerate file when template changes. 
* 6497 Misleading error message in replica_conn_check() * 6496 remove references to ds_newinst.pl * 6495 DNSSEC: ipa-ods-expoter.socket creates incorrect socket and breaks DNSSEC signing * 6492 Register entry points of Custodia plugins * 6490 Add local-env subcommand to ipa script * 6489 Provide legacy client test coverage with tree root domain * 6487 ipa-replica-conncheck fails randomly (race condition) * 6486 Add NTP server list to ipaplatform * 6481 Create a test for instantiating rules with service principals * 6480 Update man page for ipa-adtrust-install by removing --no-msdcs option * 6474 Remove ipaplatform dependency from ipa modules * 6472 cert-request no longer accepts CSR with extraneous data surrounding PEM data * 6469 Use xml.etree instead of lxml in odsmgr.py * 6466 [abrt] krb5-server: ipadb_change_pwd(): kdb5_util killed by SIGSEGV * 6461 LDAP Connection Management refactoring * 6460 NSSNickname enclosed in single quotes causes ipa-server-certinstall failure * 6457 ipa dnsrecord-add fails with Keyerror stack trace * 6455 Add example of RDN order for ipa-server-install --subject * 6451 Automate managed replication topology 4.4 features * 6448 Tests: Stageuser tracker creation of user with minimal values, with uid not specified * 6446 Create test for kerberos over http * 6445 Traceback seen in error_log when trustdomain-del is run * 6439 Members of nested netgroups configured in IdM cannot be seen by getent on clients * 6435 Fix zanata.xml config to skip testing ipa.pot file * 6434 Installers: perform host enrollment also in domain level 0 replica install * 6433 Refactor installer code requesting certificates * 6420 Pretty print option of pytest makes tracker fail when used in ipa console * 6419 cert-show default output does not show validity * 6417 Skip topology disconnect/last of role checks when uninstalling single domain level 1 master * 6415 replica-install creates spurious entries in cn=certificates * 6412 Create tests for certs in idoverrides 
feature * 6410 Tests: Verify that cert commands show CA without --all * 6409 [RFE] extend ipa-getkeytab to support other LDAP bind methods * 6406 Use common mechanism for setting up initial replication in both domain levels * 6405 unify domain level-specific mechanisms for replica's DS/HTTP keytab generation * 6402 IPA Allows Password Reuse with History value defined when admin resets the password. * 6401 Revert expected returncode in replica_promotion test * 6400 Add file_exists method as a member of transport object * 6399 Object-Signing cert is unused; don't create it * 6398 Refactor certificate inspection code to use python-cryptography * 6397 WebUI: Services are not displayed correctly after upgrade * 6396 Cleanup AD trust information after tests * 6394 WebUI: Update Patternfly and Bootstrap to newer versions * 6393 Make httpd publish CA certificate on Domain Level 1 * 6392 Installers refactoring tracker * 6388 WebUI: Adder dialog cannot be reopened in case that it is closed using ESC and dropdown field was focuseded * 6386 Use api.env.nss_dir instead of paths.IPA_NSSDB_DIR * 6384 Web UI: Lowercase "b" in the "API browser" subtab label * 6381 ipa-cacert-manage man page should mention to run ipa-certupdate * 6375 ipa-replica-install fails when replica file created after ipa-ca-install on domain level 0 * 6372 [RFE] allow managing prioritized list of trusted domains for unqualified ID resolution * 6369 [tracker] raise 389 requires when "Total init may fail if the pushed schema is rejected" is part of update * 6365 Custodia compatibility: add iSecStore.span method * 6359 test_0003_find_OCSP will never fail * 6358 ipa migrate-ds fails when it finds a referral * 6357 ipa-server-install script option --no_hbac_allow should match other options * 6354 regression: certmap.conf file is not backedup during ipa-server-upgrade * 6352 replica promotion with OTP: add additional info to ""Insufficient privileges" error message * 6347 Tests: provide trust test coverage for 
tree root domains * 6344 [RFE] support URI resource records * 6343 [RFE] Allow login to WebUI using Kerberos aliases/enterprise principals * 6340 IPA client ipv6 - invalid --ip-address shows traceback * 6335 Set priority as required filed in password policy * 6334 "Normal" group type in the UI is confusing * 6331 Reason is lost when CheckedIPAddress returns ValueError in ipa-client-install * 6308 [webui] Does not handle uppercase authentication indicators. * 6305 host/service-mod with --certificate= (remove all certs) does not revoke certs * 6295 cert-request is not aware of Kerberos principal aliases * 6269 cert-find --all does not show information about revocation * 6263 ipa-server-certinstall does not update all certificate stores and doesn't set proper trust permissions * 6226 ipa-replica-install in CA-less environment does not configure DS TLS - ipa-ca-install then fails on replica * 6225 [RFE] Web UI: allow Smart Card authentication - finalization * 6202 ipa-client-install - document that --server option expects FQDN * 6178 Add options to retrieve lightweight CA certificate/chain * 6169 ipa dnsforwardzone-add w/o arguments fails * 6144 RPC code should be agnostic to display layer * 6132 Broken setup if 3rd party CA certificate conflicts with system-wide CA certificate * 6128 Tests: Base tracker contains leftover attributes from host tracker * 6126 Tests: User tracker does not enable creation of user with minimal values * 6125 Tests: unaccessible variable self.attrs for entries that are not created via standard create method in Tracker * 6124 Tests: remove --force option from tracker base class * 6123 Tests: Tracker enables silent deleting and creating entries * 6114 Traceback message seen when ipa is provided with invalid configuration file name * 6088 test_installation.py tests involving KRA installation on replicas fail in domain level 0 * 6005 Create an automated test for Certs in idoverrides feature * 5949 ipa-server-install: improve prompt on interactive 
installation * 5935 [py3] DNSName.ToASCII broken with python3 * 5742 [RFE] [webui] Configurable page size / User config page * 5695 [RFE] FreeIPA on FIPS enabled systems * 5640 Framework does not respect sizelimit passed via webUI in some searches * 5348 [tracker] dig + dnssec does not display signature of freshly created root zone * 4821 UI drops "Unknown Error" when the ipa record in /etc/hosts changes * 4189 [RFE] Use GSS-Proxy for the HTTP service * 3461 [RFE] Extend freeipa's sudo to support selinux transition roles * 157 Python 3.2a1 in rawhide == Detailed changelog since 4.4.4 == === Jan Barta (8) === * pylint: fix bad-mcs-method-argument * pylint: fix bad-mcs-classmethod-argument * pylint: fix bad-classmethod-argument * pylint: fix old-style-class * pylint: fix redefine-in-handler * pylint: fix pointless-statement * pylint: fix unneeded-not * pylint: fix simplifiable-if-statement warnings === Alexander Bokovoy (7) === * ipaserver/dcerpc.py: use arcfour_encrypt from samba * add whoami command * pkinit: make sure to have proper dictionary for Kerberos instance on upgrade * ipa-kdb: support KDB DAL version 6.1 * ipa-kdb: search for password policies globally * adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf * trustdomain-del: fix the way how subdomain is searched === Abhijeet Kasurde (11) === * Minor typo fix in DNS install plugin * Update warning message for replica install * Add fix for ipa plugins command * Update man page of ipa-server-install * Remove deprecated ipa-upgradeconfig command * Update warning message for ipa server uninstall * Fix for handling CalledProcessError in authconfig * Enumerate available options in IPA installer * Provide user hint about IP address in IPA install * Add fix for no-hbac-allow option in server install * Added a fix for setting Priority as required field in Password Policy Details facet === Ben Lipton (8) === * csrgen: Support encrypted private keys * csrgen: Allow overriding the CSR generation 
profile
* csrgen: Automate full cert request flow
* tests: Add tests for CSR autogeneration
* csrgen: Use data_sources option to define which fields are rendered
* csrgen: Add a CSR generation profile for user certificates
* csrgen: Add CSR generation profile for caIPAserviceCert
* csrgen: Add code to generate scripts that generate CSRs

=== Christian Heimes (88) ===
* Add PYTHON_INSTALL_EXTRA_OPTIONS and --install-layout=deb
* Make pylint and jsl optional
* Ignore ipapython/.DEFAULT_PLUGINS
* Run test_ipaclient test suite
* Chain CSR generator file loaders
* Move csrgen templates into ipaclient package
* Use https to get security domain from Dogtag
* Cleanup certdb
* Default to pkginstall=true without duplicated definitions
* pylint: ignore pypi placeholders
* Python build: use --build-base everywhere
* Add with_wheels global to install wheel and PyPI packaging dependencies
* Add placeholders for ipaplatform, ipaserver and ipatests
* Add python-wheel as build requirement
* Packaging: Add placeholder packages
* Vault: port key wrapping to python-cryptography
* Remove NSPRError exception from platform tasks
* Remove import nss from test_ldap
* certdb: Don't restore_context() of new NSSDB
* Finish port to PyCA cryptography
* Drop in-memory copy of schema zip file
* Speed up client schema cache
* C compilation fixes and hardening
* lite-server: validate LDAP connection and cache schema
* Add --without-ipatests option
* Add missing include of stdint.h for uint8_t
* Client-only builds with --disable-server
* New lite-server implementation
* Explain more performance tricks in doc string
* Fix test, nested lists are no longer converted to nested tuples
* Pretty print JSON in debug mode (debug level >= 2)
* Convert list to tuples
* Faster JSON encoder/decoder
* Backup /root/kracert.p12
* Ditch version_info and use version number from ipapython.version
* test_StrEnum: use int as bad type
* Stable _is_null check
* cryptography has deprecated serial in favor of serial_number
* Enable additional warnings (BytesWarning, DeprecationWarning)
* Print test env information
* Clean / ignore make check artefact
* ipapython: Add dependencies on version.py
* pytest: set rules to find test files and functions
* Fix used before assignment bug in host_port_open()
* Use pytest conftest.py and drop pytest.ini
* Catch ValueError raised by pytest.config.getoption()
* Silence pylint import errors of ipaserver in ipalib and ipaclient
* Relax check for .git to support freeipa in submodules
* Ignore backup~ files like config.h.in~
* Fetch correct exception in IPA_CONFDIR test
* Use env var IPA_CONFDIR to get confdir
* Set explicit confdir option for global contexts
* Remove import of ipaplatform.paths from test_ipalib
* Remove BIN_FALSE and BIN_TRUE
* Add pylint guard to import of ipaplatform in ipapython.certdb
* Require python-gssapi >= 1.2.0, take 2
* Backwards compatibility with setuptools 0.9.8
* Require python-cryptography >= 1.3.1
* Wheel bundles fixes
* Require python-gssapi >= 1.2.0
* Adjustments for setup requirements
* wrap long line
* Silence import warnings for Samba bindings
* Fix Python 3 bugs discovered by pylint
* Python3 pylint fixes
* Add main guards to a couple of Python scripts
* Break ipaplatform / ipalib import cycle of hell
* Replace LooseVersion
* Don't ship install subpackages with wheels
* Minor fixes for IPAVersion class
* Pylint: whitelist packages with extension modules
* Add 'ipa localenv' subcommand
* ipapython and ipatest no longer require lxml
* Register entry points of Custodia plugins
* Use xml.etree in ipa-client-automount script
* Port ipapython.dnssec.odsmgr to xml.etree
* Add install requirements to Python packages
* Make api.env.nss_dir relative to api.env.confdir
* Don't modify redhat_system_units
* Use correct classifiers to make setup.py files PyPI compatible
* Use api.env.nss_dir instead of paths.IPA_NSSDB_DIR
* Add __name__ == __main__ guards to setup.pys
* Remove ipapython/ipa.conf
* Port all setup.py to setuptools
* Replace ipaplatform's symlinks with a meta importer
* Move ipa.1 man file
* Add iSecStore.span
* Use RSA-OAEP instead of RSA PKCS#1 v1.5

=== David Kupka (20) ===
* rpcserver: x509_login: Handle unsuccessful certificate login gracefully
* Bump required version of gssproxy to 0.7.0
* tests: Add tests for kerberos principal aliases in stageuser
* tests: kerberos_principal_aliases: Deduplicate tests
* tests: Stageuser-{add,remove}-cert
* tests: add-remove-cert: Use harcoded certificates instead of requesting them
* ipalib.x509: Handle missing SAN gracefully
* stageuser: Add stageuser-{add,remove}-principal
* stageuser: Add stageuser-{add,remove}-cert
* build: Add missing dependency on libxmlrpc{,_util}
* ipaclient: schema cache: Handle malformed server info data gracefully
* schema_cache: Make handling of string compatible with python3
* installer: Stop adding distro-specific NTP servers into ntp.conf
* tests: Expect krbpwdpolicyreference in result of {host,service}-{find,show} --all
* password policy: Add explicit default password policy for hosts and services
* ipaclient.plugins: Use api_version from internally called commands
* tests: Mark 389-ds acceptance tests
* tests: Mark Dogtag acceptance tests
* UnsafeIPAddress: Implement __(g|s)etstate__ and to ensure proper (un)pickling
* schema cache: Store and check info for pre-schema servers

=== Florence Blanc-Renaud (20) ===
* Installation must publish CA cert in /usr/share/ipa/html/ca.crt
* IdM Server: list all Employees with matching Smart Card
* ipa systemd unit should define Wants=network instead of Requires=network
* Support for Certificate Identity Mapping
* Define template version in certmap.conf
* Fix ipa.service unit re. gssproxy
* Do not configure PKI ajp redirection to use "::1"
* ipa-kra-install must create directory if it does not exist
* ipa-restore must stop tracking PKINIT cert in the preparation phase
* Increase the timeout waiting for certificate issuance in installer
* Check the result of cert request in replica installer
* Fix ipa-replica-install when upgrade from ca-less to ca-full
* Fix ipa migrate-ds when it finds a search reference
* Fix renewal lock issues on installation
* Refactor installer code requesting certificates
* Use autobind instead of host keytab authentication in dogtag-ipa-ca-renew-agent
* Fix ipa-cacert-manage man page
* Add cert checks in ipa-server-certinstall
* Fix regression introduced in ipa-certupdate
* Fix ipa-certupdate for CA-less installation

=== Fraser Tweedale (52) ===
* rabase.get_certificate: make serial number arg mandatory
* Extract method to map principal to princpal type
* Remove redundant principal_type argument
* dogtag: remove redundant property definition
* ca: correctly authorise ca-del, ca-enable and ca-disable
* replica install: relax domain level check for promotion
* Fix reference before assignment
* private_ccache: yield ccache name
* Add sanity checks for use of --ca-subject and --subject-base
* Indicate that ca subject / subject base uses LDAP RDN order
* Allow full customisability of IPA CA subject DN
* Reuse self.api when executing ca_enabled_check
* dsinstance: extract function for writing certmap.conf
* ipa-ca-install: add missing --subject-base option
* Extract function for computing default subject base
* installer: rename --subject to --subject-base
* installutils: remove hardcoded subject DN assumption
* Refactor and relocate set_subject_base_in_config
* dsinstance: minor string fixes
* Set up DS TLS on replica in CA-less topology
* Remove "Request Certificate with SubjectAltName" permission
* Fix DL1 replica installation in CA-less topology
* certprofile-mod: correctly authorise config update
* Fix regression in test suite
* Add options to write lightweight CA cert or chain to file
* certdb: accumulate extracted certs as list of PEMs
* Add function for extracting PEM certs from PKCS #7
* cert-request: match names against principal aliases
* Remove references to ds_newinst.pl
* cert-request: accept CSRs with extraneous data
* Ensure correct IPA CA nickname in DS and HTTP NSSDBs
* Remove __main__ code from ipalib.x509 and ipalib.pkcs10
* x509: use python-cryptography to process certs
* x509: use pyasn1-modules X.509 specs
* x509: avoid use of nss.data_to_hex
* pkcs10: remove pyasn1 PKCS #10 spec
* pkcs10: use python-cryptography for CSR processing
* dn: support conversion from python-cryptography Name
* cert-show: show validity in default output
* Do not create Object Signing certificate
* Add commentary about CA deletion to plugin doc
* spec: require Dogtag >= 10.3.5-6
* sudorule: add SELinux transition examples to plugin doc
* Fix cert revocation when removing all certs via host/service-mod
* cert-request: raise error when request fails
* Make host/service cert revocation aware of lightweight CAs
* cert-request: raise CertificateOperationError if CA disabled
* Use Dogtag REST API for certificate requests
* Add HTTPRequestError class
* Allow Dogtag RestClient to perform requests without logging in
* Add ca-disable and ca-enable commands
* Track lightweight CAs on replica installation

=== Ganna Kaihorodova (7) ===
* Tests: Basic coverage with tree root domain
* User Tracker: Test to create user with minimal values
* User Tracker: creation of user with minimal values
* Stage User: Test to create stage user with minimal values
* Tests: Stage User Tracker implementation
* Tests: Add tree root domain role in legacy client tests
* Unaccessible variable self.attrs in Tracker

=== Jan Cholasta (106) ===
* spec file: always provide python package aliases
* spec file: support client-only build
* spec file: support build without ipatests
* slapi plugins: fix CFLAGS
* spec file: add unconditional python-setuptools BuildRequires
* httpinstance: disable system trust module in /etc/httpd/alias
* csrgen: hide cert-get-requestdata in CLI
* cert: include certificate chain in cert command output
* cert: add output file option to cert-request
* Travis CI: run tests in development mode
* backend plugins: fix crashes in development mode
* vault: cache the transport certificate on client
* rpc: fix crash in verbose mode
* install: re-introduce option groups
* install CLI: remove magic option groups
* client install: split off SSSD options into a separate class
* server install: remove duplicate knob definitions
* install: add missing space in realm_name description
* server install: remove duplicate -w option
* certmap: load certificate from file in certmap-match CLI
* pylint_plugins: add forbidden import checker
* ipapython: fix DEFAULT_PLUGINS in version.py
* config: re-add `init_config` and `config`
* dns: fix `dnsrecord_add` interactive mode
* server install: do not attempt to issue PKINIT cert in CA-less
* compat: fix `Any` params in `batch` and `dnsrecord`
* scripts, tests: explicitly set confdir in the rest of server code
* server upgrade: uninstall ipa_memcached properly
* server upgrade: always upgrade KRA agent PEM file
* server upgrade: fix upgrade from pre-4.0
* server upgrade: fix upgrade in CA-less
* client install: create /etc/ipa/nssdb with correct mode
* ipaldap: preserve order of values in LDAPEntry._sync()
* replica install: do not log host OTP
* tests: add test for PEM certificate files with leading text
* ipa-ca-install: do not fail without --subject-base and --ca-subject
* cert: fix search limit handling in cert-find
* dogtag: search past the first 100 certificates
* ipaldap: properly escape raw binary values in LDAP filters
* client install: correctly report all failures
* cainstance: do not configure renewal guard
* dogtaginstance: track server certificate with our renew agent
* renew agent: handle non-replicated certificates
* ca: fix ca-find with --pkey-only
* spec file: revert to the previous Release tag
* x509: use PyASN1 to parse PKCS#7
* server install: fix KRA agent PEM file not being created
* spec file: do not define with_lint inside a comment
* certdb: fix PKCS#12 import with empty password
* server install: fix external CA install
* replica install: track the RA agent certificate again
* ipaclient: remove hard dependency on ipaplatform
* ipaclient: move install modules to the install subpackage
* ipalib: remove hard dependency on ipapython
* constants: remove CACERT
* ipalib: move certstore to the install subpackage
* ipapython: remove hard dependency on ipaplatform
* ipautil: move file encryption functions to installutils
* ipautil: move kinit functions to ipalib.install
* ipautil: move is_fips_enabled() to ipaplatform.tasks
* ipautil: remove the timeout argument of run()
* ipautil: remove get_domain_name()
* ipautil: remove SHARE_DIR and PLUGIN_SHARE_DIR
* certdb: use a temporary file to pass password to pk12util
* certdb: move IPA NSS DB install functions to ipaclient.install
* ipapython: move certmonger and sysrestore to ipalib.install
* ipapython: move dnssec, p11helper and secrets to ipaserver
* custodiainstance: automatic restart on config file update
* paths: remove DEV_NULL
* install: migrate client install to the new class hierarchy
* install: allow specifying verbosity and console log format in CLI
* install: migrate server installers to the new class hierarchy
* install: introduce installer class hierarchy
* install: fix subclassing of knob groups
* install: make knob base declaration explicit
* install: declare knob CLI names using the argparse convention
* install: use standard Python classes to declare knob types
* install: introduce updated knob constructor
* install: simplify CLI option parsing
* install: improve CLI positional argument handling
* install: use ldaps for pkispawn in ipa-ca-install
* replica install: fix DS restart failure during replica promotion
* replica install: merge KRA agent cert export into KRA install
* replica install: merge RA cert import into CA install
* server install: do not restart httpd during CA install
* install: merge all KRA install code paths into one
* install: merge all CA install code paths into one
* replica install: use one remote KRA host name everywhere
* replica install: use one remote CA host name everywhere
* spec file: bump minimal required version of 389-ds-base
* pwpolicy: do not run klist on import
* client: remove unused libcurl build dependency
* makeapi, makeaci: do not fail on missing imports
* ipaserver: remove ipalib import from setup.py
* pylint: enable the import-error check
* spec file: do not include BuildRequires for lint by default
* spec file: clean up BuildRequires
* cert: add revocation reason back to cert-find output
* test_plugable: update the rest of test_init
* dns: re-introduce --raw in dnsrecord-del
* client: remove hard dependency on pam_krb5
* cert: fix cert-find --certificate when the cert is not in LDAP
* dns: fix crash in interactive mode against old servers
* dns: prompt for missing record parts in CLI
* dns: normalize record type read interactively in dnsrecord_add
* cli: use full name when executing a command

=== Lenka Doudova (23) ===
* Document make_delete_command method in UserTracker
* Tests: Providing trust tests with tree root domain
* Tests: Verify that validity info is present in cert-show and cert-find command
* Add file_exists method as a member of transport object
* Tests: Provide AD cleanup for legacy client tests
* Tests: Provide AD cleanup for trust tests
* Tests: Fix integration sudo test
* Tests: Verify that cert commands show CA without --all
* Tests: Certificate revocation
* Tests: Remove invalid certplugin tests
* Tests: Fix failing test_ipalib/test_parameters
* Tests: Remove silent deleting and creating entries by tracker
* Tests: Remove usage of krb5 ccache from test_ipaserver/test_ldap
* Tests: Fix host attributes in ipa-join host test
* Tests: Update host test with ipa-join
* Tests: Add krb5kdc.service restart to integration trust tests
* Tests: Remove unnecessary attributes from base tracker
* Tests: Remove --force options from tracker base class
* Tests: Remove SSSD restart from integration tests
* Tests: Fix integration sudo tests setup and checks
* Tests: Fix failing ldap.backend test
* Tests: Add cleanup to integration trust tests
* Tests: Fix regex errors in integration trust tests

=== Ludwig Krispenz (1) ===
* Check for conflict entries before raising domain level

=== Lukas Slebodnik (6) ===
* CONFIGURE: Improve detection of xmlrpc_c flags
* CONFIGURE: Properly detect libpopt on el7
* ipa_pwd: remove unnecessary dependency on dirsrv plugins
* SPEC: Fix build in mock
* CONFIGURE: Update help message for jslint
* CONFIGURE: Fix detection of pylint

=== Martin Babinsky (113) ===
* Try out anonymous PKINIT after it is configured
* check for replica's KDC entry on master before requesting PKINIT cert
* check that the master requesting PKINIT cert has KDC enabled
* Make wait_for_entry raise exceptions
* Move PKINIT configuration to a later stage of server/replica install
* Request PKINIT cert directly from Dogtag API on first master
* Make PKINIT certificate request logic consistent with other installers
* idviews: correctly handle modification of non-existent view
* Re-use trust domain retrieval code in certmap validators
* idview: add domain_resolution_order attribute
* ipaconfig: add the ability to manipulate domain resolution order
* Short name resolution: introduce the required schema
* ipa-managed-entries: only permit running the command on IPA master
* ipa-managed-entries: use server-mode API
* Allow login to WebUI using Kerberos aliases/enterprise principals
* Provide basic integration tests for built-in AD trust installer
* Update server/replica installer man pages
* Fix erroneous short name options in ipa-adtrust-install man page
* Merge AD trust configurator into replica installer
* Merge AD trust configurator into server installer
* expose AD trust related knobs in composite installers
* Add AD trust installer interface for composite installer
* check for installed dependencies when *not* in standalone mode
* print the installation info only in standalone mode
* adtrust.py: Use logging to emit error messages
* Refactor the code searching and presenting missing trust agents
* only check for netbios name when LDAP backend is connected
* Refactor the code checking for missing SIDs
* use the methods of the parent class to retrieve CIFS kerberos keys
* httpinstance: re-use parent's methods to retrieve anonymous keytab
* Make request_service_keytab into a public method
* allow for more flexibility when requesting service keytab
* Move AD trust installation code to a separate module
* Replace exit() calls with exceptions
* Remove unused variables in exception handling
* ipa-adtrust-install: format the code for PEP-8 compliance
* Travis CI: Upload the logs from failed jobs to transfer.sh
* Explicitly handle quoting/unquoting of NSSNickname directive
* Delegate directive value quoting/unquoting to separate functions
* installutils: improve directive value parsing in `get_directive`
* Fix the installutils.set_directive docstring
* disable hostname canonicalization by Kerberos library
* Travis CI: actually return non-zero exit status when the test job fails
* Trim the test runner log to show only pytest failures/errors
* Add license headers to the files used by Travis CI
* Travis CI: use specific Python version during build
* introduce install step to .travis.yml and cache pip installs
* split out lint to a separate Travis job
* Travis: offload test execution to a separate script
* Travis CI: a separate script to run test tasks
* Put the commands informing and displaying build logs on single line
* travis: mark FreeIPA as python project
* Bump up ipa-docker-test-runner version
* Add a basic test suite for `kadmin.local` interface
* Make `kadmin` family of functions return the result of ipautil.run
* gracefully handle setting replica bind dn group on old masters
* add missing attribute to ipaca replica during CA topology update
* Revert "upgrade: add replica bind DN group check interval to CA topology config"
* bindinstance: use data in named.conf to determine configuration status
* Use ipa-docker-test-runner to run tests in Travis CI
* Configuration file for ipa-docker-test-runner
* Add 'env_confdir' to constants
* Fix pep-8 transgressions in ipalib/misc.py
* Make `env` and `plugins` commands local again
* Revert "Add 'ipa localenv' subcommand"
* Enhance __repr__ method of Principal
* replication: ensure bind DN group check interval is set on replica config
* upgrade: add replica bind DN group check interval to CA topology config
* Improve the robustness FreeIPA's i18n module and its tests
* Use common procedure to setup initial replication in both domain levels
* ensure that the initial sync using GSSAPI works agains old masters
* replication: refactor the code setting principals as replica bind DNs
* replication: augment setup_promote_replication method
* Turn replication manager group into ReplicationManager class member
* Fix the naming of ipa-dnskeysyncd service principal
* installutils: remove 'install_service_keytab' function
* domain-level agnostic keytab retrieval in httpinstance
* installers: restart DS after KDC is configured
* dsinstance: use keytab retrieval method from parent class
* use DM credentials to retrieve service keytab only in DLO
* Service: common method for service keytab requests
* Turn Kerberos-related properties to Service class members
* Make service user name a class member of Service
* service installers: clean up the inheritance
* fix incorrect invocation of ipa-getkeytab during DL0 host enrollment
* do partial host enrollment in domain level 0 replica install
* Separate function to purge IPA host principals from keytab
* certs: do not re-create NSS database when requesting service cert
* initialize empty /etc/http/alias during server/replica install
* CertDB: add API for non-destructive initialization from PKCS#12 bundle
* test_ipagetkeytab: use system-wide IPA CA cert location in tests
* Extend keytab retrieval test suite to cover new options
* Modernize ipa-getkeytab test suite
* extend ipa-getkeytab to support other LDAP bind methods
* ipa-getkeytab: expose CA cert path as option
* server-del: fix incorrect check for one IPA master
* Revert "Fix install scripts debugging"
* do not use keys() method when iterating through dictionaries
* remove trailing newlines form python modules
* mod_nss: use more robust quoting of NSSNickname directive
* Move character escaping function to ipautil
* Make Continuous installer continuous only during execution phase
* use separate exception handlers for executors and validators
* ipa passwd: use correct normalizer for user principals
* trust-fetch-domains: contact forest DCs when fetching trust domain info
* netgroup: avoid extraneous LDAP search when retrieving primary key from DN
* advise: Use `name` instead of `__name__` to get plugin names
* Use Travis-CI for basic sanity checks
* ldapupdate: Use proper inheritance in BadSyntax exception
* raise ValidationError when deprecated param is passed to command
* Always fetch forest info from root DCs when establishing one-way trust
* factor out `populate_remote_domain` method into module-level function
* Always fetch forest info from root DCs when establishing two-way trust

=== Martin Basti (134) ===
* Become IPA 4.5.0
* Update 4.5 translations
* Add copy-schema-to-ca for RHEL6 to contrib/
* Remove copy-schema-to-ca.py from master branch
* pylint: bump dependency to version >= 1.6
* backup: backup anonymous keytab
* tests: use --setup-kra in tests
* KRA: add --setup-kra to ipa-server-install
* man: add missing --setup-adtrust option to manpage
* ipactl restart: log httplib failues as debug
* Tests: search for disabled users
* Test: DNS nsupdate from dns-update-system-records
* DNS: dns-update-system-record can create nsupdate file
* py3: ipa_generate_password: do not compare None and Int
* py3: change_admin_password: use textual mode
* py3: create DNS zonefile: use textual mode
* py3: upgradeinstance: use bytes literals with LDIF operations
* py3: upgradeinstance: decode data before storing them as backup...
* py3: upgradeinstance: open dse.ldif in textual mode
* custodia: kem.set_keys: replace too-broad exception
* py3: kem.py: user bytes with ldap values
* py3: custodia: basedn must be unicode
* py3: configparser: use raw keyword
* py3: modify_s: attribute name must be str not bytes
* py3: ldapupdate: fix logging str(bytes) issue
* DNSSEC: forwarders validation improvement
* py3: test_ipaserver: fix BytesWarnings
* py3: get_memberofindirect: fix ByteWarnings
* py3: DN: fix BytesWarning
* Tests: fix wait_for_replication task
* py3: send Decimal number as string instead of base64 encoded value
* py3: ipaldap: properly encode DNSName to bytes
* py3: _convert_to_idna: fix bytes/unicode mistmatch
* py3: DNS: get_record_entry_attrs: do not modify dict during iteration
* py3: _ptrrecord_precallaback: use bytes with labels
* py3: remove_entry_from_group: attribute name must be string
* py3: base64 encoding/decoding returns always bytes don't mix it
* pki-base: use pki-base-python2 as dependency
* pki: add missing depedency pki-base[-python3]
* py3: x509.py: return principal as unicode string
* py3: tests_xmlrpc: do not call str() on bytes
* py3: normalize_certificate: support both bytes and unicode
* py3: strip_header: support both bytes and unicode
* py3: fingerprint_hex_sha256: fix encoding/decoding
* py3: fix CSR encoding inside framework
* Principal: validate type of input parameter
* Use dict comprehension
* py3: can_read: attributelevelrights is already string
* py3: get_effective_rights: values passed to ldap must be bytes
* py3: ipaldap: update encode/decode methods
* py3: rpcserver fix undefined variable
* py3: WSGI executioners must return bytes in list
* py3: session: fix r/w ccache data
* Py3: Fix undefined variable
* py3: rpcserver: decode input because json requires string
* py3: session.py decode server name to str
* Use proper logging for error messages
* wait_for_entry: use only DN as parameter
* py3: decode bytes for json.loads()
* dogtag.py: fix exception logging of JSON data
* py3: convert_attribute_members: don't use bytes as parameter for DN
* py3: make_filter_from_attr: use string instead of bytes
* py3: __add_acl: use standard ipaldap methods
* py3: add_entry_to_group: attribute name must be string not bytes
* py3: HTTPResponse has no 'dict' attribute in 'msg'
* py3: _httplib_request: don't convert string to bytes
* py3: cainstance: replace mkstemp with NamedTemporaryFile
* py3: write CA/KRA config into file opened in text mode
* py3: CA/KRA: config parser requires string
* py3: ipautil: open tempfiles in text mode
* py3: ldap modlist must have keys as string, not bytes
* py3: open temporary ldif file in text mode
* py3: service.py: replace mkstemp by NamedTemporaryFile
* py3: create_cert_db: write to file in a compatible way
* _resolve_records: fix assert, nameserver_ip can be none
* Remove duplicated step from DS install
* py3: enable py3 pylint
* Py3: Fix ToASCII method
* fix: regression in API version comparison
* ipactl: pass api as argument to services
* DNS: URI records: bump python-dns requirements
* remove Knob function
* KRA: don't add KRA container when KRA replica
* Zanata: exlude testing ipa.pot file
* client: use correct code for failed uninstall
* client: use exceptions instead of return states
* client: move install part to else branch
* client: move install cleanup from ipa-client-install to module
* client: move clean CCACHE to module
* client: fix script execution
* client: Remove useless except in ipa-client-install
* client: move custom env variable into client module
* client: extract checks from uninstall to uninstall_check
* client: extract checks from install to install_check
* client: move checks to client.install_check
* client: make statestore and fstore consistent with server
* IPAChangeConf: use constant for empty line
* client: import IPAChangeConf directly instead the module
* client: remove extra return from hardcode_ldap_server
* client: install function: return constant not hardcoded number
* client: remove unneded return from configure_ipa_conf
* client: remove unneded return configure_krb5_conf
* ipa-client-install: move client install to module
* CI: Disable KRA install tests on DL0
* CI: use --setup-kra with replica installation
* CI: extend replication layouts tests with KRA
* CI: workaround: wait for dogtag before replica-prepare
* Pylint: fix the rest of unused local variables
* Pylint: remove unused variables in tests
* Pylint: remove unused variables in ipaserver package
* Pylint: remove unused variables from installers and scripts
* Fix: find OSCP certificate test
* Pylint: enable check for unused-variables
* Remove unused variables in tests
* Remove unused variables in the code
* test_text: add test ipa.pot file for tests
* Pylint: enable global-variable-not-assigned check
* Pylint: enable cyclic-import check
* Test: dont use global variable for iteration in test_cert_plugin
* Use constant for user and group patterns
* Fix regexp patterns in parameters to not enforce length
* Add check for IP addresses into DNS installer
* Fix missing config.ips in promote_check
* Abstract procedures for IP address warnings
* Catch DNS exceptions during emptyzones named.conf upgrade
* Start named during configuration upgrade.
* Tests: extend DNS cmdline tests with lowercased record type
* Show warning when net/broadcast IP address is used in installer
* Allow multicast addresses in A/AAAA records
* Allow broadcast ip addresses
* Allow network ip addresses
* Fix parse errors with link-local addresses
* Fix ScriptError to always return string from __str__
* Bump master IPA devel version to 4.4.90

=== Martin Kosek (1) ===
* Update Contributors.txt

=== Milan Kubík (4) ===
* ipatests: Fix assert_deepequal outside of pytest process
* ipatests: Implement tests with CSRs requesting SAN
* ipatests: Fix name property on a service tracker
* ipatests: provide context manager for keytab usage in RPC tests

=== Michal Reznik (1) ===
* test_csrgen: adjusted comparison test scripts for CSRGenerator

=== Michal Židek (1) ===
* git: Add commit template

=== Nathaniel McCallum (3) ===
* Migrate OTP import script to python-cryptography
* Use RemoveOnStop to cleanup systemd sockets
* Properly handle LDAP socket closures in ipa-otpd

=== Oleg Fayans (45) ===
* Test: uniqueness of certificate renewal master
* Test: basic kerberos over http functionality
* Test: made kinit_admin a returning function
* tests: Added basic tests for certs in idoverrides
* Created idview tracker
* Test for installing rules with service principals
* Test: integration tests for certs in idoverrides feature
* Added interface to certutil
* Automated ipa-replica-manage del tests
* tests: Automated clean-ruv subcommand tests
* Reverted the essertion for replica uninstall returncode
* Test: disabled wrong client domain tests for domlevel 0
* tests: Fixed code styling in caless tests to make pep8 happy
* tests: Reverted erroneous asserts in 4 tests
* tests: fixed certinstall method
* tests: fixed super method invocation
* tests: added verbose assert to test_service_disable_doesnt_revoke
* tests: Standardized replica_preparation in test_no_certs
* tests: Implemented check for domainlevel before installation verification
* tests: Fixed Usage of improper certs in ca-less tests
* tests: fixed expects of incorrect error messages
* tests: Replaced unused setUp method with install
* tests: Replaced hardcoded certutil with imported from paths
* tests: Enabled negative testing for cleaning replication agreements
* tests: Made unapply_fixes call optional at master uninstallation
* tests: Updated master and replica installation methods to enable negative testing
* tests: Added necessary xfails
* tests: Added necessary getkeytabs calls to fixtures
* tests: Removed outdated command options test
* tests: Applied correct teardown methods
* tests: Fixed incorrect assert in verify_installation
* tests: Adapted installation methods to utilize methods from tasks
* tests: Removed call for install method from parent class
* tests: Added teardown methods for server and replica installation
* tests: Create a method that cleans all ipa certs
* tests: Updated ipa server installation stdin text
* tests: Added generation of missing certs
* tests: Added basic constraints extension to the CA certs
* tests: Fixed method failures during second call for the method
* Xfailed a test that fails due to 6250
* Fixed segment naming in topology tests
* Xfailed the tests due to a known bug with replica preparation
* Changed addressing to the client hosts to be replicas
* Several fixes in replica_promotion tests
* Removed incorrect check for returncode

=== Petr Čech (1) ===
* ipatests: nested netgroups (intg)

=== Petr Spacek (126) ===
* ipa_generate_password algorithm change
* Remove named-pkcs11 workarounds from DNSSEC tests.
* Build: forbid builds in working directories containing white spaces
* Build: always use Pylint from Python version used for rest of the build
* Build: specify BuildRequires for Python 3 pylint
* Build: makerpms.sh generates Python 2 & 3 packages at the same time
* Accept server host names resolvable only using /etc/hosts
* Build: properly integrate ipa.pot into build system tests
* Build: properly integrate ipasetup.py into build system
* Build: properly integrate version.py into build system
* Build: properly integrate loader.js into build system
* Build: properly integrate freeipa.spec.in into build system
* Build: properly integrate ipa-version.h.in into build system
* Build: workaround bug while calling parallel make from rpmbuild
* Build: remove ipa.pot from Git as it can be re-generated at any time
* Build: integrate translation system tests again
* Build: automatically generate list of files to be translated in configure
* Build: clean in po/ removes *~ files as well
* Build: support strip-po target for translations
* Build: use standard infrastructure for translations
* Build: fix path in ipa-ods-exporter.socket unit file
* Build: fix file dependencies for make-css.sh
* Build: update makerpms.sh to use same paths as rpmbuild
* Build: remove incorrect use of MAINTAINERCLEANFILES
* Build: enable silent build in makerpms.sh
* Build: support --enable-silent-rules for Python packages
* Build: workaround bug 1005235 related to Python paths in auto-generated Requires
* Build: document what should be in %install section of SPEC file
* Build: move web UI file installation from SPEC to Makefile.am
* Build: move server directory handling from SPEC to Makefile.am
* Build: move client directory handling from SPEC to Makefile.am
* Update man page for ipa-adtrust-install by removing --no-msdcs option
* Build: pass down %{release} from SPEC to configure
* Build: update IPA_VERSION_IS_GIT_SNAPSHOT to comply with PEP440
* Build: add make srpms target
* Build: IPA_VERSION_IS_GIT_SNAPSHOT re-generates version number on RPM build
* Build: use POSIX 1003.1-1988 (ustar) file format for tar archives
* Build: IPA_VERSION_IS_GIT_SNAPSHOT checks if source directory is Git repo
* Build: remove unused and redundant code from configure.ac and po/Makefile.in
* Build: fix make clean to remove build artifacts from top-level directory
* Build: fix make clean for web UI
* Build: add polint target for i18n tests
* Build: add makeapi lint target
* Build: add makeaci lint target
* Build: add JS lint target
* Build: add Python lint target
* Build: remove obsolete instructions about BuildRequires from BUILD.txt
* Build: add make rpms target and convenience script makerpms.sh
* Build: fix KDC proxy installation and remove unused kdcproxy.conf
* Build: remove unused dirs /var/cache/ipa/{sysupgrade,sysrestore} from SPEC
* Build: do not compress manual pages at install time
* Build: distribute doc directory
* Build: create /var/run directories at install time
* Build: integrate init and init/systemd into build system
* Build: remove init/SystemV directory
* Build: integrate contrib directory into build system
* Build: remove ancient checks/check-ra.py
* Build: integrate daemons/dnssec into build system
* Build: fix distribution of daemons/ipa-slapi-plugins/topology files
* Build: fix distribution of daemons/ipa-slapi-plugins/ipa-winsync files
* Build: fix distribution of daemons/ipa-slapi-plugins/ipa-sidgen files
* Build: fix distribution of daemons/ipa-slapi-plugins/ipa-pwd-extop files
* Build: fix distribution of daemons/ipa-slapi-plugins/ipa-otp-lasttoken files
* Build: fix distribution of daemons/ipa-slapi-plugins/ipa-otp-counter files
* Build: fix distribution of daemons/ipa-slapi-plugins/ipa-exdom-extop files
* Build: fix distribution of daemons/ipa-slapi-plugins/ipa-cldap files
* Build: fix distribution of ipa-slapi-plugins/common files
* Build: fix distribution of daemon/ipa-kdb files
* Build: fix distribution of client header file
* Build: fix distribution of asn1/asn1c files
* Build: fix distribution of install/REDME.schema file
* Build: fix distribution of oddjob files
* Build: Remove spurious EXTRA_DIST from install/share/Makefile.am
* Build: cleanup unused LDIFs from install/share
* Build: fix distribution of libexec scripts
* Build: fix distribution and installation of update LDIFs
* Web UI: Remove offline version of Web UI
* Build: fix distribution of static files for web UI
* Build: stop build when a step in web UI build fails
* Build: fix distribution and installation of static files in top-level directory
* Build: fix man page distribution
* Build: fix distdir target for translations
* Build: rename project from ipa-server to freeipa
* Build: remove non-existing README files from Makefile.am
* Build: fix Makefile.am files to separate source and build directories
* Build: respect --prefix for systemdsystemunitdir
* Build: fix make install in asn1 subdirectory
* Build: fix ipaplatform detection for out-of-tree builds
* Build: Makefiles for Python packages
* Build: fix module name in ipaserver/setup.py
* Build: replace hand-made Makefile with one generated by Automake
* Build: move version handling from Makefile to configure
* Docs: update docs about ipaplatform to match reality
* Build: replace ipaplatform magic with symlinks generated by configure
* Build docs: update platform selection instructions
* Build: split out egg-info Makefile target from version-update target
* Build: split API/ACI checks into separate Makefile targets
* Build: use default error handling for PKG_CHECK_MODULES
* Build: use libutil convenience library for client
* Build: cleanup INI library detection
* Build: modernize XMLRPC-client library detection
* Build: modernize CURL library detection
* Build: modernize SASL library detection
* Build: modernize POPT library detection
* Build: merge client/configure.ac into top-level configure.ac
* Build: remove Transifex support
* Build: move translations from
install/po/ to top-level po/ * Build: merge install/configure.ac into top-level configure.ac * Build: merge ipatests/man/configure.ac to top-level configure.ac * Build: merge asn1/configure.ac to top-level configure.ac * Build: transform util directory to libutil convenience library * Build: promote daemons/configure.ac to top-level configure.ac * Build: adjust include paths in daemons/ipa-kdb/tests/ipa_kdb_tests.c * Build: pass down LIBDIR definition from RPM SPEC to Makefile * Build: remove deprecated AC_STDC_HEADERS macro * Build: require Python >= 2.7 * Build: remove traces of mozldap library * Build: modernize crypto library detection * Build: modernize UUID library detection * Build: modernize Kerberos library detection * Build: add missing KRB5_LIBS to daemons/ipa-otpd * Tests: print what was expected from callables in xmlrpc_tests * DNS: Improve field descriptions for SRV records * DNS: Support URI resource record type * Fix compatibility with python-dns 1.15.0 * Raise errors from service.py:_ldap_mod() by default === Petr Vobornik (6) === * permissions: add permissions for read and mod of external group members * webui: do not warn about CAs if there is only one master * webui: fixes normalization of value in attributes widget * Change README to use Markdown * Raise errors.EnvironmentError if IPA_CONFDIR var is incorrectly used * replicainstall: log ACI and LDAP errors in promotion check === Pavel Vomacka (69) === * Remove allow_constrained_delegation from gssproxy.conf * WebUI: Add support for management of user short name resolution * WebUI: add link to login page which for login using certificate * Support certificate login after installation and upgrade * TESTS WebUI: Vaults management * TESTS: Add support for sidebar with facets * TESTS: Add support for KRA in ui_driver * WebUI: add vault management * WebUI: allow to show rows with same pkey in tables * WebUI: search facet's default actions might be overriden * Add possibility to hide only one tab in 
sidebar * Possibility to set list of table attributes which will be added to _del command * Extend _show command after _find command in table facets * Add possibility to pass url parameter to update command of details page * Add property which allows refresh command to use url value * Added optional option in refreshing after modifying association table * Possibility to skip checking writable according to metadata * Allow to set another other_entity name * Additional option to add and del operations can be set * WebUI: Add cermapmatch module * WebUI: Add Adapter for certmap_match result table * WebUI: Possibility to choose object when API call returns list of objects * WebUI: Add possibility to turn of autoload when details.load is called * WebUI: don't change casing of Auth Indicators values * WebUI: Allow disabling lowering text in custom_checkbox_widget * Add support for custom table pagination size * Make singleton from config module * Add javascript integer validator * WebUI: Add certmap module * WebUI: Add Custom command multivalued adder dialog * WebUI: Create non editable row widget for mutlivalued widget * WebUI: Add possibility to set field always writable * WebUI: Change structure of Identity submenu * WebUI: add sizelimit:0 to cert-find * WebUI: fix incorrect behavior of ESC button on combobox * WebUI: add default on_cancel function in adder_dialog * Coverity: removed useless semicolon which ends statement earlier * Coverity: Fix possibility of access to attribute of undefined * Change activity text while loading metadata * Refactoring of rpc module * WebUI: update Patternfly and Bootstrap * WebUI: Hide incorrectly shown buttons on hosts tab in ID Views * Lowered the version of gettext * Add python-pyasn1-modules into dependencies * Adjustments for setup requirements v2 * TESTS: Update group type name * Coverity - null pointer dereference * Coverity - accessing attribute of variable which can point to null * Coverity - opens dialog which might not be 
created * Coverity - iterating over variable which could be null * Coverity - null pointer dereference * Coverity - true branch can't be executed * Coverity - true branch can't be executed * Coverity - removed dead code * Coverity - Accesing attribute of null * Coverity - identical code for different branches * Coverity - not initialized variable * Coverity - null pointer exception * Coverity - null pointer exception * WebUI: services without canonical name are shown correctly * WebUI: fix API Browser menu label * Add tooltip to all fields in DNS record adder dialog * WebUI: hide buttons in certificate widget according to acl * WebUI: Change group name from 'normal' to 'Non-POSIX' * WebUI: Add handling for HTTP error 404 * Add 'Restore' option to action dropdown menu * WebUI add support for sub-CAs while revoking certificates * WebUI: Fix showing certificates issued by sub-CA * Add support for additional options taken from table facet === Gabe (1) === * Allow nsaccountlock to be searched in user-find command === Simo Sorce (31) === * Store session cookie in a ccache option * Add support for searching policies in cn=accounts * Add code to retrieve results from multiple bases * Use GSS-SPNEGO if connecting locally * Limit sessions to 30 minutes by default * Remove non-sensical kdestroy on https stop * Fix session logout * Deduplicate session cookies in headers * Change session logout to kill only the cookie * Insure removal of session on identity change * Explicitly pass down ccache names for connections * Allow rpc callers to pass ccache and service names * Fix uninstall stopping ipa.service * Rationalize creation of RA and HTTPD NSS databases * Add a new user to run the framework code * Always use /etc/ipa/ca.crt as CA cert file * Simplify NSSDatabase password file handling * Separate RA cert store from the HTTP cert store * Configure HTTPD to work via Gss-Proxy * Use Anonymous user to obtain FAST armor ccache * Drop use of kinit_as_http from trust code * Generate 
tmpfiles config at install time * Change session handling * Use the tar Posix option for tarballs * Add compatibility code to retrieve headers * Configure Anonymous PKINIT on server install * Properly handle multiple cookies in rpc lib. * Properly handle multiple cookies in rpcclient * Support DAL version 5 and version 6 * Fix install scripts debugging * Fix error message encoding === Stanislav Laznicka (78) === * Remove pkinit from ipa-replica-prepare * Backup KDC certificate pair * Don't fail more if cert req/cert creation failed * Fix ipa-replica-prepare server-cert creation * Don't allow standalone KRA uninstalls * Add message about last KRA to WebUI Topology view * Add check to prevent removal of last KRA * Don't use weak ciphers for client HTTPS connections * We don't offer no quickies * Fix cookie with Max-Age processing * Fix CA-less upgrade * Fix replica with --setup-ca issues * Moving ipaCert from HTTPD_ALIAS_DIR * Added a PEMFileHandler for Custodia store * Refactor certmonger for OpenSSL certificates * Workaround for certmonger's "Subject" representations * Remove ipapython.nsslib as it is not used anymore * Remove NSSConnection from otptoken plugin * Remove pkcs12 handling functions from CertDB * Remove NSSConnection from Dogtag * Move publishing of CA cert to cainstance creation on master * Don't run kra.configure_instance if not necessary * Move RA agent certificate file export to a different location * Remove NSSConnection from the Python RPC module * Remove md5_fingerprints from IPA * Remove DM password files after successfull pkispawn run * Remove ra_db argument from CAInstance init * Fix ipa-server-upgrade * Use newer Certificate.serial_number in krainstance.py * Fix error in ca_cert_files validator * Don't prepend option names with additional '--' * Bump python-cryptography version in ipasetup.py.in * custodiainstance: don't use IPA-specific CertDB * Add password to certutil calls in NSSDatabase * Explicitly remove support of SSLv2/3 * Add 
FIPS-token password of HTTPD NSS database * Bump required python-cryptography version * Remove is_fips_enabled checks in installers and ipactl * Generate sha256 ssh pubkey fingerprints for hosts * Unify password generation across FreeIPA * Clarify meaning of --domain and --realm in installers * replicainstall: give correct error message on DL mismatch * Fix permission-find with sizelimit set * Generalize filter generation in LDAPSearch * permission-find: fix a sizelimit off-by-one bug * fix permission_find fail on low search size limit * Make get_entries() not ignore its limit arguments * Do not log DM password in ca/kra installation logs * Fix CA replica install on DL1 * Offer more general way to check domain level in replicainstall * Use same means of checking replication agreements on both DLs * replicainstall: move common checks to common_check() * Take advantage of the ca/kra code cleanup in replica installation * Use updated CA certs in replica installation * Use os.path.join instead of concatenation * Remove redundant CA cert file existance check * Use host keytab to connect to remote server on DL0 * Split install_http_certs() into two functions * First step of merging replica installation of both DLs * Properly bootstrap replica promotion api * Move the pki-tomcat restart to cainstance creation * Move httpd restart to DNS installation * Import just IPAChangeConf instead of the whole module * Added file permissions option to IPAChangeConf.newConf() * Fix to ipachangeconf docstrings * replicainstall: Unify default.conf file creation * Replaced EMPTY_LINE constant with a function call * client: Making the configure functions more readable * Moved update of DNA plugin among update plugins * Move ds.replica_populate to an update plugin * Remove redundant dsinstance restart * Fix missing file that fails DL1 replica installation * Make httpd publish its CA certificate on DL1 * Make installer quit more nicely on external CA installation * Fix 
test_util.test_assert_deepequal test * Pretty-print structures in assert_deepequal * Remove update_from_dict() method * Updated help/man information about hostname === Thierry Bordaz (1) === * IPA Allows Password Reuse with History value defined when admin resets the password. === Timo Aaltonen (8) === * ipaplatform/debian/paths: Add some missing values. * ipaplatform/debian/paths: Rename IPA_KEYTAB to OLD_IPA_KEYTAB. * ipaplatform/debian/paths: Add IPA_HTTPD_KDCPROXY. * ipaplatform/debian/services: Fix is_running arguments. * ipaplatform: Add Debian platform module. * client, platform: Use paths.SSH* instead of get_config_dir(). * Move ipa-otpd to $libexecdir/ipa * Purge obsolete firefox extension === Tomas Krizek (68) === * installer: update time estimates * server install: require IPv6 stack to be enabled * Add SHA256 fingerprints for certs * man: update ipa-cacert-manage * test_config: fix fips_mode key in Env * Env __setitem__: replace assert with exception * FIPS: perform replica installation check * replicainstall: add context manager for rpc client * check_remote_version: update exception and docstring * test_config: fix tests for env.fips_mode * Add fips_mode variable to env * Bump required version of bind-dyndb-ldap to 11.0-2 * bindinstance: fix named.conf parsing regexs * PEP8: fix line length for regexs in bindinstance * bump required version of BIND, bind-dyndb-ldap * named.conf template: update API for bind 9.11 * Remove obsolete serial_autoincrement from named.conf parsing * certdb: remove unused valid_months property * certdb: remove unused keysize property * Fix coverity issue * ipautil: check for open ports on all resolved IPs * replica-conncheck: improve message logging * replica-conncheck: improve error message during replicainstall * ipa-replica-conncheck: fix race condition * ipa-replica-conncheck: do not close listening ports until required * upgrade: ldap conn management * services: replace admin_conn with api.Backend.ldap2 * upgrade: do not 
explicitly set principal for services * Build: ignore rpmbuild for lint target * cainstance: use correct certificate for replica install check * dns: check if container exists using ldapi * ipaldap: remove do_bind from LDAPClient * gitignore: ignore tar ball * libexec scripts: ldap conn management * ldap2: modify arguments for create_connection * replicainstall: use ldap_uri in ReplicationManager * replicainstall: correct hostname in ReplicationManager * install tools: ldap conn management * ldap2: change default bind_dn * ipa-adtrust-install: ldap conn management * install: remove adhoc dis/connect from services * ldapupdate: use ldapi in LDAPUpdate * replicainstall: properly close adhoc connection in promote * install: ldap conn management * install: remove adhoc api.Backend.ldap2 (dis)connect * install: add restart_dirsrv for directory server restarts * upgradeinstance: ldap conn management * dsinstance: conn management * ldap2: change default time/size limit * cainstall: add dm_password to CA installation * replicainstall: set ldapi uri in replica promotion * dsinstance: enable ldapi and autobind in ds * install: remove dirman_pw from services * ipaldap: merge IPAdmin to LDAPClient * ipaldap: merge gssapi_bind to LDAPClient * ipaldap: merge external_bind into LDAPClient * ipaldap: merge simple_bind into LDAPClient * ipaldap: remove wait/timeout during binds * ipa: check if provided config file exists * ipa: allow relative paths for config file * Prompt for forwarder in dnsforwardzone-add * Update man/help for --server option * Update ipa-server-install man page for hostname * Add help info about certificate revocation reasons * Add log messages for IP checks during client install * Show error message for invalid IPs in client install * Keep NSS trust flags of existing certificates * Don't show error messages in bash completion === Thorsten Scherf (2) === * added ssl verification using IPA trust anchor * added help about default value for --external-ca-type 
option === shanyin (1) === * fix missing translation string -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 847 bytes Desc: OpenPGP digital signature URL: From freeipa-github-notification at redhat.com Wed Mar 15 18:48:53 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 15 Mar 2017 19:48:53 +0100 Subject: [Freeipa-devel] [freeipa PR#593][synchronized] WIP: Add make patchcheck for developers In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/593 Author: tiran Title: #593: WIP: Add make patchcheck for developers Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/593/head:pr593 git checkout pr593 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-593.patch Type: text/x-diff Size: 18677 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 15 18:49:15 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 15 Mar 2017 19:49:15 +0100 Subject: [Freeipa-devel] [freeipa PR#593][edited] WIP: Add make patchcheck for developers In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/593 Author: tiran Title: #593: WIP: Add make patchcheck for developers Action: edited Changed field: title Original value: """ WIP: Add make patchcheck for developers """ From freeipa-github-notification at redhat.com Thu Mar 16 06:06:01 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Thu, 16 Mar 2017 07:06:01 +0100 Subject: [Freeipa-devel] [freeipa PR#542][comment] Implementation independent interface for CSR generation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/542 Title: #542: Implementation independent interface for CSR generation HonzaCholasta commented: """ @MartinBasti, it is an internal, user invisible API. @LiptonB, it is OK to change it. """ See the full comment at https://github.com/freeipa/freeipa/pull/542#issuecomment-286966192 From freeipa-github-notification at redhat.com Thu Mar 16 06:45:24 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 16 Mar 2017 07:45:24 +0100 Subject: [Freeipa-devel] [freeipa PR#397][synchronized] Improve wheel building and provide ipaserver wheel for local testing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/397 Author: tiran Title: #397: Improve wheel building and provide ipaserver wheel for local testing Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/397/head:pr397 git checkout pr397 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-397.patch Type: text/x-diff Size: 17044 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 16 08:39:11 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 16 Mar 2017 09:39:11 +0100 Subject: [Freeipa-devel] [freeipa PR#605][+ack] Set development version to 4.5.90 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/605 Title: #605: Set development version to 4.5.90 Label: +ack From freeipa-github-notification at redhat.com Thu Mar 16 08:41:35 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 16 Mar 2017 09:41:35 +0100 Subject: [Freeipa-devel] [freeipa PR#604][+ack] [4.5] Set zanata version to ipa-4-5 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/604 Title: #604: [4.5] Set zanata version to ipa-4-5 Label: +ack From freeipa-github-notification at redhat.com Thu Mar 16 08:49:08 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 16 Mar 2017 09:49:08 +0100 Subject: [Freeipa-devel] [freeipa PR#517][comment] [WIP] Use Custodia 0.3 features In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/517 Title: #517: [WIP] Use Custodia 0.3 features tiran commented: """ This PR must be merged into 4.5 ASAP. Without the fix it is not possible to define proper SELinux policies for ipa-custodia and stand-alone custodia. """ See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-286993273 From freeipa-github-notification at redhat.com Thu Mar 16 08:58:11 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 16 Mar 2017 09:58:11 +0100 Subject: [Freeipa-devel] [freeipa PR#606][opened] [ipa-4-4] ipa-kdb: support KDB DAL version 6.1 Message-ID: URL: https://github.com/freeipa/freeipa/pull/606 Author: tomaskrizek Title: #606: [ipa-4-4] ipa-kdb: support KDB DAL version 6.1 Action: opened PR body: """ Rebased patch for ipa-4-4. It's already in F26/rawhide. Original PR: #410 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/606/head:pr606 git checkout pr606 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-606.patch Type: text/x-diff Size: 13199 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 16 09:02:33 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 16 Mar 2017 10:02:33 +0100 Subject: [Freeipa-devel] [freeipa PR#379][synchronized] Packaging: Add placeholder and IPA commands packages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/379 Author: tiran Title: #379: Packaging: Add placeholder and IPA commands packages Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/379/head:pr379 git checkout pr379 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-379.patch Type: text/x-diff Size: 12208 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 16 09:02:48 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 16 Mar 2017 10:02:48 +0100 Subject: [Freeipa-devel] [freeipa PR#379][edited] Packaging: Add IPA commands package In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/379 Author: tiran Title: #379: Packaging: Add IPA commands package Action: edited Changed field: title Original value: """ Packaging: Add placeholder and IPA commands packages """ From freeipa-github-notification at redhat.com Thu Mar 16 09:03:23 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 16 Mar 2017 10:03:23 +0100 Subject: [Freeipa-devel] [freeipa PR#379][-postponed] Packaging: Add IPA commands package In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/379 Title: #379: Packaging: Add IPA commands package Label: -postponed From freeipa-github-notification at redhat.com Thu Mar 16 09:34:58 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 16 Mar 2017 10:34:58 +0100 Subject: [Freeipa-devel] [freeipa PR#607][opened] Backup ipa-specific httpd unit-file Message-ID: URL: https://github.com/freeipa/freeipa/pull/607 Author: stlaz Title: #607: Backup ipa-specific httpd unit-file Action: opened PR body: """ On backup-restore, the ipa unit file for httpd was not backed up. This file however contains setting for httpd to communicate with gssproxy so not backing it up will result in httpd not knowing how to get credentials. https://pagure.io/freeipa/issue/6748 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/607/head:pr607 git checkout pr607 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-607.patch Type: text/x-diff Size: 1036 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 16 09:36:29 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Thu, 16 Mar 2017 10:36:29 +0100 Subject: [Freeipa-devel] [freeipa PR#605][+pushed] Set development version to 4.5.90 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/605 Title: #605: Set development version to 4.5.90 Label: +pushed From freeipa-github-notification at redhat.com Thu Mar 16 09:36:32 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Thu, 16 Mar 2017 10:36:32 +0100 Subject: [Freeipa-devel] [freeipa PR#605][comment] Set development version to 4.5.90 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/605 Title: #605: Set development version to 4.5.90 pvomacka commented: """ master: * 9ac62bec44b642838cbb175d94efd90acb417ecc Set development version to 4.5.90 """ See the full comment at https://github.com/freeipa/freeipa/pull/605#issuecomment-287004023 From freeipa-github-notification at redhat.com Thu Mar 16 09:36:35 2017 
From: freeipa-github-notification at redhat.com (pvomacka) Date: Thu, 16 Mar 2017 10:36:35 +0100 Subject: [Freeipa-devel] [freeipa PR#605][closed] Set development version to 4.5.90 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/605 Author: MartinBasti Title: #605: Set development version to 4.5.90 Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/605/head:pr605 git checkout pr605 From freeipa-github-notification at redhat.com Thu Mar 16 09:39:43 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Thu, 16 Mar 2017 10:39:43 +0100 Subject: [Freeipa-devel] [freeipa PR#604][+pushed] [4.5] Set zanata version to ipa-4-5 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/604 Title: #604: [4.5] Set zanata version to ipa-4-5 Label: +pushed From freeipa-github-notification at redhat.com Thu Mar 16 09:39:47 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Thu, 16 Mar 2017 10:39:47 +0100 Subject: [Freeipa-devel] [freeipa PR#604][comment] [4.5] Set zanata version to ipa-4-5 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/604 Title: #604: [4.5] Set zanata version to ipa-4-5 pvomacka commented: """ ipa-4-5: * a1f2754f18f93752f97d14168b74fb0f299d795d Set zanata version to ipa-4-5 """ See the full comment at https://github.com/freeipa/freeipa/pull/604#issuecomment-287004757 From freeipa-github-notification at redhat.com Thu Mar 16 09:39:49 2017 
From: freeipa-github-notification at redhat.com (pvomacka) Date: Thu, 16 Mar 2017 10:39:49 +0100 Subject: [Freeipa-devel] [freeipa PR#604][closed] [4.5] Set zanata version to ipa-4-5 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/604 Author: MartinBasti Title: #604: [4.5] Set zanata version to ipa-4-5 Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/604/head:pr604 git checkout pr604 From freeipa-github-notification at redhat.com Thu Mar 16 09:57:57 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 16 Mar 2017 10:57:57 +0100 Subject: [Freeipa-devel] [freeipa PR#607][comment] Backup ipa-specific httpd unit-file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/607 Title: #607: Backup ipa-specific httpd unit-file tiran commented: """ LGTM Did you check if there are more files missing after backup, uninstall, restore? You could use ```find /etc /usr /var >before_uninstall``` before uninstall and after restore, then compare the files with diff. """ See the full comment at https://github.com/freeipa/freeipa/pull/607#issuecomment-287009174 From freeipa-github-notification at redhat.com Thu Mar 16 11:01:20 2017 
From: freeipa-github-notification at redhat.com (simo5) Date: Thu, 16 Mar 2017 12:01:20 +0100 Subject: [Freeipa-devel] [freeipa PR#543][synchronized] Add options to allow ticket caching In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/543 Author: simo5 Title: #543: Add options to allow ticket caching Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/543/head:pr543 git checkout pr543 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-543.patch Type: text/x-diff Size: 1220 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 16 11:02:01 2017 From: freeipa-github-notification at redhat.com (simo5) Date: Thu, 16 Mar 2017 12:02:01 +0100 Subject: [Freeipa-devel] [freeipa PR#543][comment] Add options to allow ticket caching In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/543 Title: #543: Add options to allow ticket caching simo5 commented: """ @MartinBasti can we push this? It makes a big difference in framework performance and load on the KDC """ See the full comment at https://github.com/freeipa/freeipa/pull/543#issuecomment-287024418 From freeipa-github-notification at redhat.com Thu Mar 16 11:08:31 2017 
From: freeipa-github-notification at redhat.com (simo5) Date: Thu, 16 Mar 2017 12:08:31 +0100 Subject: [Freeipa-devel] [freeipa PR#543][synchronized] Add options to allow ticket caching In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/543 Author: simo5 Title: #543: Add options to allow ticket caching Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/543/head:pr543 git checkout pr543 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-543.patch Type: text/x-diff Size: 1220 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 16 11:24:44 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 16 Mar 2017 12:24:44 +0100 Subject: [Freeipa-devel] [freeipa PR#607][comment] Backup ipa-specific httpd unit-file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/607 Title: #607: Backup ipa-specific httpd unit-file stlaz commented: """ Thanks, @tiran, this is a good idea, I noticed also KDCProxy conf symlink was missing. """ See the full comment at https://github.com/freeipa/freeipa/pull/607#issuecomment-287029314 From freeipa-github-notification at redhat.com Thu Mar 16 11:26:45 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 16 Mar 2017 12:26:45 +0100 Subject: [Freeipa-devel] [freeipa PR#607][synchronized] Backup ipa-specific httpd unit-file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/607 Author: stlaz Title: #607: Backup ipa-specific httpd unit-file Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/607/head:pr607 git checkout pr607 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-607.patch Type: text/x-diff Size: 1456 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 16 11:27:25 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 16 Mar 2017 12:27:25 +0100 Subject: [Freeipa-devel] [freeipa PR#607][comment] Backup ipa-specific httpd unit-file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/607 Title: #607: Backup ipa-specific httpd unit-file tiran commented: """ The symlink is generated by a script when httpd is started. """ See the full comment at https://github.com/freeipa/freeipa/pull/607#issuecomment-287029814 From freeipa-github-notification at redhat.com Thu Mar 16 11:41:55 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 16 Mar 2017 12:41:55 +0100 Subject: [Freeipa-devel] [freeipa PR#607][synchronized] Backup ipa-specific httpd unit-file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/607 Author: stlaz Title: #607: Backup ipa-specific httpd unit-file Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/607/head:pr607 git checkout pr607 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-607.patch Type: text/x-diff Size: 1136 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 16 11:42:13 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 16 Mar 2017 12:42:13 +0100 Subject: [Freeipa-devel] [freeipa PR#607][comment] Backup ipa-specific httpd unit-file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/607 Title: #607: Backup ipa-specific httpd unit-file stlaz commented: """ Ah, right. """ See the full comment at https://github.com/freeipa/freeipa/pull/607#issuecomment-287032822 From freeipa-github-notification at redhat.com Thu Mar 16 12:10:09 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 16 Mar 2017 13:10:09 +0100 Subject: [Freeipa-devel] [freeipa PR#543][comment] Add options to allow ticket caching In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/543 Title: #543: Add options to allow ticket caching martbab commented: """ I think that we have all dependencies in spec already so I do not see a reason not to. """ See the full comment at https://github.com/freeipa/freeipa/pull/543#issuecomment-287038339 From freeipa-github-notification at redhat.com Thu Mar 16 12:10:21 2017 
From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 16 Mar 2017 13:10:21 +0100 Subject: [Freeipa-devel] [freeipa PR#543][+ack] Add options to allow ticket caching In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/543 Title: #543: Add options to allow ticket caching Label: +ack From freeipa-github-notification at redhat.com Thu Mar 16 12:11:11 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 16 Mar 2017 13:11:11 +0100 Subject: [Freeipa-devel] [freeipa PR#543][+pushed] Add options to allow ticket caching In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/543 Title: #543: Add options to allow ticket caching Label: +pushed From freeipa-github-notification at redhat.com Thu Mar 16 12:11:14 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 16 Mar 2017 13:11:14 +0100 Subject: [Freeipa-devel] [freeipa PR#543][comment] Add options to allow ticket caching In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/543 Title: #543: Add options to allow ticket caching martbab commented: """ master: * 4ee7e4ee6d6500d8b8935c9033388adc4cdbe672 Add options to allow ticket caching """ See the full comment at https://github.com/freeipa/freeipa/pull/543#issuecomment-287038542 From freeipa-github-notification at redhat.com Thu Mar 16 12:11:16 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 16 Mar 2017 13:11:16 +0100 Subject: [Freeipa-devel] [freeipa PR#543][closed] Add options to allow ticket caching In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/543 Author: simo5 Title: #543: Add options to allow ticket caching Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/543/head:pr543 git checkout pr543 From freeipa-github-notification at redhat.com Thu Mar 16 12:52:00 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Thu, 16 Mar 2017 13:52:00 +0100 Subject: [Freeipa-devel] [freeipa PR#608][opened] tasks: run `systemctl daemon-reload` after httpd.service.d updates Message-ID: URL: https://github.com/freeipa/freeipa/pull/608 Author: HonzaCholasta Title: #608: tasks: run `systemctl daemon-reload` after httpd.service.d updates Action: opened PR body: """ Run `systemctl daemon-reload` after `/etc/systemd/system/httpd.service.d/ipa.conf` is created or deleted, otherwise systemd will not merge the file into httpd.service and therefore required environment variables will not be set for httpd. This fixes authentication failures ("No valid Negotiate header in server response") due to missing GSS_USE_PROXY=yes in httpd environment. https://pagure.io/freeipa/issue/6773 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/608/head:pr608 git checkout pr608 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-608.patch Type: text/x-diff Size: 1796 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 16 12:52:50 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Thu, 16 Mar 2017 13:52:50 +0100 Subject: [Freeipa-devel] [freeipa PR#608][synchronized] tasks: run `systemctl daemon-reload` after httpd.service.d updates In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/608 Author: HonzaCholasta Title: #608: tasks: run `systemctl daemon-reload` after httpd.service.d updates Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/608/head:pr608 git checkout pr608 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-608.patch Type: text/x-diff Size: 1798 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 16 12:53:12 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Thu, 16 Mar 2017 13:53:12 +0100 Subject: [Freeipa-devel] [freeipa PR#608][edited] tasks: run `systemctl daemon-reload` after httpd.service.d updates In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/608 Author: HonzaCholasta Title: #608: tasks: run `systemctl daemon-reload` after httpd.service.d updates Action: edited Changed field: body Original value: """ Run `systemctl daemon-reload` after `/etc/systemd/system/httpd.service.d/ipa.conf` is created or deleted, otherwise systemd will not merge the file into httpd.service and therefore required environment variables will not be set for httpd. This fixes authentication failures ("No valid Negotiate header in server response") due to missing GSS_USE_PROXY=yes in httpd environment. https://pagure.io/freeipa/issue/6773 """ From freeipa-github-notification at redhat.com Thu Mar 16 14:04:33 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 16 Mar 2017 15:04:33 +0100 Subject: [Freeipa-devel] [freeipa PR#517][comment] [WIP] Use Custodia 0.3 features In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/517 Title: #517: [WIP] Use Custodia 0.3 features MartinBasti commented: """ I assume that this is not WIP anymore then """ See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-287066488 From freeipa-github-notification at redhat.com Thu Mar 16 15:22:19 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 16 Mar 2017 16:22:19 +0100 Subject: [Freeipa-devel] [freeipa PR#607][comment] Backup ipa-specific httpd unit-file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/607 Title: #607: Backup ipa-specific httpd unit-file stlaz commented: """ We need to perform `paths.SYSTEMCTL --system daemon-reload` here as well. """ See the full comment at https://github.com/freeipa/freeipa/pull/607#issuecomment-287091722 From freeipa-github-notification at redhat.com Thu Mar 16 15:30:49 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 16 Mar 2017 16:30:49 +0100 Subject: [Freeipa-devel] [freeipa PR#607][synchronized] Backup ipa-specific httpd unit-file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/607 Author: stlaz Title: #607: Backup ipa-specific httpd unit-file Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/607/head:pr607 git checkout pr607 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-607.patch Type: text/x-diff Size: 1638 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 16 15:40:56 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 16 Mar 2017 16:40:56 +0100 Subject: [Freeipa-devel] [freeipa PR#609][opened] [4.4] Fix cookie with Max-Age processing Message-ID: URL: https://github.com/freeipa/freeipa/pull/609 Author: stlaz Title: #609: [4.4] Fix cookie with Max-Age processing Action: opened PR body: """ When cookie has Max-Age set it tries to get expiration by adding to a timestamp. Without this patch the timestamp would be set to None and thus the addition of timestamp + max_age fails https://pagure.io/freeipa/issue/6718 Reviewed-By: Simo Sorce """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/609/head:pr609 git checkout pr609 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-609.patch Type: text/x-diff Size: 2965 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 16 15:41:05 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 16 Mar 2017 16:41:05 +0100 Subject: [Freeipa-devel] [freeipa PR#609][edited] [4.4] Fix cookie with Max-Age processing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/609 Author: stlaz Title: #609: [4.4] Fix cookie with Max-Age processing Action: edited Changed field: body Original value: """ When cookie has Max-Age set it tries to get expiration by adding to a timestamp. Without this patch the timestamp would be set to None and thus the addition of timestamp + max_age fails https://pagure.io/freeipa/issue/6718 Reviewed-By: Simo Sorce """ From freeipa-github-notification at redhat.com Thu Mar 16 15:41:25 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 16 Mar 2017 16:41:25 +0100 Subject: [Freeipa-devel] [freeipa PR#609][synchronized] [4.4] Fix cookie with Max-Age processing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/609 Author: stlaz Title: #609: [4.4] Fix cookie with Max-Age processing Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/609/head:pr609 git checkout pr609 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-609.patch Type: text/x-diff Size: 2920 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 16 15:48:51 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 16 Mar 2017 16:48:51 +0100 Subject: [Freeipa-devel] [freeipa PR#610][opened] [4.3] Fix cookie with Max-Age processing Message-ID: URL: https://github.com/freeipa/freeipa/pull/610 Author: stlaz Title: #610: [4.3] Fix cookie with Max-Age processing Action: opened PR body: """ When cookie has Max-Age set it tries to get expiration by adding to a timestamp. Without this patch the timestamp would be set to None and thus the addition of timestamp + max_age fails https://pagure.io/freeipa/issue/6718 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/610/head:pr610 git checkout pr610 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-610.patch Type: text/x-diff Size: 2920 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 16 21:23:01 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 16 Mar 2017 22:23:01 +0100 Subject: [Freeipa-devel] [freeipa PR#610][comment] [4.3] Fix cookie with Max-Age processing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/610 Title: #610: [4.3] Fix cookie with Max-Age processing MartinBasti commented: """ Please open a new ticket `Backport ...`. Ticket you used is closed in closed milestone """ See the full comment at https://github.com/freeipa/freeipa/pull/610#issuecomment-287195160 From freeipa-github-notification at redhat.com Fri Mar 17 07:13:02 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 17 Mar 2017 08:13:02 +0100 Subject: [Freeipa-devel] [freeipa PR#517][comment] [WIP] Use Custodia 0.3 features In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/517 Title: #517: [WIP] Use Custodia 0.3 features martbab commented: """ @tiran we first need a copr build on F25 to unblock Travis CI. Can you provide a copr repo and modify test runner config to add it during builddep phase? """ See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-287283578 From freeipa-github-notification at redhat.com Fri Mar 17 07:24:45 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 17 Mar 2017 08:24:45 +0100 Subject: [Freeipa-devel] [freeipa PR#606][comment] [ipa-4-4] ipa-kdb: support KDB DAL version 6.1 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/606 Title: #606: [ipa-4-4] ipa-kdb: support KDB DAL version 6.1 martbab commented: """ Since the original ticket is in already closed milestone open a separate one for backport to 4-4 branch please. """ See the full comment at https://github.com/freeipa/freeipa/pull/606#issuecomment-287285298 From freeipa-github-notification at redhat.com Fri Mar 17 07:38:50 2017 
From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 17 Mar 2017 08:38:50 +0100 Subject: [Freeipa-devel] [freeipa PR#475][comment] Add options to run only ipaclient unittests In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/475 Title: #475: Add options to run only ipaclient unittests martbab commented: """ I have one small question and am going to try out some integration tests to see if we did not break something in them as Travis won't catch that. """ See the full comment at https://github.com/freeipa/freeipa/pull/475#issuecomment-287287386 From freeipa-github-notification at redhat.com Fri Mar 17 07:58:19 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 17 Mar 2017 08:58:19 +0100 Subject: [Freeipa-devel] [freeipa PR#611][opened] Add debug log in case cookie retrieval went wrong Message-ID: URL: https://github.com/freeipa/freeipa/pull/611 Author: stlaz Title: #611: Add debug log in case cookie retrieval went wrong Action: opened PR body: """ When backporting the fix, @MartinBasti pointed out we could use a debug log. https://pagure.io/freeipa/issue/6774 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/611/head:pr611 git checkout pr611 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-611.patch Type: text/x-diff Size: 962 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 17 08:00:33 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 17 Mar 2017 09:00:33 +0100 Subject: [Freeipa-devel] [freeipa PR#610][synchronized] [4.3] Fix cookie with Max-Age processing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/610 Author: stlaz Title: #610: [4.3] Fix cookie with Max-Age processing Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/610/head:pr610 git checkout pr610 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-610.patch Type: text/x-diff Size: 3891 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 17 08:00:58 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 17 Mar 2017 09:00:58 +0100 Subject: [Freeipa-devel] [freeipa PR#610][comment] [4.3] Fix cookie with Max-Age processing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/610 Title: #610: [4.3] Fix cookie with Max-Age processing stlaz commented: """ The ticket's already there, I just recycled the old commit message and forgot to replace it. """ See the full comment at https://github.com/freeipa/freeipa/pull/610#issuecomment-287290891 From freeipa-github-notification at redhat.com Fri Mar 17 08:02:10 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 17 Mar 2017 09:02:10 +0100 Subject: [Freeipa-devel] [freeipa PR#609][synchronized] [4.4] Fix cookie with Max-Age processing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/609 Author: stlaz Title: #609: [4.4] Fix cookie with Max-Age processing Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/609/head:pr609 git checkout pr609 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-609.patch Type: text/x-diff Size: 3891 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 17 08:04:09 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 17 Mar 2017 09:04:09 +0100 Subject: [Freeipa-devel] [freeipa PR#612][opened] [4.5] Add debug log in case cookie retrieval went wrong Message-ID: URL: https://github.com/freeipa/freeipa/pull/612 Author: stlaz Title: #612: [4.5] Add debug log in case cookie retrieval went wrong Action: opened PR body: """ https://pagure.io/freeipa/issue/6774 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/612/head:pr612 git checkout pr612 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-612.patch Type: text/x-diff Size: 962 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 17 08:12:59 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 17 Mar 2017 09:12:59 +0100 Subject: [Freeipa-devel] [freeipa PR#517][comment] [WIP] Use Custodia 0.3 features In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/517 Title: #517: [WIP] Use Custodia 0.3 features MartinBasti commented: """ @martbab I will test it manually (when I receive f25/F26 rpms), if works then I will update master copr """ See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-287292769 From freeipa-github-notification at redhat.com Fri Mar 17 08:28:33 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 17 Mar 2017 09:28:33 +0100 Subject: [Freeipa-devel] [freeipa PR#517][comment] [WIP] Use Custodia 0.3 features In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/517 Title: #517: [WIP] Use Custodia 0.3 features martbab commented: """ @MartinBasti ok there should be no problems with that (built it on F25 VM but threw it away afterwards, oh well) """ See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-287295476 From freeipa-github-notification at redhat.com Fri Mar 17 09:04:38 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Fri, 17 Mar 2017 10:04:38 +0100 Subject: [Freeipa-devel] [freeipa PR#606][synchronized] [ipa-4-4] ipa-kdb: support KDB DAL version 6.1 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/606 Author: tomaskrizek Title: #606: [ipa-4-4] ipa-kdb: support KDB DAL version 6.1 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/606/head:pr606 git checkout pr606 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-606.patch Type: text/x-diff Size: 13191 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 17 09:05:32 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Fri, 17 Mar 2017 10:05:32 +0100 Subject: [Freeipa-devel] [freeipa PR#606][comment] [ipa-4-4] ipa-kdb: support KDB DAL version 6.1 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/606 Title: #606: [ipa-4-4] ipa-kdb: support KDB DAL version 6.1 tomaskrizek commented: """ Created the ticket and linked it in the commit message. """ See the full comment at https://github.com/freeipa/freeipa/pull/606#issuecomment-287302249 From freeipa-github-notification at redhat.com Fri Mar 17 09:42:54 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 17 Mar 2017 10:42:54 +0100 Subject: [Freeipa-devel] [freeipa PR#613][opened] Constrain wheel package versions Message-ID: URL: https://github.com/freeipa/freeipa/pull/613 Author: tiran Title: #613: Constrain wheel package versions Action: opened PR body: """ The presence of IPA packages on PyPI revealed an interesting issue with make wheel_bundle. pip gives final releases a higher precedence than our development packages. make wheel_bundle downloads ipa 4.5.0 from PyPI instead of using our own wheels. Use a constraint file to enforce correct versions. https://pagure.io/freeipa/issue/6468 Signed-off-by: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/613/head:pr613 git checkout pr613 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-613.patch Type: text/x-diff Size: 2725 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 17 09:43:35 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 17 Mar 2017 10:43:35 +0100 Subject: [Freeipa-devel] [freeipa PR#614][opened] Constrain wheel package versions Message-ID: URL: https://github.com/freeipa/freeipa/pull/614 Author: tiran Title: #614: Constrain wheel package versions Action: opened PR body: """ The presence of IPA packages on PyPI revealed an interesting issue with make wheel_bundle. pip gives final releases a higher precedence than our development packages. make wheel_bundle downloads ipa 4.5.0 from PyPI instead of using our own wheels. Use a constraint file to enforce correct versions. https://pagure.io/freeipa/issue/6468 
Signed-off-by: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/614/head:pr614 git checkout pr614 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-614.patch Type: text/x-diff Size: 2725 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 17 09:43:44 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 17 Mar 2017 10:43:44 +0100 Subject: [Freeipa-devel] [freeipa PR#608][+ack] tasks: run `systemctl daemon-reload` after httpd.service.d updates In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/608 Title: #608: tasks: run `systemctl daemon-reload` after httpd.service.d updates Label: +ack From freeipa-github-notification at redhat.com Fri Mar 17 09:43:49 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Fri, 17 Mar 2017 10:43:49 +0100 Subject: [Freeipa-devel] [freeipa PR#615][opened] httpinstance: clean up /etc/httpd/alias on uninstall Message-ID: URL: https://github.com/freeipa/freeipa/pull/615 Author: HonzaCholasta Title: #615: httpinstance: clean up /etc/httpd/alias on uninstall Action: opened PR body: """ **certs: do not implicitly create DS pin.txt** Do not implicitly create DS pin.txt in `CertDB.init_from_pkcs12()`, create it explicitly in `DSInstance.__enable_ssl()`. This stops the file from being created in /etc/httpd/alias during classic replica install. **httpinstance: clean up /etc/httpd/alias on uninstall** Restore cert8.db, key3.db, pwdfile.txt and secmod.db in /etc/httpd/alias from backup on uninstall. Files modified by IPA are kept with .ipasave suffix. https://pagure.io/freeipa/issue/4639 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/615/head:pr615 git checkout pr615 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-615.patch Type: text/x-diff Size: 4116 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 17 09:49:02 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 17 Mar 2017 10:49:02 +0100 Subject: [Freeipa-devel] [freeipa PR#616][opened] Simplify KRA transport cert cache Message-ID: URL: https://github.com/freeipa/freeipa/pull/616 Author: tiran Title: #616: Simplify KRA transport cert cache Action: opened PR body: """ In-memory cache causes problem in forking servers. A file based cache is good enough. It's easier to understand and avoids performance regression and synchronization issues when cert becomes out-of-date. 
Signed-off-by: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/616/head:pr616 git checkout pr616 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-616.patch Type: text/x-diff Size: 7075 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 17 09:49:17 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 17 Mar 2017 10:49:17 +0100 Subject: [Freeipa-devel] [freeipa PR#616][comment] Simplify KRA transport cert cache In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/616 Title: #616: Simplify KRA transport cert cache tiran commented: """ Needs to be merged into ipa-4.5 branch, too. """ See the full comment at https://github.com/freeipa/freeipa/pull/616#issuecomment-287311164 From freeipa-github-notification at redhat.com Fri Mar 17 09:53:18 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 17 Mar 2017 10:53:18 +0100 Subject: [Freeipa-devel] [freeipa PR#614][edited] [4.5] Constrain wheel package versions In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/614 Author: tiran Title: #614: [4.5] Constrain wheel package versions Action: edited Changed field: title Original value: """ Constrain wheel package versions """ From freeipa-github-notification at redhat.com Fri Mar 17 09:53:46 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Fri, 17 Mar 2017 10:53:46 +0100 Subject: [Freeipa-devel] [freeipa PR#616][comment] Simplify KRA transport cert cache In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/616 Title: #616: Simplify KRA transport cert cache HonzaCholasta commented: """ NACK on the completely unnecessary changes in `_TransportCertCache` interface, variable names and formatting. Otherwise LGTM. """ See the full comment at https://github.com/freeipa/freeipa/pull/616#issuecomment-287312193 From freeipa-github-notification at redhat.com Fri Mar 17 09:54:00 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 17 Mar 2017 10:54:00 +0100 Subject: [Freeipa-devel] [freeipa PR#616][comment] Simplify KRA transport cert cache In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/616 Title: #616: Simplify KRA transport cert cache MartinBasti commented: """ Please open backport ticket and put it into commit message """ See the full comment at https://github.com/freeipa/freeipa/pull/616#issuecomment-287312239 From freeipa-github-notification at redhat.com Fri Mar 17 09:54:31 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 17 Mar 2017 10:54:31 +0100 Subject: [Freeipa-devel] [freeipa PR#616][comment] Simplify KRA transport cert cache In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/616 Title: #616: Simplify KRA transport cert cache MartinBasti commented: """ Please open backport ticket and put it into commit message """ See the full comment at https://github.com/freeipa/freeipa/pull/616#issuecomment-287312239 From freeipa-github-notification at redhat.com Fri Mar 17 10:00:01 2017
From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 17 Mar 2017 11:00:01 +0100 Subject: [Freeipa-devel] [freeipa PR#517][comment] [WIP] Use Custodia 0.3 features In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/517 Title: #517: [WIP] Use Custodia 0.3 features tiran commented: """ I had some issues with build system yesterday. For some reason ```python2-python-etcd``` dependency was missing dependency on ```etcd```. I'm glad time heals all wounds (or some devs *g*). F25 https://koji.fedoraproject.org/koji/taskinfo?taskID=18429524 F26 https://koji.fedoraproject.org/koji/taskinfo?taskID=18429570 """ See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-287313565 From freeipa-github-notification at redhat.com Fri Mar 17 10:08:01 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 17 Mar 2017 11:08:01 +0100 Subject: [Freeipa-devel] [freeipa PR#616][comment] Simplify KRA transport cert cache In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/616 Title: #616: Simplify KRA transport cert cache tiran commented: """ @HonzaCholasta I don't agree with you. Mutable mapping is too complex for a simple cache. My approach is KISS. """ See the full comment at https://github.com/freeipa/freeipa/pull/616#issuecomment-287315292 From freeipa-github-notification at redhat.com Fri Mar 17 10:10:32 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 17 Mar 2017 11:10:32 +0100 Subject: [Freeipa-devel] [freeipa PR#616][synchronized] Simplify KRA transport cert cache In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/616 Author: tiran Title: #616: Simplify KRA transport cert cache Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/616/head:pr616 git checkout pr616 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-616.patch Type: text/x-diff Size: 6975 bytes Desc: not available URL: From mbabinsk at redhat.com Fri Mar 17 11:14:58 2017 From: mbabinsk at redhat.com (Martin Babinsky) Date: Fri, 17 Mar 2017 12:14:58 +0100 Subject: [Freeipa-devel] [TESTING] Please test and add karma to pki-core-10.4.0-1 Message-ID: <20170317111457.GB3770@dhcp129-180.brq.redhat.com> A new update for Dogtag PKI (pki-core-10.4.0-1.fc25) landed in Fedora 25 updates-testing yesterday.[1] I have already provided negative karma as the update broke CA clone deployment on FreeIPA replica install. It would be nice if you could test it and provide +1/-1 ASAP so that we can push it out before it hits stable and give Matthew a chance to provide fixes. I would also like to ask PKI developers to not hesitate to approach us to provide early feedback to the new updates and/or set up some sort of CI for them if possible. [1] https://bodhi.fedoraproject.org/updates/FEDORA-2017-9c6007b406 -- Martin Babinsky From freeipa-github-notification at redhat.com Fri Mar 17 11:18:14 2017
From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 17 Mar 2017 12:18:14 +0100 Subject: [Freeipa-devel] [freeipa PR#608][-ack] tasks: run `systemctl daemon-reload` after httpd.service.d updates In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/608 Title: #608: tasks: run `systemctl daemon-reload` after httpd.service.d updates Label: -ack From freeipa-github-notification at redhat.com Fri Mar 17 11:21:14 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 17 Mar 2017 12:21:14 +0100 Subject: [Freeipa-devel] [freeipa PR#608][comment] tasks: run `systemctl daemon-reload` after httpd.service.d updates In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/608 Title: #608: tasks: run `systemctl daemon-reload` after httpd.service.d updates martbab commented: """
Hmmm, I just caught the following error during FreeIPA replica uninstall:

```console
[root at replica1 ~]# ipa-server-install --uninstall -U
Updating DNS system records
--------------------------------------
Deleted IPA server "replica1.ipa.test"
--------------------------------------
Shutting down all IPA services
Unconfiguring ntpd
Configuring certmonger to stop tracking system certificates for KRA
Configuring certmonger to stop tracking system certificates for CA
Unconfiguring CA
Unconfiguring web server
ipa : ERROR Command '/bin/systemctl restart httpd.service' returned non-zero exit status 1
```

see the excerpt of the uninstall log here: https://paste.fedoraproject.org/paste/TcHWFTK-TwNhO0v6~BBMG15M1UNdIGYhyRLivL9gydE=/

It looks like we need another daemon-reload in the Apache uninstallation. Although I don't see any reason to add it, it looks like some restore operations make systemd unhappy.
""" See the full comment at https://github.com/freeipa/freeipa/pull/608#issuecomment-287329708 From freeipa-github-notification at redhat.com Fri Mar 17 12:24:44 2017
From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 17 Mar 2017 13:24:44 +0100 Subject: [Freeipa-devel] [freeipa PR#616][synchronized] Simplify KRA transport cert cache In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/616 Author: tiran Title: #616: Simplify KRA transport cert cache Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/616/head:pr616 git checkout pr616 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-616.patch Type: text/x-diff Size: 7108 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 17 13:17:07 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 17 Mar 2017 14:17:07 +0100 Subject: [Freeipa-devel] [freeipa PR#617][opened] Allow renaming of sudo rules Message-ID: URL: https://github.com/freeipa/freeipa/pull/617 Author: stlaz Title: #617: Allow renaming of sudo rules Action: opened PR body: """ This simple hack adds a rename option to client side sudorule-mod command. https://pagure.io/freeipa/issue/2466 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/617/head:pr617 git checkout pr617 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-617.patch Type: text/x-diff Size: 1731 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 17 13:19:00 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 17 Mar 2017 14:19:00 +0100 Subject: [Freeipa-devel] [freeipa PR#475][+ack] Add options to run only ipaclient unittests In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/475 Title: #475: Add options to run only ipaclient unittests Label: +ack From freeipa-github-notification at redhat.com Fri Mar 17 13:50:55 2017 
From: freeipa-github-notification at redhat.com (abbra) Date: Fri, 17 Mar 2017 14:50:55 +0100 Subject: [Freeipa-devel] [freeipa PR#617][comment] Allow renaming of sudo rules In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/617 Title: #617: Allow renaming of sudo rules abbra commented: """ I don't like that it is done on the client side. This will not work for Web UI, for example. Additionally, no validation of cn={newname} is here to be a single value RDN. If we add this as --setattr, we probably want to return a meaningful error, not a general --setattr error. """ See the full comment at https://github.com/freeipa/freeipa/pull/617#issuecomment-287358727 From freeipa-github-notification at redhat.com Fri Mar 17 14:04:41 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 17 Mar 2017 15:04:41 +0100 Subject: [Freeipa-devel] [freeipa PR#475][+pushed] Add options to run only ipaclient unittests In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/475 Title: #475: Add options to run only ipaclient unittests Label: +pushed From freeipa-github-notification at redhat.com Fri Mar 17 14:04:44 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 17 Mar 2017 15:04:44 +0100 Subject: [Freeipa-devel] [freeipa PR#475][comment] Add options to run only ipaclient unittests In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/475 Title: #475: Add options to run only ipaclient unittests martbab commented: """ master: * fd1b4f6ec9a349196d5df510008c4745f0b1fb84 Add options to run only ipaclient unittests ipa-4-5: * 29b885a8fac82e963f5ab98d178e81854056930e Add options to run only ipaclient unittests """ See the full comment at https://github.com/freeipa/freeipa/pull/475#issuecomment-287362273 From freeipa-github-notification at redhat.com Fri Mar 17 14:04:47 2017
From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 17 Mar 2017 15:04:47 +0100 Subject: [Freeipa-devel] [freeipa PR#475][closed] Add options to run only ipaclient unittests In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/475 Author: tiran Title: #475: Add options to run only ipaclient unittests Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/475/head:pr475 git checkout pr475 From freeipa-github-notification at redhat.com Fri Mar 17 14:22:35 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Fri, 17 Mar 2017 15:22:35 +0100 Subject: [Freeipa-devel] [freeipa PR#470][synchronized] WebUI: Size limit warning on details pages fixed In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/470 Author: pvomacka Title: #470: WebUI: Size limit warning on details pages fixed Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/470/head:pr470 git checkout pr470 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-470.patch Type: text/x-diff Size: 2767 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 17 14:40:47 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 17 Mar 2017 15:40:47 +0100 Subject: [Freeipa-devel] [freeipa PR#593][synchronized] Add make patchcheck for developers In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/593 Author: tiran Title: #593: Add make patchcheck for developers Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/593/head:pr593 git checkout pr593 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-593.patch Type: text/x-diff Size: 5909 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 17 14:41:21 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 17 Mar 2017 15:41:21 +0100 Subject: [Freeipa-devel] [freeipa PR#593][comment] Add make patchcheck for developers In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/593 Title: #593: Add make patchcheck for developers tiran commented: """ All dependencies have been merged. PR is ready for review. """ See the full comment at https://github.com/freeipa/freeipa/pull/593#issuecomment-287372325 From lslebodn at redhat.com Fri Mar 17 16:02:13 2017 
From: lslebodn at redhat.com (Lukas Slebodnik) Date: Fri, 17 Mar 2017 17:02:13 +0100 Subject: [Freeipa-devel] [TESTING] Please test and add karma to pki-core-10.4.0-1 In-Reply-To: <20170317111457.GB3770@dhcp129-180.brq.redhat.com> References: <20170317111457.GB3770@dhcp129-180.brq.redhat.com> Message-ID: <20170317160212.GA4265@10.4.128.1> On (17/03/17 12:14), Martin Babinsky wrote: >A new update for Dogtag PKI (pki-core-10.4.0-1.fc25) landed in Fedora 25 >updates-testing yesterday.[1] > It was also pushed to fedora26 https://bodhi.fedoraproject.org/updates/FEDORA-2017-9cc27242c1 >I have already provided negative karma as the update broke CA clone deployment >on FreeIPA replica install. > >It would be nice if you could test it and provide +1/-1 ASAP so that we can >push it out before it hits stable and give Matthew a chance to provide fixes. > The fastest will be if it will be unpushed by fedora maintainer Adding mharmsen to CC. LS From freeipa-github-notification at redhat.com Fri Mar 17 16:23:12 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 17 Mar 2017 17:23:12 +0100 Subject: [Freeipa-devel] [freeipa PR#613][synchronized] Constrain wheel package versions In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/613 Author: tiran Title: #613: Constrain wheel package versions Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/613/head:pr613 git checkout pr613 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-613.patch Type: text/x-diff Size: 2725 bytes Desc: not available URL: From mharmsen at redhat.com Fri Mar 17 16:34:17 2017
From: mharmsen at redhat.com (Matthew Harmsen) Date: Fri, 17 Mar 2017 10:34:17 -0600 Subject: [Freeipa-devel] [TESTING] Please test and add karma to pki-core-10.4.0-1 In-Reply-To: <20170317160212.GA4265@10.4.128.1> References: <20170317111457.GB3770@dhcp129-180.brq.redhat.com> <20170317160212.GA4265@10.4.128.1> Message-ID: On 03/17/2017 10:02 AM, Lukas Slebodnik wrote: > On (17/03/17 12:14), Martin Babinsky wrote: >> A new update for Dogtag PKI (pki-core-10.4.0-1.fc25) landed in Fedora 25 >> updates-testing yesterday.[1] >> > It was also pushed to fedora26 > https://bodhi.fedoraproject.org/updates/FEDORA-2017-9cc27242c1 > >> I have already provided negative karma as the update broke CA clone deployment >> on FreeIPA replica install. >> >> It would be nice if you could test it and provide +1/-1 ASAP so that we can >> push it out before it hits stable and give Matthew a chance to provide fixes. >> > The fastest will be if it will be unpushed by fedora maintainer > Adding mharmsen to CC. > > LS Lukas and Martin, After speaking with some members of the PKI team, I have unpushed both the F25 and F26 builds from Bodhi. The following unresolved issues on cloning were documented in: * dogtagpki Pagure Issue #2336 - IPA Replica CA configuration failed Clone does not have all the required certificates Was this the same cloning failure that you were seeing? If not, please file a detailed Pagure Issue describing the failure complete with log attachment. As for the vault issue, we may have an idea on this as the code in that area has been changing. Thanks, -- Matt -------------- next part -------------- An HTML attachment was scrubbed... URL: From freeipa-github-notification at redhat.com Fri Mar 17 16:34:22 2017
From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 17 Mar 2017 17:34:22 +0100 Subject: [Freeipa-devel] [freeipa PR#618][opened] [WIP] Tox testing support for client wheel packages Message-ID: URL: https://github.com/freeipa/freeipa/pull/618 Author: tiran Title: #618: [WIP] Tox testing support for client wheel packages Action: opened PR body: """ Depends on PR #613 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/618/head:pr618 git checkout pr618 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-618.patch Type: text/x-diff Size: 9499 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 17 17:22:48 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 17 Mar 2017 18:22:48 +0100 Subject: [Freeipa-devel] [freeipa PR#619][opened] pytest 3.x compatibility Message-ID: URL: https://github.com/freeipa/freeipa/pull/619 Author: tiran Title: #619: pytest 3.x compatibility Action: opened PR body: """ pytest 3.x no longer supports plain pytest.skip() on module level. Signed-off-by: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/619/head:pr619 git checkout pr619 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-619.patch Type: text/x-diff Size: 4478 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 17 17:24:49 2017
From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 17 Mar 2017 18:24:49 +0100 Subject: [Freeipa-devel] [freeipa PR#618][synchronized] [WIP] Tox testing support for client wheel packages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/618 Author: tiran Title: #618: [WIP] Tox testing support for client wheel packages Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/618/head:pr618 git checkout pr618 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-618.patch Type: text/x-diff Size: 13885 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 17 17:32:01 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 17 Mar 2017 18:32:01 +0100 Subject: [Freeipa-devel] [freeipa PR#618][synchronized] [WIP] Tox testing support for client wheel packages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/618 Author: tiran Title: #618: [WIP] Tox testing support for client wheel packages Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/618/head:pr618 git checkout pr618 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-618.patch Type: text/x-diff Size: 16541 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 17 18:32:44 2017 
From: freeipa-github-notification at redhat.com (felipevolpone) Date: Fri, 17 Mar 2017 19:32:44 +0100 Subject: [Freeipa-devel] [freeipa PR#620][opened] [WIP] Fixing 6549 Message-ID: URL: https://github.com/freeipa/freeipa/pull/620 Author: felipevolpone Title: #620: [WIP] Fixing 6549 Action: opened PR body: """
In order to fix https://pagure.io/freeipa/issue/6549.

First of all, I tried at `ipaserver/server/install/replicainstall.py:1393`:

```python
try:
    domain_level = current_domain_level(remote_api)
    if domain_level != 0:
        conn.connect(bind_dn=ipaldap.DIRMAN_DN,
                     bind_pw=config.dirman_password,
                     cacert=cafile)
    else:
        conn.connect(ccache=ccache)
```

However, the current_domain_level method was raising this exception:

```
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR ldap2 is not connected (ldap2_140240602559056 in MainThread)
```

So, I created a connection first, then I check the domain level. If the domain level is 0 the connection is already created properly. If the domain level is not 0, then it should create using the ccache (how it was before).

This PR fixes the error specified at the [bug #6549](https://pagure.io/freeipa/issue/6549), however it doesn't fix the entire ipa-replica-install process.

This is the output when running `sudo ipa-replica-install replica-info-vm-058-186.abc.idm.lab.eng.brq.redhat.com.gpg --skip-conncheck`

```
WARNING: conflicting time&date synchronization service 'chronyd' will be disabled in favor of ntpd
Directory Manager (existing master) password:
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/44]: creating directory server user
  [2/44]: creating directory server instance
  [3/44]: enabling ldapi
  [4/44]: configure autobind for root
  [5/44]: stopping directory server
  [6/44]: updating configuration in dse.ldif
  [7/44]: starting directory server
  [8/44]: adding default schema
  [9/44]: enabling memberof plugin
  [10/44]: enabling winsync plugin
  [11/44]: configuring replication version plugin
  [12/44]: enabling IPA enrollment plugin
  [13/44]: configuring uniqueness plugin
  [14/44]: configuring uuid plugin
  [15/44]: configuring modrdn plugin
  [16/44]: configuring DNS plugin
  [17/44]: enabling entryUSN plugin
  [18/44]: configuring lockout plugin
  [19/44]: configuring topology plugin
  [20/44]: creating indices
  [21/44]: enabling referential integrity plugin
  [22/44]: configuring TLS for DS instance
  [23/44]: configuring certmap.conf
  [24/44]: configure new location for managed entries
  [25/44]: configure dirsrv ccache
  [26/44]: enabling SASL mapping fallback
  [27/44]: restarting directory server
  [28/44]: creating DS keytab
  [29/44]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 6 seconds elapsed
Update succeeded
  [30/44]: adding sasl mappings to the directory
  [31/44]: updating schema
  [32/44]: setting Auto Member configuration
  [33/44]: enabling S4U2Proxy delegation
  [34/44]: importing CA certificates from LDAP
  [35/44]: initializing group membership
  [36/44]: adding master entry
  [37/44]: initializing domain level
  [38/44]: configuring Posix uid/gid generation
  [39/44]: adding replication acis
  [40/44]: enabling compatibility plugin
  [41/44]: activating sidgen plugin
  [42/44]: activating extdom plugin
  [43/44]: tuning directory server
  [44/44]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
  [1/4]: configuring KDC
  [2/4]: adding the password extension to the directory
  [3/4]: starting the KDC
  [4/4]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Restarting directory server to enable password extension plugin
Configuring the web interface (httpd)
  [1/22]: setting mod_nss port to 443
  [2/22]: setting mod_nss cipher suite
  [3/22]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [4/22]: setting mod_nss password file
  [5/22]: enabling mod_nss renegotiate
  [6/22]: adding URL rewriting rules
  [7/22]: configuring httpd
  [8/22]: setting up httpd keytab
  [9/22]: retrieving anonymous keytab
  [error] CalledProcessError: Command '/usr/sbin/ipa-getkeytab -k /var/lib/ipa/api/anon.keytab -p WELLKNOWN/ANONYMOUS -H ldapi://%2fvar%2frun%2fslapd-DOM-133-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM.socket -Y EXTERNAL' returned non-zero exit status 9
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR Command '/usr/sbin/ipa-getkeytab -k /var/lib/ipa/api/anon.keytab -p WELLKNOWN/ANONYMOUS -H ldapi://%2fvar%2frun%2fslapd-DOM-133-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM.socket -Y EXTERNAL' returned non-zero exit status 9
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
```
""" To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/620/head:pr620 git checkout pr620 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-620.patch Type: text/x-diff Size: 1195 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 17 20:05:22 2017
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 17 Mar 2017 21:05:22 +0100 Subject: [Freeipa-devel] [freeipa PR#619][comment] pytest 3.x compatibility In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/619 Title: #619: pytest 3.x compatibility MartinBasti commented: """
```
************* Module ipatests.util
ipatests/util.py:73: [E1123(unexpected-keyword-arg), check_ipaclient_unittests] Unexpected keyword argument 'allow_module_level' in constructor call)
```
""" See the full comment at https://github.com/freeipa/freeipa/pull/619#issuecomment-287457701 From freeipa-github-notification at redhat.com Fri Mar 17 20:27:53 2017 From: freeipa-github-notification at redhat.com (felipevolpone) Date: Fri, 17 Mar 2017 21:27:53 +0100 Subject: [Freeipa-devel] [freeipa PR#620][synchronized] [WIP] Fixing 6549 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/620 Author: felipevolpone Title: #620: [WIP] Fixing 6549 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/620/head:pr620 git checkout pr620 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-620.patch Type: text/x-diff Size: 2434 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 17 20:50:45 2017
From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 17 Mar 2017 21:50:45 +0100 Subject: [Freeipa-devel] [freeipa PR#619][synchronized] pytest 3.x compatibility In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/619 Author: tiran Title: #619: pytest 3.x compatibility Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/619/head:pr619 git checkout pr619 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-619.patch Type: text/x-diff Size: 4588 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Sat Mar 18 15:46:42 2017 From: freeipa-github-notification at redhat.com (redhatrises) Date: Sat, 18 Mar 2017 16:46:42 +0100 Subject: [Freeipa-devel] [freeipa PR#621][opened] Add --force-password-reset to user_mod in user.py Message-ID: URL: https://github.com/freeipa/freeipa/pull/621 Author: redhatrises Title: #621: Add --force-password-reset to user_mod in user.py Action: opened PR body: """ - Allows an admin to easily force a user to expire their password forcing them to change it. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/621/head:pr621 git checkout pr621 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-621.patch Type: text/x-diff Size: 5485 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Sat Mar 18 17:08:54 2017 
From: freeipa-github-notification at redhat.com (abbra) Date: Sat, 18 Mar 2017 18:08:54 +0100 Subject: [Freeipa-devel] [freeipa PR#621][comment] Add --force-password-reset to user_mod in user.py In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/621 Title: #621: Add --force-password-reset to user_mod in user.py abbra commented: """ I would prefer this to be an option in `ipa passwd`, e.g. `ipa passwd --force-reset` which instead of modifying a user password would modify krbPasswordExpiration value. """ See the full comment at https://github.com/freeipa/freeipa/pull/621#issuecomment-287559962 From freeipa-github-notification at redhat.com Mon Mar 20 06:20:50 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Mon, 20 Mar 2017 07:20:50 +0100 Subject: [Freeipa-devel] [freeipa PR#616][comment] Simplify KRA transport cert cache In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/616 Title: #616: Simplify KRA transport cert cache HonzaCholasta commented: """
@tiran,
* patches targeted at backport branches should be as small as possible,
* it's hard to see what is an actual change and what is just a formatting / naming change,
* the formatting changes do not add any value, the code is already PEP8 compliant,
* using a mapping interface is KISS too.

I don't think this needs to be discussed further, either do the requested changes or this PR won't be merged.
""" See the full comment at https://github.com/freeipa/freeipa/pull/616#issuecomment-287685144 From freeipa-github-notification at redhat.com Mon Mar 20 06:46:47 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Mon, 20 Mar 2017 07:46:47 +0100 Subject: [Freeipa-devel] [freeipa PR#622][opened] replica prepare: fix wrong IPA CA nickname in replica file Message-ID: URL: https://github.com/freeipa/freeipa/pull/622 Author: HonzaCholasta Title: #622: replica prepare: fix wrong IPA CA nickname in replica file Action: opened PR body: """ Lookup IPA CA subject and pass it to CertDB when creating dscert.p12 and httpcert.p12, otherwise a generic nickname will be used for the IPA CA certificate instead of "$REALM IPA CA". This fixes replica install on domain level 0 from a replica file created using ipa-replica-install on IPA 4.5. https://pagure.io/freeipa/issue/6777 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/622/head:pr622 git checkout pr622 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-622.patch Type: text/x-diff Size: 2037 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Mar 20 06:57:51 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Mon, 20 Mar 2017 07:57:51 +0100 Subject: [Freeipa-devel] [freeipa PR#623][opened] client install: do not assume /etc/krb5.conf.d exists Message-ID: URL: https://github.com/freeipa/freeipa/pull/623 Author: HonzaCholasta Title: #623: client install: do not assume /etc/krb5.conf.d exists Action: opened PR body: """ Add `includedir /etc/krb5.conf.d` to /etc/krb5.conf only if /etc/krb5.conf.d exists. This fixes client install on platforms which do not have /etc/krb5.conf.d. https://pagure.io/freeipa/issue/6589 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/623/head:pr623 git checkout pr623 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-623.patch Type: text/x-diff Size: 1361 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Mar 20 07:49:28 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 20 Mar 2017 08:49:28 +0100 Subject: [Freeipa-devel] [freeipa PR#624][opened] Use connection keep-alive Message-ID: URL: https://github.com/freeipa/freeipa/pull/624 Author: tiran Title: #624: Use connection keep-alive Action: opened PR body: """ Do not forcefully close the connection after every request. This enables HTTP connection keep-alive, also known as persistent TCP and TLS/SSL connection. Keep-alive speeds up consecutive HTTP requests by 15% (for local, low-latency network connections to a fast server) to multiple times (high latency connections or remote peers). Apache has a default keep alive timeout of 5 seconds. That's too low for interactive commands, e.g. password prompts. 30 seconds sounds like a good compromise. https://pagure.io/freeipa/issue/6641 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/624/head:pr624 git checkout pr624 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-624.patch Type: text/x-diff Size: 4810 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Mar 20 07:58:07 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 20 Mar 2017 08:58:07 +0100 Subject: [Freeipa-devel] [freeipa PR#623][comment] client install: do not assume /etc/krb5.conf.d exists In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/623 Title: #623: client install: do not assume /etc/krb5.conf.d exists tiran commented: """ I'd rather create ```/etc/krb5.conf.d``` than to make the line conditional. """ See the full comment at https://github.com/freeipa/freeipa/pull/623#issuecomment-287695038 From freeipa-github-notification at redhat.com Mon Mar 20 08:05:14 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Mon, 20 Mar 2017 09:05:14 +0100 Subject: [Freeipa-devel] [freeipa PR#623][comment] client install: do not assume /etc/krb5.conf.d exists In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/623 Title: #623: client install: do not assume /etc/krb5.conf.d exists HonzaCholasta commented: """ There is no reason to, the directory is not owned by us and we don't use it for anything anyway (see ticket triage for relevant discussion). """ See the full comment at https://github.com/freeipa/freeipa/pull/623#issuecomment-287695915 From freeipa-github-notification at redhat.com Mon Mar 20 08:25:16 2017 From: freeipa-github-notification at redhat.com (puiterwijk) Date: Mon, 20 Mar 2017 09:25:16 +0100 Subject: [Freeipa-devel] [freeipa PR#623][comment] client install: do not assume /etc/krb5.conf.d exists In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/623 Title: #623: client install: do not assume /etc/krb5.conf.d exists puiterwijk commented: """ Would you be upgrading the krb5.conf after people upgrade krb5-libs to include the new includedir then? Since that's what would happen if you don't change the krb5.conf and people update to a krb5-libs that has the includedir. I've had to help a lot of people that ended up with configuration files lacking krb5.conf.d due to ipa-client setups (and other company configs, but at least that's limited to people working at companies giving broken krb5 configs). """ See the full comment at https://github.com/freeipa/freeipa/pull/623#issuecomment-287698660 From freeipa-github-notification at redhat.com Mon Mar 20 08:32:25 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Mon, 20 Mar 2017 09:32:25 +0100 Subject: [Freeipa-devel] [freeipa PR#623][comment] client install: do not assume /etc/krb5.conf.d exists In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/623 Title: #623: client install: do not assume /etc/krb5.conf.d exists HonzaCholasta commented: """ @puiterwijk, upgrade will be handled by krb5 itself, see https://bugzilla.redhat.com/show_bug.cgi?id=1431198. """ See the full comment at https://github.com/freeipa/freeipa/pull/623#issuecomment-287699765 From freeipa-github-notification at redhat.com Mon Mar 20 09:27:53 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 20 Mar 2017 10:27:53 +0100 Subject: [Freeipa-devel] [freeipa PR#616][comment] Simplify KRA transport cert cache In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/616 Title: #616: Simplify KRA transport cert cache tiran commented: """ Size of a patch is a wrong metric. It's about code complexity. My patch reduces code complexity and logic complexity. It also fixes at least two bugs: multi-process concurrency bug and logging bug that prevents the code from working correctly. """ See the full comment at https://github.com/freeipa/freeipa/pull/616#issuecomment-287709913 From freeipa-github-notification at redhat.com Mon Mar 20 09:36:45 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 20 Mar 2017 10:36:45 +0100 Subject: [Freeipa-devel] [freeipa PR#620][comment] [WIP] Fixing 6549 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/620 Title: #620: [WIP] Fixing 6549 MartinBasti commented: """ Please merge commits into one and please use full description in commit message instead of ticket number. """ See the full comment at https://github.com/freeipa/freeipa/pull/620#issuecomment-287711630 From freeipa-github-notification at redhat.com Mon Mar 20 10:47:56 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Mon, 20 Mar 2017 11:47:56 +0100 Subject: [Freeipa-devel] [freeipa PR#266][closed] ipapython: simplify Env object initialization In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/266 Author: HonzaCholasta Title: #266: ipapython: simplify Env object initialization Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/266/head:pr266 git checkout pr266 From freeipa-github-notification at redhat.com Mon Mar 20 10:49:17 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Mon, 20 Mar 2017 11:49:17 +0100 Subject: [Freeipa-devel] [freeipa PR#625][opened] [RFC] remote plugins: add option to force compat plugins Message-ID: URL: https://github.com/freeipa/freeipa/pull/625 Author: HonzaCholasta Title: #625: [RFC] remote plugins: add option to force compat plugins Action: opened PR body: """ Add a new `force_client_compat` env flag to force client API not to do any RPC calls to initialize remote plugins in `.finalize()` and use the newest compat plugins instead. Setting the flag serves as a workaround for `api.finalize()` requiring valid Kerberos credentials. https://pagure.io/freeipa/issue/6408 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/625/head:pr625 git checkout pr625 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-625.patch Type: text/x-diff Size: 4177 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Mar 20 11:00:34 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 20 Mar 2017 12:00:34 +0100 Subject: [Freeipa-devel] [freeipa PR#626][opened] Move helper code for integration plugin Message-ID: URL: https://github.com/freeipa/freeipa/pull/626 Author: tiran Title: #626: Move helper code for integration plugin Action: opened PR body: """ Helper code for ```ipatests.pytest_plugins.integration``` was in ```ipatests.test_integration```. This doesn't play nice with pytest's auto-discovery of test cases. Certain aspects of pytest are not available right away. For example ```pytest.config``` is generated after configuration stage but before discovery stage. Now all helper code is next to the plugin in ```ipatests.pytest_plugins.integration``` (which is now a package). """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/626/head:pr626 git checkout pr626 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-626.patch Type: text/x-diff Size: 184815 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Mar 20 11:10:04 2017 
From: freeipa-github-notification at redhat.com (pvoborni) Date: Mon, 20 Mar 2017 12:10:04 +0100 Subject: [Freeipa-devel] [freeipa PR#626][comment] Move helper code for integration plugin In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/626 Title: #626: Move helper code for integration plugin pvoborni commented: """ From the PR description it is not clear what problem it solves or if it solves a problem. "doesn't play nice " is vague. " Certain aspects of pytest are not available right away. For example pytest.config is generated after configuration stage but before discovery stage." Is a description of reality, not a problem. In other words. Why is this needed? And I'm not implying it is not needed, just the PR comment doesn't explain it. """ See the full comment at https://github.com/freeipa/freeipa/pull/626#issuecomment-287730758 From freeipa-github-notification at redhat.com Mon Mar 20 11:12:02 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 20 Mar 2017 12:12:02 +0100 Subject: [Freeipa-devel] [freeipa PR#266][+rejected] ipapython: simplify Env object initialization In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/266 Title: #266: ipapython: simplify Env object initialization Label: +rejected From freeipa-github-notification at redhat.com Mon Mar 20 11:24:52 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 20 Mar 2017 12:24:52 +0100 Subject: [Freeipa-devel] [freeipa PR#626][edited] Move helper code for integration plugin In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/626 Author: tiran Title: #626: Move helper code for integration plugin Action: edited Changed field: body Original value: """ Helper code for ```ipatests.pytest_plugins.integration``` was in ```ipatests.test_integration```. This doesn't play nice with pytest's auto-discovery of test cases. Certain aspects of pytest are not available right away. For example ```pytest.config``` is generated after configuration stage but before discovery stage. Now all helper code is next to the plugin in ```ipatests.pytest_plugins.integration``` (which is now a package). """ From freeipa-github-notification at redhat.com Mon Mar 20 11:27:17 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 20 Mar 2017 12:27:17 +0100 Subject: [Freeipa-devel] [freeipa PR#627][opened] Add CI helper script invocation to Travis CI Message-ID: URL: https://github.com/freeipa/freeipa/pull/627 Author: martbab Title: #627: Add CI helper script invocation to Travis CI Action: opened PR body: """ This tests whether changes in ipatests do not break any of the helper scripts used for integration testing. The PR is rebased on https://github.com/freeipa/freeipa/pull/626 so it should produce green build with @cheimes's fixes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/627/head:pr627 git checkout pr627 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-627.patch Type: text/x-diff Size: 185671 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Mar 20 11:33:27 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Mon, 20 Mar 2017 12:33:27 +0100 Subject: [Freeipa-devel] [freeipa PR#624][comment] Use connection keep-alive In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/624 Title: #624: Use connection keep-alive tomaskrizek commented: """ I examined this in wireshark. Without this patch, `ipa vault-add` would establish 7 TCP connections to apache, while it establishes only 3 with this patch. I wasn't able to track down where the 2 rogue connections are opened and why. The situation is similar for other commands. The question is whether this improvement is good enough or whether we want to optimize the RPC to actually use just a single connection. Also, please follow the development process next time and assign yourself to the ticket when you start working on it, so others don't have to invest time into solving the same issue. """ See the full comment at https://github.com/freeipa/freeipa/pull/624#issuecomment-287735158 From freeipa-github-notification at redhat.com Mon Mar 20 11:34:20 2017 
From: freeipa-github-notification at redhat.com (pvomacka) Date: Mon, 20 Mar 2017 12:34:20 +0100 Subject: [Freeipa-devel] [freeipa PR#628][opened] WebUI: Remove offline version of WebUI Message-ID: URL: https://github.com/freeipa/freeipa/pull/628 Author: pvomacka Title: #628: WebUI: Remove offline version of WebUI Action: opened PR body: """ Remove all json files which were used for testing WebUI offline and are no more useful. Also removes all lines in other files/scripts which refer to the offline version of WebUI. https://pagure.io/freeipa/issue/6447 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/628/head:pr628 git checkout pr628 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-628.patch Type: text/x-diff Size: 2651715 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Mar 20 11:35:39 2017 
From: freeipa-github-notification at redhat.com (abbra) Date: Mon, 20 Mar 2017 12:35:39 +0100 Subject: [Freeipa-devel] [freeipa PR#629][opened] adtrust: make sure that runtime hostname result is consistent with the configuration Message-ID: URL: https://github.com/freeipa/freeipa/pull/629 Author: abbra Title: #629: adtrust: make sure that runtime hostname result is consistent with the configuration Action: opened PR body: """ FreeIPA's `ipasam` module to Samba uses gethostname() call to identify own server's host name. This value is then used in multiple places, including construction of cifs/host.name principal. `ipasam` module always uses GSSAPI authentication when talking to LDAP, so Kerberos keys must be available in the /etc/samba/samba.keytab. However, if the principal was created using non-FQDN name but system reports FQDN name, `ipasam` will fail to acquire Kerberos credentials. Same with FQDN principal and non-FQDN hostname. Also host name and principal name must have the same case. Report an error when configuring ADTrust instance with inconsistent runtime hostname and configuration. This prevents errors like this: [20/21]: starting CIFS services ipa : CRITICAL CIFS services failed to start where samba logs have this: [2017/03/20 06:34:27.385307, 0] ipa_sam.c:4193(bind_callback_cleanup) kerberos error: code=-1765328203, message=Keytab contains no suitable keys for cifs/ipatrust at EXAMPLE.COM [2017/03/20 06:34:27.385476, 1] ../source3/lib/smbldap.c:1206(get_cached_ldap_connect) Connection to LDAP server failed for the 16 try! Fixes https://pagure.io/freeipa/issue/6786 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/629/head:pr629 git checkout pr629 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-629.patch Type: text/x-diff Size: 3071 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Mar 20 11:59:06 2017 
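The consistency check described in the PR #629 body above can be sketched as follows. This is an added example, not code from the FreeIPA patch: the function names, the verdict strings and the sample keytab entries are assumptions made for illustration, and the principal list is assumed to come from a keytab listing such as `klist -k` output.

```python
import socket


def classify_cifs_principal(runtime_host, realm, keytab_principals):
    """Explain whether cifs/<runtime_host>@<realm> can be found in a keytab.

    Returns "ok", "case-mismatch", "short-vs-fqdn" or "missing".
    The verdict names are hypothetical, chosen for this example.
    """
    wanted = "cifs/{}@{}".format(runtime_host, realm)
    if wanted in keytab_principals:
        return "ok"

    verdict = "missing"
    runtime_short = runtime_host.split(".", 1)[0].lower()
    for principal in keytab_principals:
        name, _, princ_realm = principal.rpartition("@")
        service, _, host = name.partition("/")
        if service != "cifs" or princ_realm != realm:
            continue
        # Same name, different case: Kerberos principal names are
        # case-sensitive, so the key lookup still fails.
        if host.lower() == runtime_host.lower():
            return "case-mismatch"
        # One side is a short name, the other an FQDN of the same host.
        keytab_short = host.split(".", 1)[0].lower()
        if keytab_short == runtime_short and ("." in host) != ("." in runtime_host):
            verdict = "short-vs-fqdn"
    return verdict


def check_local_host(realm, keytab_principals):
    """Run the check against what gethostname() reports on this machine."""
    return classify_cifs_principal(socket.gethostname(), realm, keytab_principals)


# Constructed sample: principals as they might appear in a samba keytab.
SAMPLE_KEYTAB = [
    "host/ipatrust.example.com@EXAMPLE.COM",
    "cifs/ipatrust.example.com@EXAMPLE.COM",
]

if __name__ == "__main__":
    for host in ("ipatrust.example.com", "ipatrust", "IPATrust.example.com"):
        print(host, "->", classify_cifs_principal(host, "EXAMPLE.COM", SAMPLE_KEYTAB))
```

Any verdict other than "ok" corresponds to the "Keytab contains no suitable keys" failure quoted in the PR body.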
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Mon, 20 Mar 2017 12:59:06 +0100 Subject: [Freeipa-devel] [freeipa PR#616][comment] Simplify KRA transport cert cache In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/616 Title: #616: Simplify KRA transport cert cache HonzaCholasta commented: """ @tiran, you are right about the interface change, I was seeing things that are not there, I'm sorry. Please address inline comments (mainly the one about missing info in commit message, others are mostly nitpicks) and it's an ACK. """ See the full comment at https://github.com/freeipa/freeipa/pull/616#issuecomment-287739826 From freeipa-github-notification at redhat.com Mon Mar 20 12:00:13 2017 From: freeipa-github-notification at redhat.com (dkupka) Date: Mon, 20 Mar 2017 13:00:13 +0100 Subject: [Freeipa-devel] [freeipa PR#630][opened] ipapython.ipautil.nolog_replace: Do not replace empty value Message-ID: URL: https://github.com/freeipa/freeipa/pull/630 Author: dkupka Title: #630: ipapython.ipautil.nolog_replace: Do not replace empty value Action: opened PR body: """ When provided empty value in nolog parameter nolog_replace added 'XXXXXXXX' three (once for plain value, once for http quoted value and last time for shell quoted value) times before every character (including terminating '\0') in the string. https://pagure.io/freeipa/issue/6738 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/630/head:pr630 git checkout pr630 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-630.patch Type: text/x-diff Size: 1130 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Mar 20 12:18:36 2017 
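The failure mode described in the PR #630 body above comes from how string replacement treats an empty pattern: it matches before every character and at the end of the string. The following is an added example, not FreeIPA's nolog_replace: the function names and sample strings are constructed, and only the plain and URL-quoted forms are covered (the shell-quoted form the PR mentions is left out). The hardened variant also goes one step beyond the PR by masking longer secrets first.

```python
from urllib.parse import quote

MASK = "XXXXXXXX"  # the mask string named in the PR description


def _forms(secret):
    """Forms a secret may take in a logged command line or URL.

    Simplified for this example: plain and URL-quoted only.
    """
    return (secret, quote(secret))


def redact_naive(text, nolog):
    """Substitute every nolog value as given, including the empty string."""
    for secret in nolog:
        for form in _forms(secret):
            text = text.replace(form, MASK)
    return text


def redact(text, nolog):
    """Hardened variant: ignore non-string and empty values.

    Secrets are processed longest first so that a short secret which is a
    prefix of a longer one cannot leave the tail of the longer one visible.
    """
    secrets = sorted(
        {s for s in nolog if isinstance(s, str) and s},
        key=len,
        reverse=True,
    )
    for secret in secrets:
        for form in _forms(secret):
            text = text.replace(form, MASK)
    return text


# Constructed log line; "example-tool" and its option are hypothetical.
SAMPLE_LINE = "example-tool --password s3cr3t https://ipa.example.test/?pw=p%40ss%20w"

if __name__ == "__main__":
    # An empty value turns the whole line into mask noise.
    print(len(SAMPLE_LINE), len(redact_naive(SAMPLE_LINE, [""])))
    # The hardened variant skips it and still masks the real secrets.
    print(redact(SAMPLE_LINE, ["", "s3cr3t", "p@ss w"]))
```

An empty nolog value typically appears when an optional password parameter was never set, which is why the guard belongs in the redaction helper rather than in each caller.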
From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 20 Mar 2017 13:18:36 +0100 Subject: [Freeipa-devel] [freeipa PR#626][synchronized] Move helper code for integration plugin In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/626 Author: tiran Title: #626: Move helper code for integration plugin Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/626/head:pr626 git checkout pr626 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-626.patch Type: text/x-diff Size: 185496 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Mar 20 12:24:25 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Mon, 20 Mar 2017 13:24:25 +0100 Subject: [Freeipa-devel] [freeipa PR#628][synchronized] WebUI: Remove offline version of WebUI In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/628 Author: pvomacka Title: #628: WebUI: Remove offline version of WebUI Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/628/head:pr628 git checkout pr628 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-628.patch Type: text/x-diff Size: 2652738 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Mar 20 12:32:31 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Mon, 20 Mar 2017 13:32:31 +0100 Subject: [Freeipa-devel] [freeipa PR#625][comment] [RFC] remote plugins: add option to force compat plugins In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/625 Title: #625: [RFC] remote plugins: add option to force compat plugins HonzaCholasta commented: """ @tiran, please review this, I'm not sure whether this kind of workaround is good enough or not. """ See the full comment at https://github.com/freeipa/freeipa/pull/625#issuecomment-287746048 From freeipa-github-notification at redhat.com Mon Mar 20 12:39:10 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Mon, 20 Mar 2017 13:39:10 +0100 Subject: [Freeipa-devel] [freeipa PR#608][comment] tasks: run `systemctl daemon-reload` after httpd.service.d updates In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/608 Title: #608: tasks: run `systemctl daemon-reload` after httpd.service.d updates HonzaCholasta commented: """ @martbab, can I see httpd error_log? Uninstall works fine for me. """ See the full comment at https://github.com/freeipa/freeipa/pull/608#issuecomment-287747397 From freeipa-github-notification at redhat.com Mon Mar 20 12:39:40 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Mon, 20 Mar 2017 13:39:40 +0100 Subject: [Freeipa-devel] [freeipa PR#608][comment] tasks: run `systemctl daemon-reload` after httpd.service.d updates In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/608 Title: #608: tasks: run `systemctl daemon-reload` after httpd.service.d updates HonzaCholasta commented: """ @martbab, and httpd journal as well. """ See the full comment at https://github.com/freeipa/freeipa/pull/608#issuecomment-287747491 From freeipa-github-notification at redhat.com Mon Mar 20 12:57:15 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 20 Mar 2017 13:57:15 +0100 Subject: [Freeipa-devel] [freeipa PR#616][edited] Simplify KRA transport cert cache In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/616 Author: tiran Title: #616: Simplify KRA transport cert cache Action: edited Changed field: body Original value: """ In-memory cache causes problem in forking servers. A file based cache is good enough. It's easier to understand and avoids performance regression and synchronization issues when cert becomes out-of-date. Signed-off-by: Christian Heimes """ From freeipa-github-notification at redhat.com Mon Mar 20 13:41:19 2017 From: freeipa-github-notification at redhat.com (redhatrises) Date: Mon, 20 Mar 2017 14:41:19 +0100 Subject: [Freeipa-devel] [freeipa PR#621][comment] Add --force-password-reset to user_mod in user.py In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/621 Title: #621: Add --force-password-reset to user_mod in user.py redhatrises commented: """ @abbra why not have it in both `ipa user-mod` and `ipa passwd`? """ See the full comment at https://github.com/freeipa/freeipa/pull/621#issuecomment-287761849 From freeipa-github-notification at redhat.com Mon Mar 20 14:19:43 2017 From: freeipa-github-notification at redhat.com (abbra) Date: Mon, 20 Mar 2017 15:19:43 +0100 Subject: [Freeipa-devel] [freeipa PR#621][comment] Add --force-password-reset to user_mod in user.py In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/621 Title: #621: Add --force-password-reset to user_mod in user.py abbra commented: """ Hm. `ipa user-mod` has --random and also supports specifying --password, so yes, both interfaces should be provided. """ See the full comment at https://github.com/freeipa/freeipa/pull/621#issuecomment-287772855 From freeipa-github-notification at redhat.com Mon Mar 20 14:30:04 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Mon, 20 Mar 2017 15:30:04 +0100 Subject: [Freeipa-devel] [freeipa PR#621][comment] Add --force-password-reset to user_mod in user.py In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/621 Title: #621: Add --force-password-reset to user_mod in user.py HonzaCholasta commented: """ I don't agree. There should be one and only one obvious way to do it. There is no real benefit in having this in multiple different places, it just adds unnecessary complexity. Let's not repeat mistakes of the past and put this solely into `passwd`. """ See the full comment at https://github.com/freeipa/freeipa/pull/621#issuecomment-287776107 From freeipa-github-notification at redhat.com Mon Mar 20 14:31:24 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Mon, 20 Mar 2017 15:31:24 +0100 Subject: [Freeipa-devel] [freeipa PR#621][comment] Add --force-password-reset to user_mod in user.py In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/621 Title: #621: Add --force-password-reset to user_mod in user.py HonzaCholasta commented: """ I don't agree. There should be one and only one obvious way to do it. There is no real benefit in having this in multiple different places, it just adds unnecessary complexity. Let's not repeat mistakes of the past and put this solely into `passwd`. """ See the full comment at https://github.com/freeipa/freeipa/pull/621#issuecomment-287776107 From freeipa-github-notification at redhat.com Mon Mar 20 14:42:40 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 20 Mar 2017 15:42:40 +0100 Subject: [Freeipa-devel] [freeipa PR#517][synchronized] [WIP] Use Custodia 0.3 features In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/517 Author: tiran Title: #517: [WIP] Use Custodia 0.3 features Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/517/head:pr517 git checkout pr517 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-517.patch Type: text/x-diff Size: 7594 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Mar 20 14:42:56 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 20 Mar 2017 15:42:56 +0100 Subject: [Freeipa-devel] [freeipa PR#517][edited] [WIP] Use Custodia 0.3 features In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/517 Author: tiran Title: #517: [WIP] Use Custodia 0.3 features Action: edited Changed field: body Original value: """ * Use sd-notify in ipa-custodia.service * Introduce libexec/ipa/ipa-custodia script. It comes with correct default setting for IPA's config file. The new file also makes it simpler to run IPA's custodia instance with its own SELinux context. Signed-off-by: Christian Heimes PR depends on new custodia release. """ From freeipa-github-notification at redhat.com Mon Mar 20 14:46:02 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Mon, 20 Mar 2017 15:46:02 +0100 Subject: [Freeipa-devel] [freeipa PR#621][comment] Add --force-password-reset to user_mod in user.py In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/621 Title: #621: Add --force-password-reset to user_mod in user.py HonzaCholasta commented: """ Actually, maybe `user-mod` is a better place for the option, as it does LDAP modify operation, whereas `passwd` does LDAP password change extended operation. """ See the full comment at https://github.com/freeipa/freeipa/pull/621#issuecomment-287781294 From freeipa-github-notification at redhat.com Mon Mar 20 14:52:23 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 20 Mar 2017 15:52:23 +0100 Subject: [Freeipa-devel] [freeipa PR#627][synchronized] Add CI helper script invocation to Travis CI In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/627 Author: martbab Title: #627: Add CI helper script invocation to Travis CI Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/627/head:pr627 git checkout pr627 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-627.patch Type: text/x-diff Size: 186352 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Mar 20 15:37:24 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Mon, 20 Mar 2017 16:37:24 +0100 Subject: [Freeipa-devel] [freeipa PR#624][comment] Use connection keep-alive In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/624 Title: #624: Use connection keep-alive tomaskrizek commented: """ The extra connections seem to come from the internals of `httplib` library. If the hostname resolves to both IPv4 and IPv6 address, one connection is established to IPv4 and two to IPv6. I wasn't able to find the reason for this, but it doesn't seem to be related to our code. ``` connect(4, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("10.0.0.1")}, 16) = 0 connect(4, {sa_family=AF_INET6, sin6_port=htons(443), inet_pton(AF_INET6, "dead:beef::cafe", &sin6_addr), sin6_flowinfo=htonl(0), sin6_scope_id=0}, 28) = 0 connect(4, {sa_family=AF_INET6, sin6_port=htons(443), inet_pton(AF_INET6, "dead:beef::cafe", &sin6_addr), sin6_flowinfo=htonl(0), sin6_scope_id=0}, 28) = 0 ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/624#issuecomment-287798248 From freeipa-github-notification at redhat.com Mon Mar 20 15:42:33 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Mon, 20 Mar 2017 16:42:33 +0100 Subject: [Freeipa-devel] [freeipa PR#624][+ack] Use connection keep-alive In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/624 Title: #624: Use connection keep-alive Label: +ack From freeipa-github-notification at redhat.com Mon Mar 20 15:47:13 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 20 Mar 2017 16:47:13 +0100 Subject: [Freeipa-devel] [freeipa PR#624][comment] Use connection keep-alive In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/624 Title: #624: Use connection keep-alive tiran commented: """ This behavior could be caused by https://github.com/python/cpython/blob/master/Lib/socket.py#L688 . What's ```socket.getaddrinfo(host, 443, 0, socket.SOCK_STREAM)``` for your host? """ See the full comment at https://github.com/freeipa/freeipa/pull/624#issuecomment-287801541 From freeipa-github-notification at redhat.com Mon Mar 20 15:53:40 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 20 Mar 2017 16:53:40 +0100 Subject: [Freeipa-devel] [freeipa PR#606][+ack] [ipa-4-4] ipa-kdb: support KDB DAL version 6.1 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/606 Title: #606: [ipa-4-4] ipa-kdb: support KDB DAL version 6.1 Label: +ack From freeipa-github-notification at redhat.com Mon Mar 20 15:53:43 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 20 Mar 2017 16:53:43 +0100 Subject: [Freeipa-devel] [freeipa PR#606][comment] [ipa-4-4] ipa-kdb: support KDB DAL version 6.1 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/606 Title: #606: [ipa-4-4] ipa-kdb: support KDB DAL version 6.1 MartinBasti commented: """ works for me """ See the full comment at https://github.com/freeipa/freeipa/pull/606#issuecomment-287803795 From freeipa-github-notification at redhat.com Mon Mar 20 15:54:10 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 20 Mar 2017 16:54:10 +0100 Subject: [Freeipa-devel] [freeipa PR#610][+ack] [4.3] Fix cookie with Max-Age processing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/610 Title: #610: [4.3] Fix cookie with Max-Age processing Label: +ack From freeipa-github-notification at redhat.com Mon Mar 20 15:54:26 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 20 Mar 2017 16:54:26 +0100 Subject: [Freeipa-devel] [freeipa PR#609][+ack] [4.4] Fix cookie with Max-Age processing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/609 Title: #609: [4.4] Fix cookie with Max-Age processing Label: +ack From freeipa-github-notification at redhat.com Mon Mar 20 15:55:02 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 20 Mar 2017 16:55:02 +0100 Subject: [Freeipa-devel] [freeipa PR#612][+ack] [4.5] Add debug log in case cookie retrieval went wrong In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/612 Title: #612: [4.5] Add debug log in case cookie retrieval went wrong Label: +ack From freeipa-github-notification at redhat.com Mon Mar 20 15:55:07 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 20 Mar 2017 16:55:07 +0100 Subject: [Freeipa-devel] [freeipa PR#611][+ack] Add debug log in case cookie retrieval went wrong In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/611 Title: #611: Add debug log in case cookie retrieval went wrong Label: +ack From freeipa-github-notification at redhat.com Mon Mar 20 16:04:58 2017 
From: freeipa-github-notification at redhat.com (redhatrises) Date: Mon, 20 Mar 2017 17:04:58 +0100 Subject: [Freeipa-devel] [freeipa PR#621][comment] Add --force-password-reset to user_mod in user.py In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/621 Title: #621: Add --force-password-reset to user_mod in user.py redhatrises commented: """ Okay, so since it will reside in one location, should it be `user-mod` (PR already uses `user-mod`) or `passwd`? """ See the full comment at https://github.com/freeipa/freeipa/pull/621#issuecomment-287807607 From freeipa-github-notification at redhat.com Mon Mar 20 16:13:35 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 20 Mar 2017 17:13:35 +0100 Subject: [Freeipa-devel] [freeipa PR#606][closed] [ipa-4-4] ipa-kdb: support KDB DAL version 6.1 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/606 Author: tomaskrizek Title: #606: [ipa-4-4] ipa-kdb: support KDB DAL version 6.1 Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/606/head:pr606 git checkout pr606 From freeipa-github-notification at redhat.com Mon Mar 20 16:13:38 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 20 Mar 2017 17:13:38 +0100 Subject: [Freeipa-devel] [freeipa PR#606][comment] [ipa-4-4] ipa-kdb: support KDB DAL version 6.1 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/606 Title: #606: [ipa-4-4] ipa-kdb: support KDB DAL version 6.1 MartinBasti commented: """ ipa-4-4: * 95daecbae86f51271f5ea48cb628ace72e676351 ipa-kdb: support KDB DAL version 6.1 """ See the full comment at https://github.com/freeipa/freeipa/pull/606#issuecomment-287810103 From freeipa-github-notification at redhat.com Mon Mar 20 16:13:39 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 20 Mar 2017 17:13:39 +0100 Subject: [Freeipa-devel] [freeipa PR#606][+pushed] [ipa-4-4] ipa-kdb: support KDB DAL version 6.1 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/606 Title: #606: [ipa-4-4] ipa-kdb: support KDB DAL version 6.1 Label: +pushed From freeipa-github-notification at redhat.com Mon Mar 20 16:38:28 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Mon, 20 Mar 2017 17:38:28 +0100 Subject: [Freeipa-devel] [freeipa PR#624][comment] Use connection keep-alive In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/624 Title: #624: Use connection keep-alive tomaskrizek commented: """ @tiran I checked that code as well, `getaddrinfo` returns both IPv6 and IPv4. That could explain two connections, but I'm not sure where the third one comes from. """ See the full comment at https://github.com/freeipa/freeipa/pull/624#issuecomment-287818799 From freeipa-github-notification at redhat.com Mon Mar 20 16:39:54 2017 From: freeipa-github-notification at redhat.com (abbra) Date: Mon, 20 Mar 2017 17:39:54 +0100 Subject: [Freeipa-devel] [freeipa PR#621][comment] Add --force-password-reset to user_mod in user.py In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/621 Title: #621: Add --force-password-reset to user_mod in user.py abbra commented: """ Ok, let's go with `user-mod` as original request goes, based on the fact that we are not changing the password, we are changing its properties. LGTM. """ See the full comment at https://github.com/freeipa/freeipa/pull/621#issuecomment-287819233 From freeipa-github-notification at redhat.com Mon Mar 20 17:07:43 2017 
From: freeipa-github-notification at redhat.com (felipevolpone) Date: Mon, 20 Mar 2017 18:07:43 +0100 Subject: [Freeipa-devel] [freeipa PR#620][synchronized] [WIP] Fixing 6549 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/620 Author: felipevolpone Title: #620: [WIP] Fixing 6549 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/620/head:pr620 git checkout pr620 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-620.patch Type: text/x-diff Size: 1292 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Mar 20 17:12:26 2017 From: freeipa-github-notification at redhat.com (felipevolpone) Date: Mon, 20 Mar 2017 18:12:26 +0100 Subject: [Freeipa-devel] [freeipa PR#620][comment] [WIP] Fixing 6549 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/620 Title: #620: [WIP] Fixing 6549 felipevolpone commented: """ @HonzaCholasta, @MartinBasti done :) Please, check if the commit message and the code comment are good enough. Thank you """ See the full comment at https://github.com/freeipa/freeipa/pull/620#issuecomment-287829954 From freeipa-github-notification at redhat.com Mon Mar 20 17:41:52 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Mon, 20 Mar 2017 18:41:52 +0100 Subject: [Freeipa-devel] [freeipa PR#620][comment] [WIP] Fixing 6549 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/620 Title: #620: [WIP] Fixing 6549 tomaskrizek commented: """ Please try to keep the commit message summary short and append the link to the ticket at the end. For example: ``` server install: require IPv6 stack to be enabled Add checks to install and replica install to verify IPv6 stack is enabled. IPv6 is required by some IPA parts (AD, conncheck, ...). https://pagure.io/freeipa/issue/6608 ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/620#issuecomment-287839562 From freeipa-github-notification at redhat.com Mon Mar 20 17:46:15 2017 From: freeipa-github-notification at redhat.com (felipevolpone) Date: Mon, 20 Mar 2017 18:46:15 +0100 Subject: [Freeipa-devel] [freeipa PR#620][comment] [WIP] Fixing 6549 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/620 Title: #620: [WIP] Fixing 6549 felipevolpone commented: """ What do you think about: ``` Fixing the replica install against IPA 3.0.0 master. Now, at the domain level 0, the replica install always uses Directory Manager credentials to create the LDAP connection. https://pagure.io/freeipa/issue/6549 ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/620#issuecomment-287840959 From freeipa-github-notification at redhat.com Mon Mar 20 17:56:01 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Mon, 20 Mar 2017 18:56:01 +0100 Subject: [Freeipa-devel] [freeipa PR#620][comment] [WIP] Fixing 6549 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/620 Title: #620: [WIP] Fixing 6549 tomaskrizek commented: """ Seems all right, but I'd go with a more informative summary to make it a bit more clear what's changed when looking through the log:
```
replica install: fix ldap connection in domlvl 0
```
""" See the full comment at https://github.com/freeipa/freeipa/pull/620#issuecomment-287844128 From freeipa-github-notification at redhat.com Mon Mar 20 18:11:06 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Mon, 20 Mar 2017 19:11:06 +0100 Subject: [Freeipa-devel] [freeipa PR#609][+pushed] [4.4] Fix cookie with Max-Age processing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/609 Title: #609: [4.4] Fix cookie with Max-Age processing Label: +pushed From freeipa-github-notification at redhat.com Mon Mar 20 18:11:11 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Mon, 20 Mar 2017 19:11:11 +0100 Subject: [Freeipa-devel] [freeipa PR#609][closed] [4.4] Fix cookie with Max-Age processing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/609 Author: stlaz Title: #609: [4.4] Fix cookie with Max-Age processing Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/609/head:pr609 git checkout pr609 From freeipa-github-notification at redhat.com Mon Mar 20 18:11:14 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Mon, 20 Mar 2017 19:11:14 +0100 Subject: [Freeipa-devel] [freeipa PR#609][comment] [4.4] Fix cookie with Max-Age processing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/609 Title: #609: [4.4] Fix cookie with Max-Age processing tomaskrizek commented: """ ipa-4-4: * 40f3b8f8a3d33864528138e517ce3240da6c9a4a Fix cookie with Max-Age processing * 5caade99127ff46141d2f6b7137f7aa62c0ff3bc Add debug log in case cookie retrieval went wrong """ See the full comment at https://github.com/freeipa/freeipa/pull/609#issuecomment-287848903 From freeipa-github-notification at redhat.com Mon Mar 20 18:12:30 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Mon, 20 Mar 2017 19:12:30 +0100 Subject: [Freeipa-devel] [freeipa PR#610][+pushed] [4.3] Fix cookie with Max-Age processing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/610 Title: #610: [4.3] Fix cookie with Max-Age processing Label: +pushed From freeipa-github-notification at redhat.com Mon Mar 20 18:12:35 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Mon, 20 Mar 2017 19:12:35 +0100 Subject: [Freeipa-devel] [freeipa PR#610][comment] [4.3] Fix cookie with Max-Age processing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/610 Title: #610: [4.3] Fix cookie with Max-Age processing tomaskrizek commented: """ ipa-4-3: * 0d66046e501a4a1a09a0a74a96a499cb88ffb03b Fix cookie with Max-Age processing * 71475e3153117e554d22a2a27d7882ba4f890be8 Add debug log in case cookie retrieval went wrong """ See the full comment at https://github.com/freeipa/freeipa/pull/610#issuecomment-287849317 From freeipa-github-notification at redhat.com Mon Mar 20 18:12:39 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Mon, 20 Mar 2017 19:12:39 +0100 Subject: [Freeipa-devel] [freeipa PR#610][closed] [4.3] Fix cookie with Max-Age processing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/610 Author: stlaz Title: #610: [4.3] Fix cookie with Max-Age processing Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/610/head:pr610 git checkout pr610 From freeipa-github-notification at redhat.com Mon Mar 20 18:17:26 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Mon, 20 Mar 2017 19:17:26 +0100 Subject: [Freeipa-devel] [freeipa PR#611][+pushed] Add debug log in case cookie retrieval went wrong In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/611 Title: #611: Add debug log in case cookie retrieval went wrong Label: +pushed From freeipa-github-notification at redhat.com Mon Mar 20 18:17:30 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Mon, 20 Mar 2017 19:17:30 +0100 Subject: [Freeipa-devel] [freeipa PR#611][comment] Add debug log in case cookie retrieval went wrong In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/611 Title: #611: Add debug log in case cookie retrieval went wrong tomaskrizek commented: """ ipa-4-5: * c59729d783993f60582f5cc6ca018545231df22b Add debug log in case cookie retrieval went wrong master: * 0bb858ea770e081817dc243579d08ad1f113e825 Add debug log in case cookie retrieval went wrong """ See the full comment at https://github.com/freeipa/freeipa/pull/611#issuecomment-287850914 From freeipa-github-notification at redhat.com Mon Mar 20 18:17:33 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Mon, 20 Mar 2017 19:17:33 +0100 Subject: [Freeipa-devel] [freeipa PR#611][closed] Add debug log in case cookie retrieval went wrong In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/611 Author: stlaz Title: #611: Add debug log in case cookie retrieval went wrong Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/611/head:pr611 git checkout pr611 From freeipa-github-notification at redhat.com Mon Mar 20 18:20:51 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Mon, 20 Mar 2017 19:20:51 +0100 Subject: [Freeipa-devel] [freeipa PR#612][+pushed] [4.5] Add debug log in case cookie retrieval went wrong In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/612 Title: #612: [4.5] Add debug log in case cookie retrieval went wrong Label: +pushed From freeipa-github-notification at redhat.com Mon Mar 20 18:21:00 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Mon, 20 Mar 2017 19:21:00 +0100 Subject: [Freeipa-devel] [freeipa PR#612][comment] [4.5] Add debug log in case cookie retrieval went wrong In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/612 Title: #612: [4.5] Add debug log in case cookie retrieval went wrong tomaskrizek commented: """ ipa-4-5: * c59729d783993f60582f5cc6ca018545231df22b Add debug log in case cookie retrieval went wrong """ See the full comment at https://github.com/freeipa/freeipa/pull/612#issuecomment-287851970 From freeipa-github-notification at redhat.com Mon Mar 20 18:21:04 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Mon, 20 Mar 2017 19:21:04 +0100 Subject: [Freeipa-devel] [freeipa PR#612][closed] [4.5] Add debug log in case cookie retrieval went wrong In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/612 Author: stlaz Title: #612: [4.5] Add debug log in case cookie retrieval went wrong Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/612/head:pr612 git checkout pr612 From freeipa-github-notification at redhat.com Mon Mar 20 18:25:58 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Mon, 20 Mar 2017 19:25:58 +0100 Subject: [Freeipa-devel] [freeipa PR#624][+pushed] Use connection keep-alive In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/624 Title: #624: Use connection keep-alive Label: +pushed From freeipa-github-notification at redhat.com Mon Mar 20 18:26:02 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Mon, 20 Mar 2017 19:26:02 +0100 Subject: [Freeipa-devel] [freeipa PR#624][comment] Use connection keep-alive In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/624 Title: #624: Use connection keep-alive tomaskrizek commented: """ master: * 7beb6d1cad7e2200208cb14be6c823a89abf0dc3 Use connection keep-alive * b2bdd2e1a912573ae4a3e8e5f40831a800d972f7 Add debug logging for keep-alive * 7f567286f6b89f3e981af02913e833d3e8ed5064 Increase Apache HTTPD's default keep alive timeout ipa-4-5: * 25cf4a2e76ff976fe15029f9da7e4e3555f203d4 Use connection keep-alive * f78439439c3c2ef6491fd5275de9d40b4b40a9b7 Add debug logging for keep-alive * 4b426fbfa2dc83f1f43abbc2b9396bd9f1b07f74 Increase Apache HTTPD's default keep alive timeout """ See the full comment at https://github.com/freeipa/freeipa/pull/624#issuecomment-287853534 From freeipa-github-notification at redhat.com Mon Mar 20 18:26:05 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Mon, 20 Mar 2017 19:26:05 +0100 Subject: [Freeipa-devel] [freeipa PR#624][closed] Use connection keep-alive In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/624 Author: tiran Title: #624: Use connection keep-alive Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/624/head:pr624 git checkout pr624 From freeipa-github-notification at redhat.com Tue Mar 21 06:42:15 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 21 Mar 2017 07:42:15 +0100 Subject: [Freeipa-devel] [freeipa PR#620][comment] [WIP] Fixing 6549 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/620 Title: #620: [WIP] Fixing 6549 HonzaCholasta commented: """ @felipevolpone, the comment should explain *why* DM authentication has to be used. """ See the full comment at https://github.com/freeipa/freeipa/pull/620#issuecomment-287990430 From freeipa-github-notification at redhat.com Tue Mar 21 06:59:33 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 21 Mar 2017 07:59:33 +0100 Subject: [Freeipa-devel] [freeipa PR#621][comment] Add --force-password-reset to user_mod in user.py In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/621 Title: #621: Add --force-password-reset to user_mod in user.py HonzaCholasta commented: """ I have given this some thought over the night - maybe we should make the option more generic and allow the user to specify the expiration time rather than special case it for "now" time, i.e. `--password-expiration=2017-03-21T07:58:05Z` to expire the password at a specific time, `--password-expiration=now` to expire the password now, just like `--force-password-reset` does. """ See the full comment at https://github.com/freeipa/freeipa/pull/621#issuecomment-287992866 From freeipa-github-notification at redhat.com Tue Mar 21 08:41:22 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Tue, 21 Mar 2017 09:41:22 +0100 Subject: [Freeipa-devel] [freeipa PR#630][+ack] ipapython.ipautil.nolog_replace: Do not replace empty value In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/630 Title: #630: ipapython.ipautil.nolog_replace: Do not replace empty value Label: +ack From freeipa-github-notification at redhat.com Tue Mar 21 08:47:39 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Tue, 21 Mar 2017 09:47:39 +0100 Subject: [Freeipa-devel] [freeipa PR#630][+pushed] ipapython.ipautil.nolog_replace: Do not replace empty value In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/630 Title: #630: ipapython.ipautil.nolog_replace: Do not replace empty value Label: +pushed From freeipa-github-notification at redhat.com Tue Mar 21 08:47:42 2017 
From: freeipa-github-notification at redhat.com (pvomacka) Date: Tue, 21 Mar 2017 09:47:42 +0100 Subject: [Freeipa-devel] [freeipa PR#630][comment] ipapython.ipautil.nolog_replace: Do not replace empty value In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/630 Title: #630: ipapython.ipautil.nolog_replace: Do not replace empty value pvomacka commented: """ ipa-4-5: * 8f0c7df198f8dd6ae742b099b3258c2383007c30 ipapython.ipautil.nolog_replace: Do not replace empty value master: * 4297ad6db0d4f39d82fd155323163df92b2b7894 ipapython.ipautil.nolog_replace: Do not replace empty value ipa-4-4: * 40e1eb695d648a03f45e9c8d6687cb3d8a99fd6d ipapython.ipautil.nolog_replace: Do not replace empty value """ See the full comment at https://github.com/freeipa/freeipa/pull/630#issuecomment-288012307 From freeipa-github-notification at redhat.com Tue Mar 21 08:47:45 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Tue, 21 Mar 2017 09:47:45 +0100 Subject: [Freeipa-devel] [freeipa PR#630][closed] ipapython.ipautil.nolog_replace: Do not replace empty value In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/630 Author: dkupka Title: #630: ipapython.ipautil.nolog_replace: Do not replace empty value Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/630/head:pr630 git checkout pr630 From freeipa-github-notification at redhat.com Tue Mar 21 11:04:57 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 21 Mar 2017 12:04:57 +0100 Subject: [Freeipa-devel] [freeipa PR#543][comment] Add options to allow ticket caching In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/543 Title: #543: Add options to allow ticket caching HonzaCholasta commented: """ @martbab, the ticket says 4.5.1, but this was not pushed to ipa-4-5. """ See the full comment at https://github.com/freeipa/freeipa/pull/543#issuecomment-288045552 From freeipa-github-notification at redhat.com Tue Mar 21 11:05:03 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 21 Mar 2017 12:05:03 +0100 Subject: [Freeipa-devel] [freeipa PR#543][reopened] Add options to allow ticket caching In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/543 Author: simo5 Title: #543: Add options to allow ticket caching Action: reopened To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/543/head:pr543 git checkout pr543 From freeipa-github-notification at redhat.com Tue Mar 21 11:05:37 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 21 Mar 2017 12:05:37 +0100 Subject: [Freeipa-devel] [freeipa PR#543][-pushed] Add options to allow ticket caching In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/543 Title: #543: Add options to allow ticket caching Label: -pushed From freeipa-github-notification at redhat.com Tue Mar 21 11:06:09 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 21 Mar 2017 12:06:09 +0100 Subject: [Freeipa-devel] [freeipa PR#543][+pushed] Add options to allow ticket caching In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/543 Title: #543: Add options to allow ticket caching Label: +pushed From freeipa-github-notification at redhat.com Tue Mar 21 11:06:13 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 21 Mar 2017 12:06:13 +0100 Subject: [Freeipa-devel] [freeipa PR#543][comment] Add options to allow ticket caching In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/543 Title: #543: Add options to allow ticket caching HonzaCholasta commented: """ ipa-4-5: * 62d39385e20b3e1b059466f37cc063833355551e Add options to allow ticket caching """ See the full comment at https://github.com/freeipa/freeipa/pull/543#issuecomment-288045834 From freeipa-github-notification at redhat.com Tue Mar 21 11:06:15 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 21 Mar 2017 12:06:15 +0100 Subject: [Freeipa-devel] [freeipa PR#543][closed] Add options to allow ticket caching In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/543 Author: simo5 Title: #543: Add options to allow ticket caching Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/543/head:pr543 git checkout pr543 From freeipa-github-notification at redhat.com Tue Mar 21 11:07:54 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Tue, 21 Mar 2017 12:07:54 +0100 Subject: [Freeipa-devel] [freeipa PR#628][comment] WebUI: Remove offline version of WebUI In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/628 Title: #628: WebUI: Remove offline version of WebUI pvomacka commented: """ Self-NACK, build fails. """ See the full comment at https://github.com/freeipa/freeipa/pull/628#issuecomment-288046245 From freeipa-github-notification at redhat.com Tue Mar 21 12:07:54 2017 
From: freeipa-github-notification at redhat.com (felipevolpone) Date: Tue, 21 Mar 2017 13:07:54 +0100 Subject: [Freeipa-devel] [freeipa PR#620][synchronized] [WIP] Fixing 6549 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/620 Author: felipevolpone Title: #620: [WIP] Fixing 6549 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/620/head:pr620 git checkout pr620 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-620.patch Type: text/x-diff Size: 1586 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Mar 21 12:16:39 2017 From: freeipa-github-notification at redhat.com (felipevolpone) Date: Tue, 21 Mar 2017 13:16:39 +0100 Subject: [Freeipa-devel] [freeipa PR#620][comment] [WIP] Fixing 6549 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/620 Title: #620: [WIP] Fixing 6549 felipevolpone commented: """ @HonzaCholasta @tomaskrizek please, check if it looks good to you. thank you for helping me guys :+1: """ See the full comment at https://github.com/freeipa/freeipa/pull/620#issuecomment-288060962 From freeipa-github-notification at redhat.com Tue Mar 21 12:30:08 2017 
From: freeipa-github-notification at redhat.com (redhatrises) Date: Tue, 21 Mar 2017 13:30:08 +0100 Subject: [Freeipa-devel] [freeipa PR#621][comment] Add --force-password-reset to user_mod in user.py In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/621 Title: #621: Add --force-password-reset to user_mod in user.py redhatrises commented: """ @HonzaCholasta that's an interesting idea. Most of the time, a password reset is forced immediately, but that does provide more flexibility. I assume that the datetime input should match the `2017-03-21T07:58:05Z` format? """ See the full comment at https://github.com/freeipa/freeipa/pull/621#issuecomment-288063972 From freeipa-github-notification at redhat.com Tue Mar 21 14:46:12 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 21 Mar 2017 15:46:12 +0100 Subject: [Freeipa-devel] [freeipa PR#621][comment] Add --force-password-reset to user_mod in user.py In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/621 Title: #621: Add --force-password-reset to user_mod in user.py HonzaCholasta commented: """ @redhatrises, do not handle the format yourself, use the `DateTime` param type. Note that you will need to extend it to correctly interpret the "now" value. """ See the full comment at https://github.com/freeipa/freeipa/pull/621#issuecomment-288101283 From freeipa-github-notification at redhat.com Tue Mar 21 15:36:47 2017 
From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 21 Mar 2017 16:36:47 +0100 Subject: [Freeipa-devel] [freeipa PR#608][comment] tasks: run `systemctl daemon-reload` after httpd.service.d updates In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/608 Title: #608: tasks: run `systemctl daemon-reload` after httpd.service.d updates martbab commented: """ @HonzaCholasta I was not able to reproduce it any more so I guess that it was a transient error. If I encounter it again I will file a separate ticket. """ See the full comment at https://github.com/freeipa/freeipa/pull/608#issuecomment-288118393 From freeipa-github-notification at redhat.com Tue Mar 21 15:36:54 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 21 Mar 2017 16:36:54 +0100 Subject: [Freeipa-devel] [freeipa PR#608][+ack] tasks: run `systemctl daemon-reload` after httpd.service.d updates In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/608 Title: #608: tasks: run `systemctl daemon-reload` after httpd.service.d updates Label: +ack From freeipa-github-notification at redhat.com Tue Mar 21 15:37:39 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 21 Mar 2017 16:37:39 +0100 Subject: [Freeipa-devel] [freeipa PR#626][synchronized] Move helper code for integration plugin In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/626 Author: tiran Title: #626: Move helper code for integration plugin Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/626/head:pr626 git checkout pr626 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-626.patch Type: text/x-diff Size: 192261 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Mar 21 15:38:29 2017 
From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 21 Mar 2017 16:38:29 +0100 Subject: [Freeipa-devel] [freeipa PR#608][+pushed] tasks: run `systemctl daemon-reload` after httpd.service.d updates In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/608 Title: #608: tasks: run `systemctl daemon-reload` after httpd.service.d updates Label: +pushed From freeipa-github-notification at redhat.com Tue Mar 21 15:38:32 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 21 Mar 2017 16:38:32 +0100 Subject: [Freeipa-devel] [freeipa PR#608][comment] tasks: run `systemctl daemon-reload` after httpd.service.d updates In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/608 Title: #608: tasks: run `systemctl daemon-reload` after httpd.service.d updates martbab commented: """ master: * 3de09709cc33f1d26f2d605bac82110fe73dde03 tasks: run `systemctl daemon-reload` after httpd.service.d updates ipa-4-5: * 62c41219acdd0e82201168aea5cb22879c655742 tasks: run `systemctl daemon-reload` after httpd.service.d updates """ See the full comment at https://github.com/freeipa/freeipa/pull/608#issuecomment-288118924 From freeipa-github-notification at redhat.com Tue Mar 21 15:38:35 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 21 Mar 2017 16:38:35 +0100 Subject: [Freeipa-devel] [freeipa PR#608][closed] tasks: run `systemctl daemon-reload` after httpd.service.d updates In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/608 Author: HonzaCholasta Title: #608: tasks: run `systemctl daemon-reload` after httpd.service.d updates Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/608/head:pr608 git checkout pr608 From freeipa-github-notification at redhat.com Tue Mar 21 15:39:03 2017 
From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 21 Mar 2017 16:39:03 +0100 Subject: [Freeipa-devel] [freeipa PR#608][comment] tasks: run `systemctl daemon-reload` after httpd.service.d updates In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/608 Title: #608: tasks: run `systemctl daemon-reload` after httpd.service.d updates martbab commented: """ If you need the fix in ipa-4-4 you need to file a rebased PR against that branch. """ See the full comment at https://github.com/freeipa/freeipa/pull/608#issuecomment-288119146 From freeipa-github-notification at redhat.com Tue Mar 21 16:07:04 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 21 Mar 2017 17:07:04 +0100 Subject: [Freeipa-devel] [freeipa PR#631][opened] Upgrade: configure PKINIT after adding anonymous principal Message-ID: URL: https://github.com/freeipa/freeipa/pull/631 Author: martbab Title: #631: Upgrade: configure PKINIT after adding anonymous principal Action: opened PR body: """ In order to set up PKINIT, the anonymous principal must already be created, otherwise the upgrade will fail when trying out anonymous PKINIT. Switch the order of steps so that this issue does not occur. https://pagure.io/freeipa/issue/6792 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/631/head:pr631 git checkout pr631 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-631.patch Type: text/x-diff Size: 1142 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Mar 21 16:43:38 2017 
From: freeipa-github-notification at redhat.com (apophys) Date: Tue, 21 Mar 2017 17:43:38 +0100 Subject: [Freeipa-devel] [freeipa PR#626][comment] Move helper code for integration plugin In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/626 Title: #626: Move helper code for integration plugin apophys commented: """ Thanks for the update """ See the full comment at https://github.com/freeipa/freeipa/pull/626#issuecomment-288140640 From freeipa-github-notification at redhat.com Tue Mar 21 16:43:45 2017 From: freeipa-github-notification at redhat.com (apophys) Date: Tue, 21 Mar 2017 17:43:45 +0100 Subject: [Freeipa-devel] [freeipa PR#626][+ack] Move helper code for integration plugin In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/626 Title: #626: Move helper code for integration plugin Label: +ack From freeipa-github-notification at redhat.com Tue Mar 21 18:21:09 2017 
From: freeipa-github-notification at redhat.com (flo-renaud) Date: Tue, 21 Mar 2017 19:21:09 +0100 Subject: [Freeipa-devel] [freeipa PR#632][opened] ipa-sam: create the gidNumber attribute in the trusted domain entry Message-ID: URL: https://github.com/freeipa/freeipa/pull/632 Author: flo-renaud Title: #632: ipa-sam: create the gidNumber attribute in the trusted domain entry Action: opened PR body: """ When a trusted domain entry is created, the uidNumber attribute is created but not the gidNumber attribute. This causes samba to log Failed to find a Unix account for DOM-AD$ because the samu structure does not contain a group_sid and is not put in the cache. The fix creates the gidNumber attribute in the trusted domain entry, and initialises the group_sid field in the samu structure returned by ldapsam_getsampwnam. This ensures that the entry is put in the cache. Note that this is only a partial fix for 6660 as it does not prevent _netr_ServerAuthenticate3 from failing with the log _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client VM-AD machine account dom-ad.example.com. https://pagure.io/freeipa/issue/6660 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/632/head:pr632 git checkout pr632 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-632.patch Type: text/x-diff Size: 3279 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 22 04:21:14 2017 
From: freeipa-github-notification at redhat.com (frasertweedale) Date: Wed, 22 Mar 2017 05:21:14 +0100 Subject: [Freeipa-devel] [freeipa PR#633][opened] Support 8192-bit RSA keys in default cert profile Message-ID: URL: https://github.com/freeipa/freeipa/pull/633 Author: frasertweedale Title: #633: Support 8192-bit RSA keys in default cert profile Action: opened PR body: """ Update the caIPAserviceCert profile to accept 8192-bit RSA keys. Affects new installs only, because there is not yet a facility to update included profiles. Fixes: https://pagure.io/freeipa/issue/6319 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/633/head:pr633 git checkout pr633 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-633.patch Type: text/x-diff Size: 1353 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 22 07:24:58 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 22 Mar 2017 08:24:58 +0100 Subject: [Freeipa-devel] [freeipa PR#634][opened] cert: do not limit internal searches in cert-find Message-ID: URL: https://github.com/freeipa/freeipa/pull/634 Author: HonzaCholasta Title: #634: cert: do not limit internal searches in cert-find Action: opened PR body: """ Instead, apply the limits on the combined result. This fixes (absence of) `--sizelimit` leading to strange behavior, such as `cert-find --users user` returning a non-empty result only with `--sizelimit 0`. https://pagure.io/freeipa/issue/6716 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/634/head:pr634 git checkout pr634 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-634.patch Type: text/x-diff Size: 3442 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 22 07:59:39 2017 
From: freeipa-github-notification at redhat.com (flo-renaud) Date: Wed, 22 Mar 2017 08:59:39 +0100 Subject: [Freeipa-devel] [freeipa PR#635][opened] man ipa-cacert-manage install needs clarification Message-ID: URL: https://github.com/freeipa/freeipa/pull/635 Author: flo-renaud Title: #635: man ipa-cacert-manage install needs clarification Action: opened PR body: """ The customers are often confused by ipa-cacert-manage install. The man page should make it clear that IPA CA is not modified in any way by this command. https://pagure.io/freeipa/issue/6795 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/635/head:pr635 git checkout pr635 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-635.patch Type: text/x-diff Size: 1502 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 22 08:42:36 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 22 Mar 2017 09:42:36 +0100 Subject: [Freeipa-devel] [freeipa PR#635][comment] man ipa-cacert-manage install needs clarification In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/635 Title: #635: man ipa-cacert-manage install needs clarification tomaskrizek commented: """ I think the message would be a bit easier to read if the added part would be in a separate paragraph. Could you update it, please? """ See the full comment at https://github.com/freeipa/freeipa/pull/635#issuecomment-288332977 From freeipa-github-notification at redhat.com Wed Mar 22 08:57:04 2017 
From: freeipa-github-notification at redhat.com (flo-renaud) Date: Wed, 22 Mar 2017 09:57:04 +0100 Subject: [Freeipa-devel] [freeipa PR#635][synchronized] man ipa-cacert-manage install needs clarification In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/635 Author: flo-renaud Title: #635: man ipa-cacert-manage install needs clarification Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/635/head:pr635 git checkout pr635 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-635.patch Type: text/x-diff Size: 1361 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 22 08:58:11 2017 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Wed, 22 Mar 2017 09:58:11 +0100 Subject: [Freeipa-devel] [freeipa PR#635][comment] man ipa-cacert-manage install needs clarification In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/635 Title: #635: man ipa-cacert-manage install needs clarification flo-renaud commented: """ Hi @tomaskrizek thank you for the suggestion. PR updated. """ See the full comment at https://github.com/freeipa/freeipa/pull/635#issuecomment-288336324 From freeipa-github-notification at redhat.com Wed Mar 22 09:00:48 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 22 Mar 2017 10:00:48 +0100 Subject: [Freeipa-devel] [freeipa PR#635][+ack] man ipa-cacert-manage install needs clarification In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/635 Title: #635: man ipa-cacert-manage install needs clarification Label: +ack From freeipa-github-notification at redhat.com Wed Mar 22 09:11:36 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 22 Mar 2017 10:11:36 +0100 Subject: [Freeipa-devel] [freeipa PR#517][edited] [WIP] Use Custodia 0.3 features In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/517 Author: tiran Title: #517: [WIP] Use Custodia 0.3 features Action: edited Changed field: title Original value: """ [WIP] Use Custodia 0.3 features """ From freeipa-github-notification at redhat.com Wed Mar 22 09:15:05 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 22 Mar 2017 10:15:05 +0100 Subject: [Freeipa-devel] [freeipa PR#635][+pushed] man ipa-cacert-manage install needs clarification In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/635 Title: #635: man ipa-cacert-manage install needs clarification Label: +pushed From freeipa-github-notification at redhat.com Wed Mar 22 09:15:12 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 22 Mar 2017 10:15:12 +0100 Subject: [Freeipa-devel] [freeipa PR#635][comment] man ipa-cacert-manage install needs clarification In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/635 Title: #635: man ipa-cacert-manage install needs clarification tomaskrizek commented: """ master: * 3ea2834b76a72c97186b01487e885800754c0fbc man ipa-cacert-manage install needs clarification ipa-4-5: * bb53a9ab6dce023dd51c2a434fd8597eab5bc0d0 man ipa-cacert-manage install needs clarification """ See the full comment at https://github.com/freeipa/freeipa/pull/635#issuecomment-288340038 From freeipa-github-notification at redhat.com Wed Mar 22 09:15:15 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 22 Mar 2017 10:15:15 +0100 Subject: [Freeipa-devel] [freeipa PR#635][closed] man ipa-cacert-manage install needs clarification In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/635 Author: flo-renaud Title: #635: man ipa-cacert-manage install needs clarification Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/635/head:pr635 git checkout pr635 From freeipa-github-notification at redhat.com Wed Mar 22 09:25:56 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 22 Mar 2017 10:25:56 +0100 Subject: [Freeipa-devel] [freeipa PR#634][comment] cert: do not limit internal searches in cert-find In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/634 Title: #634: cert: do not limit internal searches in cert-find stlaz commented: """ The tests obviously fail as they expect the `cert-find` command to respect the `sizelimit` option. """ See the full comment at https://github.com/freeipa/freeipa/pull/634#issuecomment-288342471 From freeipa-github-notification at redhat.com Wed Mar 22 09:26:43 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 22 Mar 2017 10:26:43 +0100 Subject: [Freeipa-devel] [freeipa PR#627][comment] Add CI helper script invocation to Travis CI In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/627 Title: #627: Add CI helper script invocation to Travis CI tomaskrizek commented: """ Could you please re-rebase this on top of #626 to check if everything works as expected? """ See the full comment at https://github.com/freeipa/freeipa/pull/627#issuecomment-288342674 From freeipa-github-notification at redhat.com Wed Mar 22 09:34:33 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 22 Mar 2017 10:34:33 +0100 Subject: [Freeipa-devel] [freeipa PR#634][synchronized] cert: do not limit internal searches in cert-find In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/634 Author: HonzaCholasta Title: #634: cert: do not limit internal searches in cert-find Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/634/head:pr634 git checkout pr634 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-634.patch Type: text/x-diff Size: 3945 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 22 09:34:44 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 22 Mar 2017 10:34:44 +0100 Subject: [Freeipa-devel] [freeipa PR#634][comment] cert: do not limit internal searches in cert-find In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/634 Title: #634: cert: do not limit internal searches in cert-find HonzaCholasta commented: """ The fix was incomplete, it should be OK now. """ See the full comment at https://github.com/freeipa/freeipa/pull/634#issuecomment-288344593 From freeipa-github-notification at redhat.com Wed Mar 22 10:15:32 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 22 Mar 2017 11:15:32 +0100 Subject: [Freeipa-devel] [freeipa PR#626][comment] Move helper code for integration plugin In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/626 Title: #626: Move helper code for integration plugin tiran commented: """ @apophys Please create a ticket for the issue. This PR should not get merged until the issue is properly documented in a ticket and commit messages have been updated. """ See the full comment at https://github.com/freeipa/freeipa/pull/626#issuecomment-288354291 From freeipa-github-notification at redhat.com Wed Mar 22 10:17:17 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 22 Mar 2017 11:17:17 +0100 Subject: [Freeipa-devel] [freeipa PR#619][comment] pytest 3.x compatibility In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/619 Title: #619: pytest 3.x compatibility tiran commented: """ @martbab @MartinBasti Do you agree with the workaround or do you want to suggest a different approach? """ See the full comment at https://github.com/freeipa/freeipa/pull/619#issuecomment-288354736 From freeipa-github-notification at redhat.com Wed Mar 22 10:19:20 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 22 Mar 2017 11:19:20 +0100 Subject: [Freeipa-devel] [freeipa PR#616][+rejected] Simplify KRA transport cert cache In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/616 Title: #616: Simplify KRA transport cert cache Label: +rejected From freeipa-github-notification at redhat.com Wed Mar 22 10:19:23 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 22 Mar 2017 11:19:23 +0100 Subject: [Freeipa-devel] [freeipa PR#616][closed] Simplify KRA transport cert cache In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/616 Author: tiran Title: #616: Simplify KRA transport cert cache Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/616/head:pr616 git checkout pr616 From freeipa-github-notification at redhat.com Wed Mar 22 10:21:34 2017 From: freeipa-github-notification at redhat.com (apophys) Date: Wed, 22 Mar 2017 11:21:34 +0100 Subject: [Freeipa-devel] [freeipa PR#626][comment] Move helper code for integration plugin In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/626 Title: #626: Move helper code for integration plugin apophys commented: """ will do """ See the full comment at https://github.com/freeipa/freeipa/pull/626#issuecomment-288355769 From freeipa-github-notification at redhat.com Wed Mar 22 10:23:37 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 22 Mar 2017 11:23:37 +0100 Subject: [Freeipa-devel] [freeipa PR#613][comment] Constrain wheel package versions In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/613 Title: #613: Constrain wheel package versions tiran commented: """ @MartinBasti please finish the review. The issue makes my daily work harder and more complicated. """ See the full comment at https://github.com/freeipa/freeipa/pull/613#issuecomment-288356276 From freeipa-github-notification at redhat.com Wed Mar 22 10:26:17 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 22 Mar 2017 11:26:17 +0100 Subject: [Freeipa-devel] [freeipa PR#517][comment] Use Custodia 0.3 features In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/517 Title: #517: Use Custodia 0.3 features tiran commented: """ PR is blocked because custodia 0.3 is not yet in https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-master/packages/ Please add the package fro Koji builds https://github.com/freeipa/freeipa/pull/517#issuecomment-287313565 """ See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-288356890 From freeipa-github-notification at redhat.com Wed Mar 22 10:29:59 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 22 Mar 2017 11:29:59 +0100 Subject: [Freeipa-devel] [freeipa PR#397][comment] Improve wheel building and provide ipaserver wheel for local testing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/397 Title: #397: Improve wheel building and provide ipaserver wheel for local testing tiran commented: """ PR is blocked by #613 """ See the full comment at https://github.com/freeipa/freeipa/pull/397#issuecomment-288357734 From freeipa-github-notification at redhat.com Wed Mar 22 10:38:49 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 22 Mar 2017 11:38:49 +0100 Subject: [Freeipa-devel] [freeipa PR#626][synchronized] Move helper code for integration plugin In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/626 Author: tiran Title: #626: Move helper code for integration plugin Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/626/head:pr626 git checkout pr626 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-626.patch Type: text/x-diff Size: 193335 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 22 10:39:05 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 22 Mar 2017 11:39:05 +0100 Subject: [Freeipa-devel] [freeipa PR#626][edited] Move helper code for integration plugin In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/626 Author: tiran Title: #626: Move helper code for integration plugin Action: edited Changed field: body Original value: """ fd1b4f6ec9a349196d5df510008c4745f0b1fb84 broke integration tests because the integration helper imports code from ```ipatests.test_integration```. ``` Traceback (most recent call last): File "/usr/bin/ipa-test-config", line 30, in from ipatests.test_integration import config, env_config File "/usr/lib/python2.7/site-packages/ipatests/test_integration/__init__.py", line 22, in if pytest.config.getoption('ipaclient_unittests', False): AttributeError: 'module' object has no attribute 'config' ``` Helper code for ```ipatests.pytest_plugins.integration``` was in ```ipatests.test_integration```. This doesn't play nice with pytest's auto-discovery of test cases. Certain aspects of pytest are not available right away. For example ```pytest.config``` is generated after configuration stage but before discovery stage. Now all helper code is next to the plugin in ```ipatests.pytest_plugins.integration``` (which is now a package). """ From freeipa-github-notification at redhat.com Wed Mar 22 10:39:24 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 22 Mar 2017 11:39:24 +0100 Subject: [Freeipa-devel] [freeipa PR#626][comment] Move helper code for integration plugin In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/626 Title: #626: Move helper code for integration plugin tiran commented: """ @apophys has created ticket https://pagure.io/freeipa/issue/6798 and I have updated all commit messages. """ See the full comment at https://github.com/freeipa/freeipa/pull/626#issuecomment-288359861 From freeipa-github-notification at redhat.com Wed Mar 22 10:51:30 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 22 Mar 2017 11:51:30 +0100 Subject: [Freeipa-devel] [freeipa PR#636][opened] [Py3] Fix ipatests.util doc tests Message-ID: URL: https://github.com/freeipa/freeipa/pull/636 Author: tiran Title: #636: [Py3] Fix ipatests.util doc tests Action: opened PR body: """ Doctests of ipatests.util fail under Python 3. The old test scenario no longer works on Python 3 since u'how are you' and 'how are you' have identical type, but u'how are you' != b'how are you'. It works with int / float on all Python versions. Python 2 has while Python 3 uses . Signed-off-by: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/636/head:pr636 git checkout pr636 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-636.patch Type: text/x-diff Size: 3032 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 22 11:04:42 2017 
From: freeipa-github-notification at redhat.com (abbra) Date: Wed, 22 Mar 2017 12:04:42 +0100 Subject: [Freeipa-devel] [freeipa PR#637][opened] ldap2: use LDAP whoami operation to retrieve bind DN for current connection Message-ID: URL: https://github.com/freeipa/freeipa/pull/637 Author: abbra Title: #637: ldap2: use LDAP whoami operation to retrieve bind DN for current connection Action: opened PR body: """ For external users which are mapped to some DN in LDAP server, we wouldn't necessarily be able to find a kerberos data in their LDAP entry. Instead of searching for Kerberos principal use actual DN we are bound to because for get_effective_rights LDAP control we only need the DN itself. Fixes https://pagure.io/freeipa/issue/6797 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/637/head:pr637 git checkout pr637 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-637.patch Type: text/x-diff Size: 1587 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 22 11:26:57 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 22 Mar 2017 12:26:57 +0100 Subject: [Freeipa-devel] [freeipa PR#517][comment] Use Custodia 0.3 features In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/517 Title: #517: Use Custodia 0.3 features MartinBasti commented: """ No, this PR is not blocked by this but by this. I manually tried this patch and replica installation failed. ``` File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 203, in install install_step_0(standalone, replica_config, options) File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 244, in install_step_0 replica_config.dirman_password) File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 182, in get_ca_keys self.__get_keys(ca_host, cacerts_file, cacerts_pwd, data) File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 146, in __get_keys value = cli.fetch_key(os.path.join(prefix, nickname), False) File "/usr/lib/python2.7/site-packages/ipaserver/secrets/client.py", line 101, in fetch_key r.raise_for_status() File "/usr/lib/python2.7/site-packages/requests/models.py", line 844, in raise_for_status raise HTTPError(http_error_msg, response=self) 2017-03-22T09:41:44Z DEBUG The ipa-replica-install command failed, exception: HTTPError: 406 Client Error: Key name ca/caSigningCert%20cert-pki-ca does not match subject ca/caSigningCert cert-pki-ca for url: 
https://vm-126.abc.idm.lab.eng.brq.redhat.com/ipa/keys/ca/caSigningCert%20cert-pki-ca?type=kem&value=eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCJraWQiOm51bGx9.OxngT9UkpcI1epgfUY4ptfAcgNqcWkolwjxt48l7mYvvvDbejfdPY5IAulLyqXE_vc4ifCmqAJ2je9t2IC-gJXq9csZ60q4_sBhhw-NVp_2GZOasPYnF_LDoLEUx9iKihMiBRXTMS4Ue4wzx41tgSViCpuO7eUT5XKRaYtwOXd5qi46Z6S8XgQJSTeW3WQjRGNqSzYMOeHQNPMz24gSx9ENJ4Mx2x4LxY5cod3HGjocgp9s4qnJLYL3bhEXRL9x_t8RG6B06_FXY044DNsR5YBlHa7J5ks2ldiR7TCBN2te5iv_ePKYdpmMlHqeT1NNjGKMnei-TTtYE8dsJM4Q9gA.eDq3i2fgbry5AabVyJHVeg.Uf9wBxxQSloach8Pcbdi2BMzeHB9bY4tFRvifH3_-omv87g0jDCMEK8Tv56E9psnp1BEhcslPcIQC2k8YTUiMv_SgA-uj3Agb1RhZn1JV9IlZzPRfUELCj0jj-rVsC7UeQjkYRjYhxnCrlYpiLeAEfPnHlSMqCHH2PWJEzxGH8bCrIBkwrvQ8A2an0tP37HTi4fyJJbHaBZD4YWSG5iD7RjzkL8a89edyiZNNO7xbgX2CxvvgIhJ0vxYWPn6SSLJpOJaVF_Wt5cRMfXccPKdB5VUXPefEUbOjf4A5xdGZiCSWY8jCU8Rb246SdWlxKipEVcRua0zKNcC51IHxAIZY-Jxp9yTqQm8OvNNqsV1cG_TSovsH9MES7AEMYTDNxRr-QluR6Nvjc7VqN_nG9e4l8f7B7ut_sG-BQWJcbWm0GApISE9c9FzjtNmJAO5eZpGehLuOIHPornnyye2ulc_5XeRxr9QtpAHE9buluRAP_bBPXwB2IpDyP2gnOQhyI64ulu1_QRjq_XKoSCBOFe94XMt7JpoQe_NcvsR-rlaZLC4aQaUaycT-a_n6ly-Uwoh2jSHJ2lzLSZ2pbdqkCws_LEevY2Ola67VvQjWNcS7udQlDNhDZPso8_Abf8Jlm54iNMTiKKClRrM6kFITslzXpqpJ_NBe6q6gUp2JY-qkny1y0xwF4Q7kjXvSJdjGXSYrpR3eT9GZfdFIIHy_GUa8Sbt0tYddobEaqdGHo1rO90.GovMfUQdvTRXvrae4vbQDBApw37BgjXM9fimKMmkfQA ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-288370660 From freeipa-github-notification at redhat.com Wed Mar 22 11:28:24 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 22 Mar 2017 12:28:24 +0100 Subject: [Freeipa-devel] [freeipa PR#633][+ack] Support 8192-bit RSA keys in default cert profile In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/633 Title: #633: Support 8192-bit RSA keys in default cert profile Label: +ack From freeipa-github-notification at redhat.com Wed Mar 22 11:30:14 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 22 Mar 2017 12:30:14 +0100 Subject: [Freeipa-devel] [freeipa PR#633][comment] Support 8192-bit RSA keys in default cert profile In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/633 Title: #633: Support 8192-bit RSA keys in default cert profile tomaskrizek commented: """ master: * 1530758475c2e21dd732581ff6816e03ca74dede Support 8192-bit RSA keys in default cert profile ipa-4-5: * 9118c08455d42f4e7f43370be1a858595a60bc9a Support 8192-bit RSA keys in default cert profile """ See the full comment at https://github.com/freeipa/freeipa/pull/633#issuecomment-288371382 From freeipa-github-notification at redhat.com Wed Mar 22 11:30:17 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 22 Mar 2017 12:30:17 +0100 Subject: [Freeipa-devel] [freeipa PR#633][+pushed] Support 8192-bit RSA keys in default cert profile In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/633 Title: #633: Support 8192-bit RSA keys in default cert profile Label: +pushed From freeipa-github-notification at redhat.com Wed Mar 22 11:30:20 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 22 Mar 2017 12:30:20 +0100 Subject: [Freeipa-devel] [freeipa PR#633][closed] Support 8192-bit RSA keys in default cert profile In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/633 Author: frasertweedale Title: #633: Support 8192-bit RSA keys in default cert profile Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/633/head:pr633 git checkout pr633 From freeipa-github-notification at redhat.com Wed Mar 22 11:35:25 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 22 Mar 2017 12:35:25 +0100 Subject: [Freeipa-devel] [freeipa PR#517][comment] Use Custodia 0.3 features In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/517 Title: #517: Use Custodia 0.3 features tiran commented: """ @MartinBasti How did you get Custodia into the test envs when it is not available in COPR or Fedora repos? """ See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-288372454 From freeipa-github-notification at redhat.com Wed Mar 22 11:37:41 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 22 Mar 2017 12:37:41 +0100 Subject: [Freeipa-devel] [freeipa PR#517][comment] Use Custodia 0.3 features In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/517 Title: #517: Use Custodia 0.3 features MartinBasti commented: """ @tiran I manually installed custodia on my VM from koji. Travis doesn't run replica install tests, which is the primary use case for custodia in FreeIPA, so the Travis result has no weight for this PR """ See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-288372915 From freeipa-github-notification at redhat.com Wed Mar 22 11:37:54 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 22 Mar 2017 12:37:54 +0100 Subject: [Freeipa-devel] [freeipa PR#517][comment] Use Custodia 0.3 features In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/517 Title: #517: Use Custodia 0.3 features tiran commented: """ Please custodia logs (```journalctl -u ipa-custodia``` and ```/var/log/ipa-custodia.audit.log```) from the server. """ See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-288372963 From freeipa-github-notification at redhat.com Wed Mar 22 11:39:36 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 22 Mar 2017 12:39:36 +0100 Subject: [Freeipa-devel] [freeipa PR#517][comment] Use Custodia 0.3 features In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/517 Title: #517: Use Custodia 0.3 features MartinBasti commented: """ ``` [root at vm-058-017 ~]# journalctl -u ipa-custodia -- Logs begin at Wed 2017-03-15 15:56:23 CET, end at Wed 2017-03-22 12:35:17 CET. -- Mar 15 16:20:58 vm-058-017.abc.idm.lab.eng.brq.redhat.com systemd[1]: Started IPA Custodia Service. Mar 15 16:25:39 vm-058-017.abc.idm.lab.eng.brq.redhat.com systemd[1]: Stopping IPA Custodia Service... Mar 15 16:25:39 vm-058-017.abc.idm.lab.eng.brq.redhat.com systemd[1]: Stopped IPA Custodia Service. Mar 22 10:41:43 vm-058-017.abc.idm.lab.eng.brq.redhat.com systemd[1]: Starting IPA Custodia Service... Mar 22 10:41:44 vm-058-017.abc.idm.lab.eng.brq.redhat.com ipa-custodia[49493]: 2017-03-22 10:41:44 - server - Serving on Unix socket /run/httpd/ipa-custodia.sock Mar 22 10:41:44 vm-058-017.abc.idm.lab.eng.brq.redhat.com systemd[1]: Started IPA Custodia Service. lines 1-7/7 (END) ``` Audit file is empty """ See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-288373312 From freeipa-github-notification at redhat.com Wed Mar 22 11:40:12 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 22 Mar 2017 12:40:12 +0100 Subject: [Freeipa-devel] [freeipa PR#517][comment] Use Custodia 0.3 features In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/517 Title: #517: Use Custodia 0.3 features MartinBasti commented: """ custodia-0.3.0-3.fc25.noarch """ See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-288373442 From freeipa-github-notification at redhat.com Wed Mar 22 11:42:23 2017 
From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 22 Mar 2017 12:42:23 +0100 Subject: [Freeipa-devel] [freeipa PR#637][comment] ldap2: use LDAP whoami operation to retrieve bind DN for current connection In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/637 Title: #637: ldap2: use LDAP whoami operation to retrieve bind DN for current connection martbab commented: """ LGTM but lint has some complaints probably related to my in-line comment. """ See the full comment at https://github.com/freeipa/freeipa/pull/637#issuecomment-288373921 From freeipa-github-notification at redhat.com Wed Mar 22 11:50:33 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 22 Mar 2017 12:50:33 +0100 Subject: [Freeipa-devel] [freeipa PR#517][comment] Use Custodia 0.3 features In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/517 Title: #517: Use Custodia 0.3 features MartinBasti commented: """ Replica logs^ Master logs: ``` Mar 21 15:46:03 vm-126.abc.idm.lab.eng.brq.redhat.com systemd[1]: Stopping IPA Custodia Service... Mar 21 15:46:03 vm-126.abc.idm.lab.eng.brq.redhat.com systemd[1]: Stopped IPA Custodia Service. Mar 22 10:18:10 vm-126.abc.idm.lab.eng.brq.redhat.com systemd[1]: Starting IPA Custodia Service... Mar 22 10:18:10 vm-126.abc.idm.lab.eng.brq.redhat.com ipa-custodia[83008]: 2017-03-22 10:18:10 - server - Serving on Unix socket /ru Mar 22 10:18:10 vm-126.abc.idm.lab.eng.brq.redhat.com systemd[1]: Started IPA Custodia Service. Mar 22 10:41:44 vm-126.abc.idm.lab.eng.brq.redhat.com ipa-custodia[83008]: 2017-03-22 10:41:44 - SimpleCredsAuth-[auth:simple] - PASS: '83694' authenticate Mar 22 10:41:44 vm-126.abc.idm.lab.eng.brq.redhat.com ipa-custodia[83008]: 2017-03-22 10:41:44 - SimpleHeaderAuth-[auth:header] - PASS: '83694' authenticate Mar 22 10:41:44 vm-126.abc.idm.lab.eng.brq.redhat.com ipa-custodia[83008]: 2017-03-22 10:41:44 - IPAKEMKeys-[authz:kemkeys] - PASS: '83694' authorized f Mar 22 10:41:44 vm-126.abc.idm.lab.eng.brq.redhat.com ipa-custodia[83008]: 2017-03-22 10:41:44 - Secrets-[/keys] - DENIED: '(null)' requested Mar 22 10:41:44 vm-126.abc.idm.lab.eng.brq.redhat.com ipa-custodia[83008]: 2017-03-22 10:41:44 - server - code 406, message Key name Mar 22 10:41:44 vm-126.abc.idm.lab.eng.brq.redhat.com ipa-custodia[83008]: 127.0.0.1 - - [22/Mar/2017 10:41:44] "GET /keys/ca/caSigningCert%20cert-pki-ca?type ~ ``` audit.log ``` 2017-03-22 10:41:44 - SimpleCredsAuth-[auth:simple] - PASS: '83694' authenticated as '48, 48' 2017-03-22 10:41:44 - SimpleHeaderAuth-[auth:header] - PASS: '83694' authenticated as '(null)' 
2017-03-22 10:41:44 - IPAKEMKeys-[authz:kemkeys] - PASS: '83694' authorized for '/keys' 2017-03-22 10:41:44 - Secrets-[/keys] - DENIED: '(null)' requested key 'ca/caSigningCert%20cert-pki-ca' ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-288375592 From freeipa-github-notification at redhat.com Wed Mar 22 11:50:46 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Wed, 22 Mar 2017 12:50:46 +0100 Subject: [Freeipa-devel] [freeipa PR#637][comment] ldap2: use LDAP whoami operation to retrieve bind DN for current connection In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/637 Title: #637: ldap2: use LDAP whoami operation to retrieve bind DN for current connection pvomacka commented: """ Hi @abbra, thank you for patch, works for me. """ See the full comment at https://github.com/freeipa/freeipa/pull/637#issuecomment-288375637 From freeipa-github-notification at redhat.com Wed Mar 22 11:51:14 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 22 Mar 2017 12:51:14 +0100 Subject: [Freeipa-devel] [freeipa PR#627][synchronized] Add CI helper script invocation to Travis CI In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/627 Author: martbab Title: #627: Add CI helper script invocation to Travis CI Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/627/head:pr627 git checkout pr627 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-627.patch Type: text/x-diff Size: 194191 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 22 12:22:54 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 22 Mar 2017 13:22:54 +0100 Subject: [Freeipa-devel] [freeipa PR#602][comment] configure: Use ODS_USER and NAMED_GROUP in daemons/dnssec/*.service.in In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/602 Title: #602: configure: Use ODS_USER and NAMED_GROUP in daemons/dnssec/*.service.in MartinBasti commented: """ Works for me """ See the full comment at https://github.com/freeipa/freeipa/pull/602#issuecomment-288382385 From freeipa-github-notification at redhat.com Wed Mar 22 12:23:26 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 22 Mar 2017 13:23:26 +0100 Subject: [Freeipa-devel] [freeipa PR#602][+ack] configure: Use ODS_USER and NAMED_GROUP in daemons/dnssec/*.service.in In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/602 Title: #602: configure: Use ODS_USER and NAMED_GROUP in daemons/dnssec/*.service.in Label: +ack From freeipa-github-notification at redhat.com Wed Mar 22 12:35:56 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 22 Mar 2017 13:35:56 +0100 Subject: [Freeipa-devel] [freeipa PR#627][comment] Add CI helper script invocation to Travis CI In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/627 Title: #627: Add CI helper script invocation to Travis CI martbab commented: """ @tomaskrizek I guess Green Travis means we can merge #626 and I can then remove those commits from this PR right? """ See the full comment at https://github.com/freeipa/freeipa/pull/627#issuecomment-288385253 From freeipa-github-notification at redhat.com Wed Mar 22 12:39:47 2017 
From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 22 Mar 2017 13:39:47 +0100 Subject: [Freeipa-devel] [freeipa PR#602][comment] configure: Use ODS_USER and NAMED_GROUP in daemons/dnssec/*.service.in In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/602 Title: #602: configure: Use ODS_USER and NAMED_GROUP in daemons/dnssec/*.service.in martbab commented: """ master: * 44a3e0fe1d168ad87182654976a26e352287b1e0 configure: Use ODS_USER and NAMED_GROUP in daemons/dnssec/*.service.in ipa-4-5: * 57d8a722e3e2fb8ceae8270e1c453901cedd8745 configure: Use ODS_USER and NAMED_GROUP in daemons/dnssec/*.service.in """ See the full comment at https://github.com/freeipa/freeipa/pull/602#issuecomment-288386072 From freeipa-github-notification at redhat.com Wed Mar 22 12:39:50 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 22 Mar 2017 13:39:50 +0100 Subject: [Freeipa-devel] [freeipa PR#602][+pushed] configure: Use ODS_USER and NAMED_GROUP in daemons/dnssec/*.service.in In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/602 Title: #602: configure: Use ODS_USER and NAMED_GROUP in daemons/dnssec/*.service.in Label: +pushed From freeipa-github-notification at redhat.com Wed Mar 22 12:39:53 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 22 Mar 2017 13:39:53 +0100 Subject: [Freeipa-devel] [freeipa PR#602][closed] configure: Use ODS_USER and NAMED_GROUP in daemons/dnssec/*.service.in In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/602 Author: tjaalton Title: #602: configure: Use ODS_USER and NAMED_GROUP in daemons/dnssec/*.service.in Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/602/head:pr602 git checkout pr602 From freeipa-github-notification at redhat.com Wed Mar 22 12:42:52 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 22 Mar 2017 13:42:52 +0100 Subject: [Freeipa-devel] [freeipa PR#626][+pushed] Move helper code for integration plugin In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/626 Title: #626: Move helper code for integration plugin Label: +pushed From freeipa-github-notification at redhat.com Wed Mar 22 12:42:55 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 22 Mar 2017 13:42:55 +0100 Subject: [Freeipa-devel] [freeipa PR#626][comment] Move helper code for integration plugin In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/626 Title: #626: Move helper code for integration plugin tomaskrizek commented: """ master: * dde71ec4a9669a155456a8e8912ed3a0503b8704 Move helper code for integration plugin * 2895e3931d0b4a9e20e1b211ef5a76f79fc73c9d Move config module to ipatests.pytest_plugins.integration.config * 1406dbc8c223ac0894088146bfe2a8ef0688097a Move env_config module to ipatests.pytest_plugins.integration.env_config * 313ae46b573b4cac1075dc1b5bd7294424fabfdb Move tasks module to ipatests.pytest_plugins.integration.tasks * 8867412adc0ffd0cacf555a5c3693e04074fed5b Move hosts module to ipatests.pytest_plugins.integration.hosts * 8aadd55c93a627e88e007d2df864a5fb72fba0a2 Move function run_repeatedly to tasks module * 5587a37e2345de4e76813e00f4b2751d24c618fc Ship ipatests.pytest_plugins.integration * 24161a619049e0fb3b954592f64ee6d561320d2c Move remaining util functions to tasks module ipa-4-5: * 1199416d4e2dd1a653a7c1255e446970412fe1d6 Move helper code for integration plugin * 025a19c3bf2b446de5c9430142e75eac5887fb04 Move config module to ipatests.pytest_plugins.integration.config * e257bbd805b319ed85e5bf8ce6eeac80e7c4139c Move env_config module to ipatests.pytest_plugins.integration.env_config * 321437cc72b38bc055c74f0a4bdf54520afb57aa Move tasks module to ipatests.pytest_plugins.integration.tasks * 6789dac7a09706036dd13555b4ff2ce244551bc6 Move hosts module to ipatests.pytest_plugins.integration.hosts * 4c62c4138c443f78757bd519fad143729af27e53 Move function run_repeatedly to tasks module * 87b60f3cfb5e43fa0c37a09051872b496ad72829 Ship ipatests.pytest_plugins.integration * cd791843da478625f51e98c502b65e186373a9fa Move remaining util functions to tasks module """ See the full comment at 
https://github.com/freeipa/freeipa/pull/626#issuecomment-288386760 From freeipa-github-notification at redhat.com Wed Mar 22 12:42:58 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 22 Mar 2017 13:42:58 +0100 Subject: [Freeipa-devel] [freeipa PR#626][closed] Move helper code for integration plugin In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/626 Author: tiran Title: #626: Move helper code for integration plugin Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/626/head:pr626 git checkout pr626 From freeipa-github-notification at redhat.com Wed Mar 22 12:45:39 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 22 Mar 2017 13:45:39 +0100 Subject: [Freeipa-devel] [freeipa PR#627][comment] Add CI helper script invocation to Travis CI In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/627 Title: #627: Add CI helper script invocation to Travis CI tomaskrizek commented: """ @martbab Exactly, please remove the extra commits. """ See the full comment at https://github.com/freeipa/freeipa/pull/627#issuecomment-288387364 From freeipa-github-notification at redhat.com Wed Mar 22 12:49:57 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 22 Mar 2017 13:49:57 +0100 Subject: [Freeipa-devel] [freeipa PR#620][edited] ipa-replica-install: fix domain level 0 remote LDAP connection In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/620 Author: felipevolpone Title: #620: ipa-replica-install: fix domain level 0 remote LDAP connection Action: edited Changed field: title Original value: """ [WIP] Fixing 6549 """ From freeipa-github-notification at redhat.com Wed Mar 22 12:50:05 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 22 Mar 2017 13:50:05 +0100 Subject: [Freeipa-devel] [freeipa PR#617][synchronized] Allow renaming of sudo rules In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/617 Author: stlaz Title: #617: Allow renaming of sudo rules Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/617/head:pr617 git checkout pr617 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-617.patch Type: text/x-diff Size: 5360 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 22 12:50:24 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 22 Mar 2017 13:50:24 +0100 Subject: [Freeipa-devel] [freeipa PR#620][comment] ipa-replica-install: fix domain level 0 remote LDAP connection In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/620 Title: #620: ipa-replica-install: fix domain level 0 remote LDAP connection MartinBasti commented: """ I updated title to more descriptive one and I'm going to test it """ See the full comment at https://github.com/freeipa/freeipa/pull/620#issuecomment-288388416 From freeipa-github-notification at redhat.com Wed Mar 22 12:54:50 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 22 Mar 2017 13:54:50 +0100 Subject: [Freeipa-devel] [freeipa PR#617][comment] Allow renaming of sudo rules In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/617 Title: #617: Allow renaming of sudo rules stlaz commented: """ Thank you Alexander for your insight. Since this was a hack, I did not want to do it server-wise. I chose a different approach to the problem and reworked the original idea so the rename option is now worked with on server. With this approach, we are able to white-list objects which we think may be allowed renaming even though their primary keys are not in their RDN. Just for the record, the names of sudo rules are still not checked for CN compatibility since their primary key is not part of their DN, but that's how things have been since for ever, I am afraid (you can try `ipa sudorule-add bad,cn=rule`). """ See the full comment at https://github.com/freeipa/freeipa/pull/617#issuecomment-288389417 From freeipa-github-notification at redhat.com Wed Mar 22 12:55:02 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 22 Mar 2017 13:55:02 +0100 Subject: [Freeipa-devel] [freeipa PR#627][synchronized] Add CI helper script invocation to Travis CI In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/627 Author: martbab Title: #627: Add CI helper script invocation to Travis CI Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/627/head:pr627 git checkout pr627 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-627.patch Type: text/x-diff Size: 851 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 22 12:55:35 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 22 Mar 2017 13:55:35 +0100 Subject: [Freeipa-devel] [freeipa PR#617][edited] Allow renaming of sudo and HBAC rules In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/617 Author: stlaz Title: #617: Allow renaming of sudo and HBAC rules Action: edited Changed field: title Original value: """ Allow renaming of sudo rules """ From freeipa-github-notification at redhat.com Wed Mar 22 13:17:03 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 22 Mar 2017 14:17:03 +0100 Subject: [Freeipa-devel] [freeipa PR#627][+ack] Add CI helper script invocation to Travis CI In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/627 Title: #627: Add CI helper script invocation to Travis CI Label: +ack From freeipa-github-notification at redhat.com Wed Mar 22 13:19:41 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 22 Mar 2017 14:19:41 +0100 Subject: [Freeipa-devel] [freeipa PR#627][+pushed] Add CI helper script invocation to Travis CI In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/627 Title: #627: Add CI helper script invocation to Travis CI Label: +pushed From freeipa-github-notification at redhat.com Wed Mar 22 13:19:45 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 22 Mar 2017 14:19:45 +0100 Subject: [Freeipa-devel] [freeipa PR#627][comment] Add CI helper script invocation to Travis CI In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/627 Title: #627: Add CI helper script invocation to Travis CI tomaskrizek commented: """ master: * b6624594bedce75849248469305ae964ce5ea2ef Travis CI: invoke integration test helper scripts before test execution """ See the full comment at https://github.com/freeipa/freeipa/pull/627#issuecomment-288395389 From freeipa-github-notification at redhat.com Wed Mar 22 13:19:46 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 22 Mar 2017 14:19:46 +0100 Subject: [Freeipa-devel] [freeipa PR#627][closed] Add CI helper script invocation to Travis CI In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/627 Author: martbab Title: #627: Add CI helper script invocation to Travis CI Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/627/head:pr627 git checkout pr627 From freeipa-github-notification at redhat.com Wed Mar 22 13:45:35 2017 
From: freeipa-github-notification at redhat.com (abbra)
Date: Wed, 22 Mar 2017 14:45:35 +0100
Subject: [Freeipa-devel] [freeipa PR#638][opened] ipalib/rpc.py: Fix session handling for KEYRING: ccaches
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/638
Author: abbra
Title: #638: ipalib/rpc.py: Fix session handling for KEYRING: ccaches
Action: opened

PR body:
"""
MIT Kerberos allows to store configuration entries in the ccache. Unfortunately, there are big differences between ccache types in how these entries behave:

- MIT Kerberos FILE: ccache code does always append entries, so we end up with ever growing ccache files. In KEYRING: case we are lucky that add_key syscall actually updates the key with the same name.

- MIT Kerberos FILE: and KEYRING: ccache code does not allow to remove cred from ccache. Corresponding functions simply return KRB5_CC_NOSUPP;

As a result, using FILE: ccache type does not allow us to override our session cookie stored as a config entry in the ccache. Successive runs of ipa CLI create new entries in the ccache and only return the original one.

Once we put a cookie in the FILE: ccache, it cannot be removed from there and cannot be replaced. Also, as retrieval code in krb5_cc_get_conf() ends up calling krb5_cc_retrieve_cred() with 0 flags and only has a cred principal name constructed out of our conf key (X-IPA-Session_Cookie), none of the matching logic for "most recent ticket" could be applied.

This commit attempts to improve situation for KEYRING: ccache type by setting the cookie to a predefined 'empty' value when deleting config entry. This avoids non-working 'remove cred' code path in ccache processing in MIT Kerberos.

Additionally, when server side denies our cookie, it sends us empty Negotiate value. We erroneously treat it as an invalid token. We also must use proper method to initialize our connection, SSLTransport.make_connection knows nothing about setting up GSSAPI client context, KrbTransport does.

Unfortunately, with non-removable session cookie the code to initialize session context never triggered properly after expire.

Fixes https://pagure.io/freeipa/issue/6775
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/638/head:pr638
git checkout pr638
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-638.patch
Type: text/x-diff
Size: 5019 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Mar 22 13:45:51 2017
From: freeipa-github-notification at redhat.com (abbra)
Date: Wed, 22 Mar 2017 14:45:51 +0100
Subject: [Freeipa-devel] [freeipa PR#638][comment] ipalib/rpc.py: Fix session handling for KEYRING: ccaches
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/638
Title: #638: ipalib/rpc.py: Fix session handling for KEYRING: ccaches

abbra commented:
"""
Note: this is WIP, please test it against KEYRING: ccaches.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/638#issuecomment-288402486

From abokovoy at redhat.com Wed Mar 22 13:47:17 2017
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 22 Mar 2017 15:47:17 +0200
Subject: [Freeipa-devel] Issues with session caching in Kerberos ccaches
Message-ID: <20170322134717.qdgn7c4c5n3bqgmm@redhat.com>

Hi,

we have a number of issues with session caching in Kerberos ccaches:

- MIT Kerberos FILE: ccache code does always append entries, so we end up with ever growing ccache files. In KEYRING: case we are lucky that add_key syscall actually updates the key with the same name.

- MIT Kerberos FILE: and KEYRING: ccache code does not allow to remove cred from ccache. Corresponding functions simply return KRB5_CC_NOSUPP;

As a result, using FILE: ccache type does not allow us to override our session cookie stored as a config entry in the ccache. Successive runs of ipa CLI create new entries in the ccache:

# strings /tmp/root.cc|grep -A3 krb5_ccache_conf_data
krb5_ccache_conf_data
fast_avail
krbtgt/XS.IPA.COOL at XS.IPA.COOL
XS.IPA.COOL
--
krb5_ccache_conf_data
pa_type
krbtgt/XS.IPA.COOL at XS.IPA.COOL
XS.IPA.COOL
--
krb5_ccache_conf_data
X-IPA-Session-Cookie
admin at XS.IPA.COOL
Xipa_session=MagBearerToken=SIS%2f5GkhScWqWMQtNzbaGLSGYs6vFWQKXxHXLP46cxEOYG9sg5sNRzgfwwlzSxsTbVnOyQ7xiAdfjuvG4m9OJUL4wDRnii7c%2byrqrjgGBWPZ%2bTikH1oEUP6dhqwgMMx%2bEly0aHFekrUWNHrzxLYZlH4UclWTOYZb6DrjNMZItr2inOrhE23cMwNZRig0jE6S&expiry=1490188185818841; Domain=nyx.xs.ipa.cool; Path=/ipa; Expires=Wed, 22 Mar 2017 13:09:45 GMT; Secure; HttpOnly
--
krb5_ccache_conf_data
X-IPA-Session-Cookie
admin at XS.IPA.COOL
Xipa_session=MagBearerToken=SIS%2f5GkhScWqWMQtNzbaGLSGYs6vFWQKXxHXLP46cxEOYG9sg5sNRzgfwwlzSxsTbVnOyQ7xiAdfjuvG4m9OJUL4wDRnii7c%2byrqrjgGBWPZ%2bTikH1oEUP6dhqwgMMx%2bEly0aHFekrUWNHrzxLYZlH4UclWTOYZb6DrjNMZItr2inOrhE23cMwNZRig0jE6S&expiry=1490188233395149; Domain=nyx.xs.ipa.cool; Path=/ipa; Expires=Wed, 22 Mar 2017 13:10:33 GMT; Secure; HttpOnly
--
krb5_ccache_conf_data
X-IPA-Session-Cookie
admin at XS.IPA.COOL
Xipa_session=MagBearerToken=SIS%2f5GkhScWqWMQtNzbaGLSGYs6vFWQKXxHXLP46cxEOYG9sg5sNRzgfwwlzSxsTbVnOyQ7xiAdfjuvG4m9OJUL4wDRnii7c%2byrqrjgGBWPZ%2bTikH1oEUP6dhqwgMMx%2bEly0aHFekrUWNHrzxLYZlH4UclWTOYZb6DrjNMZItr2inOrhE23cMwNZRig0jE6S&expiry=1490188672108356; Domain=nyx.xs.ipa.cool; Path=/ipa; Expires=Wed, 22 Mar 2017 13:17:52 GMT; Secure; HttpOnly

The output above is after three successive runs.

Once we put a cookie in the FILE: ccache, it cannot be removed from there and cannot be replaced. Also, as retrieval code in krb5_cc_get_conf() ends up calling krb5_cc_retrieve_cred() with 0 flags and only has a cred principal name constructed out of our conf key (X-IPA-Session_Cookie), none of the matching logic for "most recent ticket" could be applied.

I have a workaround as https://github.com/freeipa/freeipa/pull/638 that allows to recover in a case we are using KEYRING: ccache type and server denies to accept our cookie -- happens within about 10-15 minutes after last time cookie was used -- but I have no solution for FILE: ccaches.

--
/ Alexander Bokovoy

From freeipa-github-notification at redhat.com Wed Mar 22 13:52:00 2017
From: freeipa-github-notification at redhat.com (abbra)
Date: Wed, 22 Mar 2017 14:52:00 +0100
Subject: [Freeipa-devel] [freeipa PR#637][synchronized] ldap2: use LDAP whoami operation to retrieve bind DN for current connection
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/637
Author: abbra
Title: #637: ldap2: use LDAP whoami operation to retrieve bind DN for current connection
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/637/head:pr637
git checkout pr637
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-637.patch
Type: text/x-diff
Size: 1459 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Mar 22 13:52:41 2017
From: freeipa-github-notification at redhat.com (abbra) Date: Wed, 22 Mar 2017 14:52:41 +0100 Subject: [Freeipa-devel] [freeipa PR#637][comment] ldap2: use LDAP whoami operation to retrieve bind DN for current connection In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/637 Title: #637: ldap2: use LDAP whoami operation to retrieve bind DN for current connection abbra commented: """ Removed try: finally: block, I agree that it is better to propagate error up the stack. """ See the full comment at https://github.com/freeipa/freeipa/pull/637#issuecomment-288404454 From freeipa-github-notification at redhat.com Wed Mar 22 13:57:20 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 22 Mar 2017 14:57:20 +0100 Subject: [Freeipa-devel] [freeipa PR#615][+ack] httpinstance: clean up /etc/httpd/alias on uninstall In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/615 Title: #615: httpinstance: clean up /etc/httpd/alias on uninstall Label: +ack From freeipa-github-notification at redhat.com Wed Mar 22 13:58:39 2017 From: freeipa-github-notification at redhat.com (simo5) Date: Wed, 22 Mar 2017 14:58:39 +0100 Subject: [Freeipa-devel] [freeipa PR#638][comment] ipalib/rpc.py: Fix session handling for KEYRING: ccaches In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/638 Title: #638: ipalib/rpc.py: Fix session handling for KEYRING: ccaches simo5 commented: """ One way to deal with this in the FILE case is to copy the ccache to a tmp file and then rename to the original one. There is a risk of racing and removing a new ticket, but it is low. Luckily this problem should be solved once we have KCM caches ... """ See the full comment at https://github.com/freeipa/freeipa/pull/638#issuecomment-288406237 From freeipa-github-notification at redhat.com Wed Mar 22 13:59:43 2017 
From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 22 Mar 2017 14:59:43 +0100 Subject: [Freeipa-devel] [freeipa PR#615][+pushed] httpinstance: clean up /etc/httpd/alias on uninstall In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/615 Title: #615: httpinstance: clean up /etc/httpd/alias on uninstall Label: +pushed From freeipa-github-notification at redhat.com Wed Mar 22 13:59:46 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 22 Mar 2017 14:59:46 +0100 Subject: [Freeipa-devel] [freeipa PR#615][closed] httpinstance: clean up /etc/httpd/alias on uninstall In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/615 Author: HonzaCholasta Title: #615: httpinstance: clean up /etc/httpd/alias on uninstall Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/615/head:pr615 git checkout pr615 From freeipa-github-notification at redhat.com Wed Mar 22 13:59:47 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 22 Mar 2017 14:59:47 +0100 Subject: [Freeipa-devel] [freeipa PR#615][comment] httpinstance: clean up /etc/httpd/alias on uninstall In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/615 Title: #615: httpinstance: clean up /etc/httpd/alias on uninstall martbab commented: """ ipa-4-5: * cf188c8513c6b36a0724866025ddc220683de8dc certs: do not implicitly create DS pin.txt * f788e3e36bcaefc7d94c92895916246681e64291 httpinstance: clean up /etc/httpd/alias on uninstall master: * bbd18cf10f2e67e5205a3a3bee883272e89c0042 certs: do not implicitly create DS pin.txt * e263cb46cba604421d5ed2e1dbf5dd1d66ce0221 httpinstance: clean up /etc/httpd/alias on uninstall """ See the full comment at https://github.com/freeipa/freeipa/pull/615#issuecomment-288406554 From freeipa-github-notification at redhat.com Wed Mar 22 14:06:51 2017 
From: freeipa-github-notification at redhat.com (abbra) Date: Wed, 22 Mar 2017 15:06:51 +0100 Subject: [Freeipa-devel] [freeipa PR#638][comment] ipalib/rpc.py: Fix session handling for KEYRING: ccaches In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/638 Title: #638: ipalib/rpc.py: Fix session handling for KEYRING: ccaches abbra commented: """ Yes, KCM will work. However, I wonder if we could use a different approach by storing cookie in a fake ticket with a proper lifetime set to the cookie expiration. This would still get multiple entries added for FILE: case but at least will allow us to return most recent one. """ See the full comment at https://github.com/freeipa/freeipa/pull/638#issuecomment-288408872 From freeipa-github-notification at redhat.com Wed Mar 22 14:09:52 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 22 Mar 2017 15:09:52 +0100 Subject: [Freeipa-devel] [freeipa PR#613][comment] Constrain wheel package versions In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/613 Title: #613: Constrain wheel package versions MartinBasti commented: """ Works for me """ See the full comment at https://github.com/freeipa/freeipa/pull/613#issuecomment-288409858 From freeipa-github-notification at redhat.com Wed Mar 22 14:09:58 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 22 Mar 2017 15:09:58 +0100 Subject: [Freeipa-devel] [freeipa PR#613][+ack] Constrain wheel package versions In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/613 Title: #613: Constrain wheel package versions Label: +ack From freeipa-github-notification at redhat.com Wed Mar 22 14:14:41 2017 
From: freeipa-github-notification at redhat.com (abbra) Date: Wed, 22 Mar 2017 15:14:41 +0100 Subject: [Freeipa-devel] [freeipa PR#617][comment] Allow renaming of sudo and HBAC rules In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/617 Title: #617: Allow renaming of sudo and HBAC rules abbra commented: """ I like the idea but please address @HonzaCholasta comments. """ See the full comment at https://github.com/freeipa/freeipa/pull/617#issuecomment-288411495 From freeipa-github-notification at redhat.com Wed Mar 22 14:16:32 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 22 Mar 2017 15:16:32 +0100 Subject: [Freeipa-devel] [freeipa PR#614][+ack] [4.5] Constrain wheel package versions In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/614 Title: #614: [4.5] Constrain wheel package versions Label: +ack From freeipa-github-notification at redhat.com Wed Mar 22 14:17:24 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 22 Mar 2017 15:17:24 +0100 Subject: [Freeipa-devel] [freeipa PR#613][+pushed] Constrain wheel package versions In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/613 Title: #613: Constrain wheel package versions Label: +pushed From freeipa-github-notification at redhat.com Wed Mar 22 14:17:27 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 22 Mar 2017 15:17:27 +0100 Subject: [Freeipa-devel] [freeipa PR#613][comment] Constrain wheel package versions In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/613 Title: #613: Constrain wheel package versions tomaskrizek commented: """ master: * fe17d187f9f2cbac28fe369cbcdd697d85105481 Constrain wheel package versions ipa-4-5: * 7c93a518c8b6fb0e3a85bc1ae0ee807c71168213 Constrain wheel package versions """ See the full comment at https://github.com/freeipa/freeipa/pull/613#issuecomment-288412305 From freeipa-github-notification at redhat.com Wed Mar 22 14:17:30 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 22 Mar 2017 15:17:30 +0100 Subject: [Freeipa-devel] [freeipa PR#613][closed] Constrain wheel package versions In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/613 Author: tiran Title: #613: Constrain wheel package versions Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/613/head:pr613 git checkout pr613 From freeipa-github-notification at redhat.com Wed Mar 22 14:25:43 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 22 Mar 2017 15:25:43 +0100 Subject: [Freeipa-devel] [freeipa PR#614][comment] [4.5] Constrain wheel package versions In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/614 Title: #614: [4.5] Constrain wheel package versions tomaskrizek commented: """ ipatool supports pushing to multiple branches, so there's no need to open multiple PRs if the commits are exactly the same and don't have to be rebased. """ See the full comment at https://github.com/freeipa/freeipa/pull/614#issuecomment-288415017 From freeipa-github-notification at redhat.com Wed Mar 22 14:25:49 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 22 Mar 2017 15:25:49 +0100 Subject: [Freeipa-devel] [freeipa PR#614][comment] [4.5] Constrain wheel package versions In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/614 Title: #614: [4.5] Constrain wheel package versions tomaskrizek commented: """ ipa-4-5: * 7c93a518c8b6fb0e3a85bc1ae0ee807c71168213 Constrain wheel package versions """ See the full comment at https://github.com/freeipa/freeipa/pull/614#issuecomment-288415049 From freeipa-github-notification at redhat.com Wed Mar 22 14:25:56 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 22 Mar 2017 15:25:56 +0100 Subject: [Freeipa-devel] [freeipa PR#614][+pushed] [4.5] Constrain wheel package versions In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/614 Title: #614: [4.5] Constrain wheel package versions Label: +pushed From freeipa-github-notification at redhat.com Wed Mar 22 14:25:59 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 22 Mar 2017 15:25:59 +0100 Subject: [Freeipa-devel] [freeipa PR#614][closed] [4.5] Constrain wheel package versions In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/614 Author: tiran Title: #614: [4.5] Constrain wheel package versions Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/614/head:pr614 git checkout pr614 From freeipa-github-notification at redhat.com Wed Mar 22 14:26:11 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 22 Mar 2017 15:26:11 +0100 Subject: [Freeipa-devel] [freeipa PR#620][comment] ipa-replica-install: fix domain level 0 remote LDAP connection In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/620 Title: #620: ipa-replica-install: fix domain level 0 remote LDAP connection MartinBasti commented: """ You fixed this issue, but uncover more issues, I will open particular tickets. ACK for this fix """ See the full comment at https://github.com/freeipa/freeipa/pull/620#issuecomment-288415166 From freeipa-github-notification at redhat.com Wed Mar 22 14:26:23 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 22 Mar 2017 15:26:23 +0100 Subject: [Freeipa-devel] [freeipa PR#620][+ack] ipa-replica-install: fix domain level 0 remote LDAP connection In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/620 Title: #620: ipa-replica-install: fix domain level 0 remote LDAP connection Label: +ack From freeipa-github-notification at redhat.com Wed Mar 22 14:27:16 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 22 Mar 2017 15:27:16 +0100 Subject: [Freeipa-devel] [freeipa PR#614][comment] [4.5] Constrain wheel package versions In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/614 Title: #614: [4.5] Constrain wheel package versions MartinBasti commented: """ @tomaskrizek make sure that both commits are the same """ See the full comment at https://github.com/freeipa/freeipa/pull/614#issuecomment-288415527 From freeipa-github-notification at redhat.com Wed Mar 22 14:29:52 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 22 Mar 2017 15:29:52 +0100 Subject: [Freeipa-devel] [freeipa PR#614][comment] [4.5] Constrain wheel package versions In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/614 Title: #614: [4.5] Constrain wheel package versions tomaskrizek commented: """ @MartinBasti I checked, they are. """ See the full comment at https://github.com/freeipa/freeipa/pull/614#issuecomment-288416366 From freeipa-github-notification at redhat.com Wed Mar 22 14:32:38 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 22 Mar 2017 15:32:38 +0100 Subject: [Freeipa-devel] [freeipa PR#620][+pushed] ipa-replica-install: fix domain level 0 remote LDAP connection In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/620 Title: #620: ipa-replica-install: fix domain level 0 remote LDAP connection Label: +pushed From freeipa-github-notification at redhat.com Wed Mar 22 14:32:42 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 22 Mar 2017 15:32:42 +0100 Subject: [Freeipa-devel] [freeipa PR#620][comment] ipa-replica-install: fix domain level 0 remote LDAP connection In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/620 Title: #620: ipa-replica-install: fix domain level 0 remote LDAP connection tomaskrizek commented: """ master: * 772d4e3d4e9a2756e6a34e265a1219599688cde3 Fixing replica install: fix ldap connection in domlvl 0 ipa-4-5: * af4531d26ea1082acf17252e7e81cb3cd4b0c12c Fixing replica install: fix ldap connection in domlvl 0 """ See the full comment at https://github.com/freeipa/freeipa/pull/620#issuecomment-288417252 From freeipa-github-notification at redhat.com Wed Mar 22 14:32:45 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 22 Mar 2017 15:32:45 +0100 Subject: [Freeipa-devel] [freeipa PR#620][closed] ipa-replica-install: fix domain level 0 remote LDAP connection In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/620 Author: felipevolpone Title: #620: ipa-replica-install: fix domain level 0 remote LDAP connection Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/620/head:pr620 git checkout pr620 From freeipa-github-notification at redhat.com Wed Mar 22 14:41:26 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 22 Mar 2017 15:41:26 +0100 Subject: [Freeipa-devel] [freeipa PR#622][comment] replica prepare: fix wrong IPA CA nickname in replica file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/622 Title: #622: replica prepare: fix wrong IPA CA nickname in replica file martbab commented: """ I ran into some issues with CA deployment, but they vanished after re-provisioning my test env. Otherwise it works. """ See the full comment at https://github.com/freeipa/freeipa/pull/622#issuecomment-288420027 From freeipa-github-notification at redhat.com Wed Mar 22 14:48:53 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 22 Mar 2017 15:48:53 +0100 Subject: [Freeipa-devel] [freeipa PR#622][+ack] replica prepare: fix wrong IPA CA nickname in replica file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/622 Title: #622: replica prepare: fix wrong IPA CA nickname in replica file Label: +ack From freeipa-github-notification at redhat.com Wed Mar 22 14:57:25 2017 
From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 22 Mar 2017 15:57:25 +0100 Subject: [Freeipa-devel] [freeipa PR#622][+pushed] replica prepare: fix wrong IPA CA nickname in replica file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/622 Title: #622: replica prepare: fix wrong IPA CA nickname in replica file Label: +pushed From freeipa-github-notification at redhat.com Wed Mar 22 14:57:28 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 22 Mar 2017 15:57:28 +0100 Subject: [Freeipa-devel] [freeipa PR#622][closed] replica prepare: fix wrong IPA CA nickname in replica file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/622 Author: HonzaCholasta Title: #622: replica prepare: fix wrong IPA CA nickname in replica file Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/622/head:pr622 git checkout pr622 From freeipa-github-notification at redhat.com Wed Mar 22 14:57:31 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 22 Mar 2017 15:57:31 +0100 Subject: [Freeipa-devel] [freeipa PR#622][comment] replica prepare: fix wrong IPA CA nickname in replica file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/622 Title: #622: replica prepare: fix wrong IPA CA nickname in replica file martbab commented: """ master: * 9939aa53630a9c6a66e83140e64ec56539891c13 replica prepare: fix wrong IPA CA nickname in replica file ipa-4-5: * df60e88e1bca6efd5ebf2a88e7825a5fd2631f08 replica prepare: fix wrong IPA CA nickname in replica file """ See the full comment at https://github.com/freeipa/freeipa/pull/622#issuecomment-288425325 From freeipa-github-notification at redhat.com Wed Mar 22 15:47:43 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 22 Mar 2017 16:47:43 +0100 Subject: [Freeipa-devel] [freeipa PR#607][comment] Backup ipa-specific httpd unit-file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/607 Title: #607: Backup ipa-specific httpd unit-file MartinBasti commented: """
After restore I cannot connect to webUI
```
[Wed Mar 22 16:43:48.779900 2017] [wsgi:error] [pid 100377] [remote 2620:52:0:2280:206a:7885:fe7b:1356:184] mod_wsgi (pid=100377): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Wed Mar 22 16:43:48.780002 2017] [wsgi:error] [pid 100377] [remote 2620:52:0:2280:206a:7885:fe7b:1356:184] Traceback (most recent call last):
[Wed Mar 22 16:43:48.780059 2017] [wsgi:error] [pid 100377] [remote 2620:52:0:2280:206a:7885:fe7b:1356:184] File "/usr/share/ipa/wsgi.py", line 51, in application
[Wed Mar 22 16:43:48.780592 2017] [wsgi:error] [pid 100377] [remote 2620:52:0:2280:206a:7885:fe7b:1356:184] return api.Backend.wsgi_dispatch(environ, start_response)
[Wed Mar 22 16:43:48.780618 2017] [wsgi:error] [pid 100377] [remote 2620:52:0:2280:206a:7885:fe7b:1356:184] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 262, in __call__
[Wed Mar 22 16:43:48.781029 2017] [wsgi:error] [pid 100377] [remote 2620:52:0:2280:206a:7885:fe7b:1356:184] return self.route(environ, start_response)
[Wed Mar 22 16:43:48.781050 2017] [wsgi:error] [pid 100377] [remote 2620:52:0:2280:206a:7885:fe7b:1356:184] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 274, in route
[Wed Mar 22 16:43:48.781086 2017] [wsgi:error] [pid 100377] [remote 2620:52:0:2280:206a:7885:fe7b:1356:184] return app(environ, start_response)
[Wed Mar 22 16:43:48.781110 2017] [wsgi:error] [pid 100377] [remote 2620:52:0:2280:206a:7885:fe7b:1356:184] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 913, in __call__
[Wed Mar 22 16:43:48.781146 2017] [wsgi:error] [pid 100377] [remote 2620:52:0:2280:206a:7885:fe7b:1356:184] self.kinit(user_principal, password, ipa_ccache_name)
[Wed Mar 22 16:43:48.781162 2017] [wsgi:error] [pid 100377] [remote 2620:52:0:2280:206a:7885:fe7b:1356:184] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 947, in kinit
[Wed Mar 22 16:43:48.781180 2017] [wsgi:error] [pid 100377] [remote 2620:52:0:2280:206a:7885:fe7b:1356:184] kinit_armor(armor_path)
[Wed Mar 22 16:43:48.781215 2017] [wsgi:error] [pid 100377] [remote 2620:52:0:2280:206a:7885:fe7b:1356:184] File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 125, in kinit_armor
[Wed Mar 22 16:43:48.781306 2017] [wsgi:error] [pid 100377] [remote 2620:52:0:2280:206a:7885:fe7b:1356:184] run(args, env=env, raiseonerr=True, capture_error=True)
[Wed Mar 22 16:43:48.781331 2017] [wsgi:error] [pid 100377] [remote 2620:52:0:2280:206a:7885:fe7b:1356:184] File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 495, in run
[Wed Mar 22 16:43:48.781788 2017] [wsgi:error] [pid 100377] [remote 2620:52:0:2280:206a:7885:fe7b:1356:184] raise CalledProcessError(p.returncode, arg_string, str(output))
[Wed Mar 22 16:43:48.781873 2017] [wsgi:error] [pid 100377] [remote 2620:52:0:2280:206a:7885:fe7b:1356:184] CalledProcessError: Command '/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_100377' returned non-zero exit status 1
```
KDC log
```
Mar 22 16:43:48 vm-126.abc.idm.lab.eng.brq.redhat.com krb5kdc[100354](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.34.78.126: ISSUE: authtime 1490197428, etypes {rep=18 tkt=18 ses=18}, WELLKNOWN/ANONYMOUS at ABC.IDM.LAB.ENG.BRQ.REDHAT.COM for krbtgt/ABC.IDM.LAB.ENG.BRQ.REDHAT.COM at ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
Mar 22 16:43:48 vm-126.abc.idm.lab.eng.brq.redhat.com krb5kdc[100354](info): closing down fd 11
Mar 22 16:43:48 vm-126.abc.idm.lab.eng.brq.redhat.com krb5kdc[100357](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.34.78.126: NEEDED_PREAUTH: WELLKNOWN/ANONYMOUS at ABC.IDM.LAB.ENG.BRQ.REDHAT.COM for krbtgt/ABC.IDM.LAB.ENG.BRQ.REDHAT.COM at ABC.IDM.LAB.ENG.BRQ.REDHAT.COM, Additional pre-authentication required
Mar 22 16:43:48 vm-126.abc.idm.lab.eng.brq.redhat.com krb5kdc[100357](info): closing down fd 11
```
""" See the full comment at https://github.com/freeipa/freeipa/pull/607#issuecomment-288442807 From freeipa-github-notification at redhat.com Wed Mar 22 15:49:22 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 22 Mar 2017 16:49:22 +0100 Subject: [Freeipa-devel] [freeipa PR#607][comment] Backup ipa-specific httpd unit-file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/607 Title: #607: Backup ipa-specific httpd unit-file MartinBasti commented: """ However it fixed issue listed in ticket, so this can be resolved in separate PR. """ See the full comment at https://github.com/freeipa/freeipa/pull/607#issuecomment-288443377 From freeipa-github-notification at redhat.com Wed Mar 22 15:49:28 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 22 Mar 2017 16:49:28 +0100 Subject: [Freeipa-devel] [freeipa PR#607][+ack] Backup ipa-specific httpd unit-file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/607 Title: #607: Backup ipa-specific httpd unit-file Label: +ack From freeipa-github-notification at redhat.com Wed Mar 22 15:49:36 2017
From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 22 Mar 2017 16:49:36 +0100 Subject: [Freeipa-devel] [freeipa PR#517][comment] Use Custodia 0.3 features In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/517 Title: #517: Use Custodia 0.3 features tiran commented: """ Full error message: ```code 406, message Key name ca/caSigningCert%20cert-pki-ca does not match subject ca/caSigningCert cert-pki-ca``` Custodia issue https://github.com/latchset/custodia/issues/135 """ See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-288443491 From freeipa-github-notification at redhat.com Wed Mar 22 16:07:38 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 22 Mar 2017 17:07:38 +0100 Subject: [Freeipa-devel] [freeipa PR#619][comment] pytest 3.x compatibility In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/619 Title: #619: pytest 3.x compatibility MartinBasti commented: """ LGTM """ See the full comment at https://github.com/freeipa/freeipa/pull/619#issuecomment-288449915 From freeipa-github-notification at redhat.com Wed Mar 22 16:18:54 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 22 Mar 2017 17:18:54 +0100 Subject: [Freeipa-devel] [freeipa PR#637][+ack] ldap2: use LDAP whoami operation to retrieve bind DN for current connection In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/637 Title: #637: ldap2: use LDAP whoami operation to retrieve bind DN for current connection Label: +ack From freeipa-github-notification at redhat.com Wed Mar 22 16:19:51 2017 
From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 22 Mar 2017 17:19:51 +0100 Subject: [Freeipa-devel] [freeipa PR#637][+pushed] ldap2: use LDAP whoami operation to retrieve bind DN for current connection In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/637 Title: #637: ldap2: use LDAP whoami operation to retrieve bind DN for current connection Label: +pushed From freeipa-github-notification at redhat.com Wed Mar 22 16:19:54 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 22 Mar 2017 17:19:54 +0100 Subject: [Freeipa-devel] [freeipa PR#637][comment] ldap2: use LDAP whoami operation to retrieve bind DN for current connection In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/637 Title: #637: ldap2: use LDAP whoami operation to retrieve bind DN for current connection martbab commented: """ ipa-4-5: * 7d48fb841a23e9f036f3d449d80623d1225c820a ldap2: use LDAP whoami operation to retrieve bind DN for current connection master: * 7324451834ec03786fda947679f750fe2a72f29c ldap2: use LDAP whoami operation to retrieve bind DN for current connection """ See the full comment at https://github.com/freeipa/freeipa/pull/637#issuecomment-288453968 From freeipa-github-notification at redhat.com Wed Mar 22 16:19:57 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 22 Mar 2017 17:19:57 +0100 Subject: [Freeipa-devel] [freeipa PR#637][closed] ldap2: use LDAP whoami operation to retrieve bind DN for current connection In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/637 Author: abbra Title: #637: ldap2: use LDAP whoami operation to retrieve bind DN for current connection Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/637/head:pr637 git checkout pr637 From freeipa-github-notification at redhat.com Wed Mar 22 16:22:20 2017 
From: freeipa-github-notification at redhat.com (pvomacka) Date: Wed, 22 Mar 2017 17:22:20 +0100 Subject: [Freeipa-devel] [freeipa PR#639][opened] WebUI: Login for AD Users Message-ID: URL: https://github.com/freeipa/freeipa/pull/639 Author: pvomacka Title: #639: WebUI: Login for AD Users Action: opened PR body: """ Allows login as AD user. AD Users has its own menu specification as there is visible only its profile and list of active IPA users. https://pagure.io/freeipa/issue/3242 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/639/head:pr639 git checkout pr639 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-639.patch Type: text/x-diff Size: 16284 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 22 16:37:02 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 22 Mar 2017 17:37:02 +0100 Subject: [Freeipa-devel] [freeipa PR#640][opened] Master replica dl0 Message-ID: URL: https://github.com/freeipa/freeipa/pull/640 Author: stlaz Title: #640: Master replica dl0 Action: opened PR body: """ This patchset removes the ability of setting pkinit options on domain level 0 for server/replica installs. Also fixes a usability issue with `--no-pkinit` I noticed and did not care creating ticket for. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/640/head:pr640 git checkout pr640 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-640.patch Type: text/x-diff Size: 3310 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 22 16:37:20 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 22 Mar 2017 17:37:20 +0100 Subject: [Freeipa-devel] [freeipa PR#640][edited] Remove pkinit options from master/replica on DL0 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/640 Author: stlaz Title: #640: Remove pkinit options from master/replica on DL0 Action: edited Changed field: title Original value: """ Master replica dl0 """ From freeipa-github-notification at redhat.com Wed Mar 22 16:45:11 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 22 Mar 2017 17:45:11 +0100 Subject: [Freeipa-devel] [freeipa PR#641][opened] Set "KDC:Disable Last Success" by default Message-ID: URL: https://github.com/freeipa/freeipa/pull/641 Author: MartinBasti Title: #641: Set "KDC:Disable Last Success" by default Action: opened PR body: """ In big deployments enabled recording of the last successful login this creates a huge changelog on DS side and causes performance issues even if this is excluded from replication. Actually this is not used directly by FreeIPA so it is safe to remove in new installations. Users who need this must manually remove "KDC:Disable Last Success" using `ipa config-mod` command or WebUI. https://pagure.io/freeipa/issue/5313 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/641/head:pr641 git checkout pr641 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-641.patch Type: text/x-diff Size: 1282 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 22 16:47:19 2017
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 22 Mar 2017 17:47:19 +0100 Subject: [Freeipa-devel] [freeipa PR#641][synchronized] Set "KDC:Disable Last Success" by default In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/641 Author: MartinBasti Title: #641: Set "KDC:Disable Last Success" by default Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/641/head:pr641 git checkout pr641 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-641.patch Type: text/x-diff Size: 1272 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 22 16:49:54 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Wed, 22 Mar 2017 17:49:54 +0100 Subject: [Freeipa-devel] [freeipa PR#639][synchronized] WebUI: Login for AD Users In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/639 Author: pvomacka Title: #639: WebUI: Login for AD Users Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/639/head:pr639 git checkout pr639 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-639.patch Type: text/x-diff Size: 16469 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 22 16:58:16 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 22 Mar 2017 17:58:16 +0100 Subject: [Freeipa-devel] [freeipa PR#642][opened] [4.4] Bump python-dns to improve processing of non-complete resolv.conf Message-ID: URL: https://github.com/freeipa/freeipa/pull/642 Author: MartinBasti Title: #642: [4.4] Bump python-dns to improve processing of non-complete resolv.conf Action: opened PR body: """ With missing IP address for nameserver older python-dns raises an IndexError. python-dns >= 1.13 just ignores broken line https://pagure.io/freeipa/issue/6070 JFTR: 4.5+ already depends on python-dns 1.15 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/642/head:pr642 git checkout pr642 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-642.patch Type: text/x-diff Size: 1822 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 22 20:14:37 2017 From: freeipa-github-notification at redhat.com (LiptonB) Date: Wed, 22 Mar 2017 21:14:37 +0100 Subject: [Freeipa-devel] [freeipa PR#542][synchronized] Implementation independent interface for CSR generation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/542 Author: LiptonB Title: #542: Implementation independent interface for CSR generation Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/542/head:pr542 git checkout pr542 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-542.patch Type: text/x-diff Size: 56083 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 22 23:18:22 2017
From: freeipa-github-notification at redhat.com (LiptonB) Date: Thu, 23 Mar 2017 00:18:22 +0100 Subject: [Freeipa-devel] [freeipa PR#542][comment] Implementation independent interface for CSR generation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/542 Title: #542: Implementation independent interface for CSR generation LiptonB commented: """ Thanks for the clarification, @HonzaCholasta. (And for the timely intervention in #579 to make it actually invisible). A new version is pushed, which uses CFFI and the unmodified openssl config format, and removes the `helper` abstraction as requested. NSS support is still broken for now, I haven't had a chance to look into the change you suggested. Let me know what you think. """ See the full comment at https://github.com/freeipa/freeipa/pull/542#issuecomment-288569409 From freeipa-github-notification at redhat.com Thu Mar 23 08:20:47 2017
From: freeipa-github-notification at redhat.com (dkupka) Date: Thu, 23 Mar 2017 09:20:47 +0100 Subject: [Freeipa-devel] [freeipa PR#643][opened] [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work Message-ID: URL: https://github.com/freeipa/freeipa/pull/643 Author: dkupka Title: #643: [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work Action: opened PR body: """ gssproxy >= 0.7.0-2 - fixes impersonator checking mod_lookup_identity >= 0.9.9 - adds support for single certificate assigned to multiple users mod_nss >= 1.0.14-3 - no longer sets remote user in fixup hook sssd-dbus >= 1.15.2 - adds FindByNameAndCertificate DBus method https://pagure.io/freeipa/issue/6225 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/643/head:pr643 git checkout pr643 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-643.patch Type: text/x-diff Size: 1538 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 23 08:30:05 2017 From: freeipa-github-notification at redhat.com (dkupka) Date: Thu, 23 Mar 2017 09:30:05 +0100 Subject: [Freeipa-devel] [freeipa PR#643][synchronized] [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/643 Author: dkupka Title: #643: [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/643/head:pr643 git checkout pr643 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-643.patch Type: text/x-diff Size: 1692 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 23 08:47:44 2017 
From: freeipa-github-notification at redhat.com (dkupka) Date: Thu, 23 Mar 2017 09:47:44 +0100 Subject: [Freeipa-devel] [freeipa PR#643][synchronized] [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/643 Author: dkupka Title: #643: [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/643/head:pr643 git checkout pr643 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-643.patch Type: text/x-diff Size: 1701 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 23 08:49:39 2017 From: freeipa-github-notification at redhat.com (dkupka) Date: Thu, 23 Mar 2017 09:49:39 +0100 Subject: [Freeipa-devel] [freeipa PR#643][synchronized] [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/643 Author: dkupka Title: #643: [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/643/head:pr643 git checkout pr643 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-643.patch Type: text/x-diff Size: 1742 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 23 08:55:24 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 23 Mar 2017 09:55:24 +0100 Subject: [Freeipa-devel] [freeipa PR#642][+ack] [4.4] Bump python-dns to improve processing of non-complete resolv.conf In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/642 Title: #642: [4.4] Bump python-dns to improve processing of non-complete resolv.conf Label: +ack From freeipa-github-notification at redhat.com Thu Mar 23 08:59:05 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 23 Mar 2017 09:59:05 +0100 Subject: [Freeipa-devel] [freeipa PR#642][comment] [4.4] Bump python-dns to improve processing of non-complete resolv.conf In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/642 Title: #642: [4.4] Bump python-dns to improve processing of non-complete resolv.conf tomaskrizek commented: """ ipa-4-4: * 951d27ecc591a71c4a1297623b6920136c01bb4b Bump python-dns to improve processing of non-complete resolv.conf """ See the full comment at https://github.com/freeipa/freeipa/pull/642#issuecomment-288655781 From freeipa-github-notification at redhat.com Thu Mar 23 08:59:08 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 23 Mar 2017 09:59:08 +0100 Subject: [Freeipa-devel] [freeipa PR#642][+pushed] [4.4] Bump python-dns to improve processing of non-complete resolv.conf In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/642 Title: #642: [4.4] Bump python-dns to improve processing of non-complete resolv.conf Label: +pushed From freeipa-github-notification at redhat.com Thu Mar 23 08:59:11 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 23 Mar 2017 09:59:11 +0100 Subject: [Freeipa-devel] [freeipa PR#642][closed] [4.4] Bump python-dns to improve processing of non-complete resolv.conf In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/642 Author: MartinBasti Title: #642: [4.4] Bump python-dns to improve processing of non-complete resolv.conf Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/642/head:pr642 git checkout pr642 From freeipa-github-notification at redhat.com Thu Mar 23 09:14:02 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 23 Mar 2017 10:14:02 +0100 Subject: [Freeipa-devel] [freeipa PR#607][comment] Backup ipa-specific httpd unit-file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/607 Title: #607: Backup ipa-specific httpd unit-file tomaskrizek commented: """ master: * 2612c092dd797c9c8f772c785aae1f152f06847d Backup ipa-specific httpd unit-file ipa-4-5: * 59342a7f6fffe2aaf0b8ce4e10bb41444d8fa25f Backup ipa-specific httpd unit-file """ See the full comment at https://github.com/freeipa/freeipa/pull/607#issuecomment-288659254 From freeipa-github-notification at redhat.com Thu Mar 23 09:14:06 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 23 Mar 2017 10:14:06 +0100 Subject: [Freeipa-devel] [freeipa PR#607][+pushed] Backup ipa-specific httpd unit-file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/607 Title: #607: Backup ipa-specific httpd unit-file Label: +pushed From freeipa-github-notification at redhat.com Thu Mar 23 09:14:09 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 23 Mar 2017 10:14:09 +0100 Subject: [Freeipa-devel] [freeipa PR#607][closed] Backup ipa-specific httpd unit-file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/607 Author: stlaz Title: #607: Backup ipa-specific httpd unit-file Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/607/head:pr607 git checkout pr607 From freeipa-github-notification at redhat.com Thu Mar 23 09:35:02 2017 
From: freeipa-github-notification at redhat.com (sumit-bose) Date: Thu, 23 Mar 2017 10:35:02 +0100 Subject: [Freeipa-devel] [freeipa PR#644][opened] extdom: improve certificate request Message-ID: URL: https://github.com/freeipa/freeipa/pull/644 Author: sumit-bose Title: #644: extdom: improve certificate request Action: opened PR body: """ Certificates can be assigned to multiple users so the extdom plugin must use sss_nss_getlistbycert() instead of sss_nss_getnamebycert() and return a list of fully-qualified user names. Due to issues on the SSSD side the current version of lookups by certificates didn't work at all and the changes here won't break existing clients. Related to https://pagure.io/freeipa/issue/6646 Since I used the reverse lookup for the domain separator in patch I added a second patch which does this where needed in the remainder of the code as well to be consistent. Although using @-signs in short names is not common practice it might happen as can be seen in https://pagure.io/SSSD/sssd/issue/3219. The sss_nss_getlistbycert() call is added to SSSD in https://github.com/SSSD/sssd/pull/207. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/644/head:pr644 git checkout pr644 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-644.patch Type: text/x-diff Size: 10256 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 23 09:36:38 2017
From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 23 Mar 2017 10:36:38 +0100 Subject: [Freeipa-devel] [freeipa PR#617][comment] Allow renaming of sudo and HBAC rules In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/617 Title: #617: Allow renaming of sudo and HBAC rules stlaz commented: """ For the record, and I might be wrong, I did a bit of researching, the `rdn_is_primary_key` is actually misused in some cases, as RDN is the primary key for e.g. `pwpolicy` and `idrange` but these have this attribute set to `False`. I believe in the above cases, `rdn_is_primary_key` might have been used this way just so that those objects do not show the `rename` (they are not allowed to change the primary key anyway). I thought we won't need `allow_rename` at all in the end but for these cases we will probably need to keep it. """ See the full comment at https://github.com/freeipa/freeipa/pull/617#issuecomment-288664689 From freeipa-github-notification at redhat.com Thu Mar 23 10:05:25 2017 From: freeipa-github-notification at redhat.com (abbra) Date: Thu, 23 Mar 2017 11:05:25 +0100 Subject: [Freeipa-devel] [freeipa PR#644][comment] extdom: improve certificate request In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/644 Title: #644: extdom: improve certificate request abbra commented: """ LGTM. I read the code but since SSSD counterpart is currently on review, travis fails the build. """ See the full comment at https://github.com/freeipa/freeipa/pull/644#issuecomment-288671714 From freeipa-github-notification at redhat.com Thu Mar 23 11:10:18 2017 
From: freeipa-github-notification at redhat.com (abbra) Date: Thu, 23 Mar 2017 12:10:18 +0100 Subject: [Freeipa-devel] [freeipa PR#575][comment] IPA certauth plugin In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/575 Title: #575: IPA certauth plugin abbra commented: """ The code LGTM. Once updated SSSD is added to freeipa-master copr, let's see what CI says. Authentication indicators' handling would need to be added in a separate PR once certmap rules would provide the indicator value. """ See the full comment at https://github.com/freeipa/freeipa/pull/575#issuecomment-288686687 From freeipa-github-notification at redhat.com Thu Mar 23 12:32:52 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 23 Mar 2017 13:32:52 +0100 Subject: [Freeipa-devel] [freeipa PR#617][synchronized] Allow renaming of sudo and HBAC rules In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/617 Author: stlaz Title: #617: Allow renaming of sudo and HBAC rules Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/617/head:pr617 git checkout pr617 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-617.patch Type: text/x-diff Size: 14886 bytes Desc: not available URL: From mbabinsk at redhat.com Thu Mar 23 12:33:24 2017 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Thu, 23 Mar 2017 13:33:24 +0100 Subject: [Freeipa-devel] PKINIT Handling in mixed/CA-less topologies Message-ID: <20170323123323.GB4278@dhcp129-180.brq.redhat.com>

Hi List,

TL;DR we have to handle FAST channel establishment when KDC is not issued PKINIT keypair

I have spent some time studying and fixing bugs/regressions caused by incomplete consideration of PKINIT and anonymous principal setup regarding to

* replicas stood up against old (3.0.0) masters
* domain level 0 topologies
* CA-less deployments

I want to discuss the impact of these findings on existing functionality and how to fix them so that 4.5.1 release will be more usable and free of subtle but serious bugs (more on this later).

From conversation from Alexander and Simo it follows that anonymous PKINIT feature is supposed to be used in domain level 1 deployments because only these guarantee the presence of the features (CA ACLs and custom certificate profiles) which allow for issuing certificates suitable for PKINIT authentication. This leads to the following considerations:

* on DL0 enforce no_pkinit on server/replica deployments
* during upgrade of DL0 deployments, do not issue PKINIT certificates
* during upgrade of DL1 deployments issue PKINIT certs
* extend ipa-server-certinstall to install/issue PKINIT certificates after DL0/DL1 upgrade (have to be manually).

However, I found out that the only case when anonymous PKINIT actually works is for fresh DL1 server install and upgrade and install of 4.5.0 replica against 4.5.0 master in DL1. The following use-cases either fail to install or leave the system with unusable password auth (e.g. WebUI login):

* setting up 4.5 replica against <4.5 master fails during anonymous principal setup[1] (ticket states domain level 0, but DL1 is also affected)
* setting up server-replica with `no_pkinit` option (CA-full or CA-less) leaves the installation without non-working WebUI as anonymous PKINIT does not work (ticket incoming)
* If we restrict DL0 installs to force no_pkinit[2] we will be left with whole topologies where anonymous PKINIT does not work, so no WebUI auth for them

We now have to decide how to properly support or avoid non-PKINIT deployments. The current code which handles armoring of password auth requests[3] does not actually work without PKINIT certificates, the fallback mechanism still fails to obtain armor ccache[4].

I have concluded that for non-PKINIT cases we have to use the old way to armor TGT request (i.e. establish fast channel by kinit as service principal), but this means that the framework has to use a service principal whose keytab it can read and use. After privilege separation, however, we do not have direct access to HTTP keytab so how should we proceed in this case?

We definitely need to discuss this further. Please state your suggestions and comments, and sorry for the long mail.

[1] https://pagure.io/freeipa/issue/6799
[2] https://github.com/freeipa/freeipa/pull/640
[3] https://github.com/freeipa/freeipa/blob/master/ipalib/install/kinit.py#L100
[4] https://paste.fedoraproject.org/paste/AcM6ymNxg~pipF~1ZIfbdF5M1UNdIGYhyRLivL9gydE=/

-- Martin Babinsky

From freeipa-github-notification at redhat.com Thu Mar 23 12:37:59 2017
From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 23 Mar 2017 13:37:59 +0100 Subject: [Freeipa-devel] [freeipa PR#617][comment] Allow renaming of sudo and HBAC rules In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/617 Title: #617: Allow renaming of sudo and HBAC rules stlaz commented: """ The latest patch removes the `rdn_is_private_key` attribute, replaces it with `allow_rename` which actually says correctly what's happening. Also, the decision whether primary key is in RDN is decided on checking whether the primary key is in RDN rather than on anything else. Also added a comment explaining that the `modrdn` operation is performed also when `setattr` is doing changes to the primary key + RDN because it was far from obvious in the code. """ See the full comment at https://github.com/freeipa/freeipa/pull/617#issuecomment-288705598 From freeipa-github-notification at redhat.com Thu Mar 23 12:43:36 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Thu, 23 Mar 2017 13:43:36 +0100 Subject: [Freeipa-devel] [freeipa PR#639][synchronized] WebUI: Login for AD Users In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/639 Author: pvomacka Title: #639: WebUI: Login for AD Users Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/639/head:pr639 git checkout pr639 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-639.patch Type: text/x-diff Size: 18028 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 23 13:06:43 2017 
From: freeipa-github-notification at redhat.com (dkupka) Date: Thu, 23 Mar 2017 14:06:43 +0100 Subject: [Freeipa-devel] [freeipa PR#645][opened] Create temporaty directories at the begining of uninstall Message-ID: URL: https://github.com/freeipa/freeipa/pull/645 Author: dkupka Title: #645: Create temporaty directories at the begining of uninstall Action: opened PR body: """ Since commit 38c6689 temporary directories are no longer created at package install time. Instead they're created at server install time. Some steps in uninstall also assume that temporary directories exist. Creating the directories in the beginning of server uninstall ensures that the uninstall will go through. https://pagure.io/freeipa/issue/6715 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/645/head:pr645 git checkout pr645 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-645.patch Type: text/x-diff Size: 1160 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 23 14:02:10 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 23 Mar 2017 15:02:10 +0100 Subject: [Freeipa-devel] [freeipa PR#634][comment] cert: do not limit internal searches in cert-find In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/634 Title: #634: cert: do not limit internal searches in cert-find stlaz commented: """ Works for me. """ See the full comment at https://github.com/freeipa/freeipa/pull/634#issuecomment-288728368 From freeipa-github-notification at redhat.com Thu Mar 23 14:02:15 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 23 Mar 2017 15:02:15 +0100 Subject: [Freeipa-devel] [freeipa PR#634][+ack] cert: do not limit internal searches in cert-find In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/634 Title: #634: cert: do not limit internal searches in cert-find Label: +ack From abokovoy at redhat.com Thu Mar 23 14:08:00 2017 
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 23 Mar 2017 16:08:00 +0200
Subject: [Freeipa-devel] PKINIT Handling in mixed/CA-less topologies
In-Reply-To: <20170323123323.GB4278@dhcp129-180.brq.redhat.com>
References: <20170323123323.GB4278@dhcp129-180.brq.redhat.com>
Message-ID: <20170323140800.5fjdhztnkr576u2c@redhat.com>

On to, 23 maalis 2017, Martin Babinsky wrote:
>Hi List,
>
>TL;DR we have to handle FAST channel establishment when KDC is not issued
>PKINIT keypair
>
>I have spent some time studying and fixing bugs/regressions caused by
>incomplete consideration of PKINIT and anonymous principal setup regarding to
>
>* replicas standed up against old (3.0.0) masters
>* domain level 0 topologies
>* CA-less deployments
>
>I want to discuss the impact of these findings on existing functionality and
>how to fix them so that 4.5.1 release will be more usable and free of subtle
>but serious bugs (more on this later).
>
>From conversation from Alexander and Simo it follows that anonymous PKINIT
>feature is supposed to be used in domain level 1 deployments because only these
>guarantee the presence of the features (CA ACLs and custom certificate
>profiles) which allow for issuing certificates suitable for PKINIT
>authentication. This leads to the following considerations:
>
>* on DL0 enforce no_pkinit on server/replica deployments
>* during upgrade of DL0 deployments, do not issue PKINIT certificates
>* during upgrade of DL1 deployments issue PKINIT certs
>* extend ipa-server-certinstall to install/issue PKINIT certificates after
>  DL0/DL1 upgrade (have to be manually).
>
>However, I found out that the only case when anonymous PKINIT actually works is
>for fresh DL1 server install and upgrade and install of 4.5.0 replica against
>4.5.0 master in DL1. The following use-cases either fail to install or leave
>the system with unusable password auth (e.g. WebUI login):
>
>* setting up 4.5 replica against <4.5 master fails during anonymous
>  principal setup[1] (ticket states domain level 0, but DL1 is also
>  affected)
>* setting up server-replica with `no_pkinit` option (CA-full or CA-less)
>  leaves the installation without non-working WebUI as anonymous PKINIT does
>  not work (ticket incoming)
>* If we restrict DL0 installs to force no_pkinit[2] we will be left with
>  whole topologies where anonymous PKINIT does not work, so no WebUI auth
>  for them
>
>We now have to decide how to properly support or avoid non-PKINIT deployments.
>The current code which handles armoring of password auth requests[3] does not
>actually work without PKINIT certificates, the fallback mechanism still fails
>to obtain armor ccache[4].
>
>I have concluded that for non-PKINIT cases we have
>to use the old way to armor TGT request (i.e. establish fast channel by
>kinit as service principal), but this means that the framework has to use a
>service principal whose keytab it can read and use. After privilege separation,
>however, we do not have direct access to HTTP keytab so how should we proceed
>in this case? We definitely need to discuss this further.
>
>Please state your suggestions and comments, and sorry for the long mail.

Thanks, Martin, for the thorough analysis.

I need to clarify *why* we need working Anonymous PKINIT. There are two
separate needs here:

 - Enable clients with no access to a separate key to be usable for 2FA
   accounts. This can be best explained as to support Kerberos auth from
   non-enrolled machines or machines where no SSSD is in use. In such
   cases we cannot use another credentials to create FAST channel and
   pass 2FA creds with kinit.

 - Enable IPA framework to perform password-based login for 2FA. With
   privilege separation we don't have access to HTTP/... principal's
   keytab anymore (gssproxy does) and neither GSSAPI nor gssproxy
   support FAST channel wrapping for explicitly specified password+2FA
   token.

For DL0 we do not officially support PKINIT, so first case is not
relevant. However, second case is what we need even on DL0 because
otherwise IPA framework does not work, as you have witnessed.

We thought that we could solve this problem by re-using anonymous
principal as 'normal' principal -- by fetching its keytab and
authenticating with the keys from it. But for anonymous principal MIT
Kerberos library does verification of the session key and requires it to
be provided with PKINIT PA DATA when there is no wrapping principal
keys.

See RFC 6112 section 4.1: https://tools.ietf.org/html/rfc6112#section-4.1

----
   The Kerberos client can use the client's long-term keys, the client's
   X.509 certificates [RFC4556], or any other pre-authentication data,
   to authenticate to the KDC and requests an anonymous ticket in an AS
   exchange where the client's identity is known to the KDC.

   If the client in the AS request is anonymous, the anonymous KDC
   option MUST be set in the request. Otherwise, the KDC MUST return a
   KRB-ERROR message with the code KDC_ERR_BADOPTION.
----

Corresponding code in MIT Kerberos is this:
https://github.com/krb5/krb5/blob/master/src/lib/krb5/krb/get_in_tkt.c#L157

So, using keytab for anonymous principal does not work. We either can
have another principal to perform wrapping or actually fix PKINIT for
DL0 for the purpose of IPA framework.

The latter is easy to achieve. Certmonger maintains two local CAs:
SelfSign and 'local':

# getcert list-cas
[....]
CA 'SelfSign':
        is-default: no
        ca-type: INTERNAL:SELF
        next-serial-number: 01
CA 'local':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/libexec/certmonger/local-submit

The first one self-signs whatever request you provide, the second one
signs it with a locally generated CA which is unique to each host. The
latter one doesn't perform any checks and simply signs the request.

Obviously, relying on certmonger's local CA to provide PKINIT to other
IPA clients does not scale. But we already established we wouldn't do
that. In IPA framework which runs on the very same host as KDC, we can
have access to the same public key KDC would be using for itself and can
kinit with it as an anchor:

  kinit -X x509_anchor=/path/to/local-ca.crt -n

This approach allows us to avoid any modification to /etc/krb5.conf on
IPA master. An IPA framework would only need to have access to the
public key of local CA. And local CA is something certmonger provides
since its first run.

Yes, we'll need to manage upgrades from DL0 to DL1 for PKINIT. In
practice this will mean we have to:

 - replace local CA-issued KDC certificate if we were upgraded to become
   IPA-managed CA

 - replace local CA-issued KDC certificate with externally provided KDC
   certificate if we were upgraded and provided with explicit certificates

This is certainly doable and primary benefit is that we wouldn't need to
have any fallbacks anymore. We would always use Anonymous PKINIT within
the IPA framework and be done with it.

--
/ Alexander Bokovoy

From ssorce at redhat.com Thu Mar 23 14:36:57 2017
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 23 Mar 2017 10:36:57 -0400
Subject: [Freeipa-devel] PKINIT Handling in mixed/CA-less topologies
In-Reply-To: <20170323140800.5fjdhztnkr576u2c@redhat.com>
References: <20170323123323.GB4278@dhcp129-180.brq.redhat.com> <20170323140800.5fjdhztnkr576u2c@redhat.com>
Message-ID: <1490279817.5861.25.camel@redhat.com>

On Thu, 2017-03-23 at 16:08 +0200, Alexander Bokovoy wrote:
> On to, 23 maalis 2017, Martin Babinsky wrote:
> >Hi List,
> >
> >TL;DR we have to handle FAST channel establishment when KDC is not issued
> >PKINIT keypair
> >
> >I have spent some time studying and fixing bugs/regressions caused by
> >incomplete consideration of PKINIT and anonymous principal setup regarding to
> >
> >* replicas standed up against old (3.0.0) masters
> >* domain level 0 topologies
> >* CA-less deployments
> >
> >I want to discuss the impact of these findings on existing functionality and
> >how to fix them so that 4.5.1 release will be more usable and free of subtle
> >but serious bugs (more on this later).
> >
> >From conversation from Alexander and Simo it follows that anonymous PKINIT
> >feature is supposed to be used in domain level 1 deployments because only these
> >guarantee the presence of the features (CA ACLs and custom certificate
> >profiles) which allow for issuing certificates suitable for PKINIT
> >authentication. This leads to the following considerations:
> >
> >* on DL0 enforce no_pkinit on server/replica deployments
> >* during upgrade of DL0 deployments, do not issue PKINIT certificates
> >* during upgrade of DL1 deployments issue PKINIT certs
> >* extend ipa-server-certinstall to install/issue PKINIT certificates after
> >  DL0/DL1 upgrade (have to be manually).
> >
> >However, I found out that the only case when anonymous PKINIT actually works is
> >for fresh DL1 server install and upgrade and install of 4.5.0 replica against
> >4.5.0 master in DL1. The following use-cases either fail to install or leave
> >the system with unusable password auth (e.g. WebUI login):
> >
> >* setting up 4.5 replica against <4.5 master fails during anonymous
> >  principal setup[1] (ticket states domain level 0, but DL1 is also
> >  affected)
> >* setting up server-replica with `no_pkinit` option (CA-full or CA-less)
> >  leaves the installation without non-working WebUI as anonymous PKINIT does
> >  not work (ticket incoming)
> >* If we restrict DL0 installs to force no_pkinit[2] we will be left with
> >  whole topologies where anonymous PKINIT does not work, so no WebUI auth
> >  for them
> >
> >We now have to decide how to properly support or avoid non-PKINIT deployments.
> >The current code which handles armoring of password auth requests[3] does not
> >actually work without PKINIT certificates, the fallback mechanism still fails
> >to obtain armor ccache[4].
> >
> >I have concluded that for non-PKINIT cases we have
> >to use the old way to armor TGT request (i.e. establish fast channel by
> >kinit as service principal), but this means that the framework has to use a
> >service principal whose keytab it can read and use. After privilege separation,
> >however, we do not have direct access to HTTP keytab so how should we proceed
> >in this case? We definitely need to discuss this further.
> >
> >Please state your suggestions and comments, and sorry for the long mail.
> Thanks, Martin, for the thorough analysis.
>
> I need to clarify *why* we need working Anonymous PKINIT. There are two
> separate needs here:
>
>  - Enable clients with no access to a separate key to be usable for 2FA
>    accounts. This can be best explained as to support Kerberos auth from
>    non-enrolled machines or machines where no SSSD is in use. In such
>    cases we cannot use another credentials to create FAST channel and
>    pass 2FA creds with kinit.
>
>  - Enable IPA framework to perform password-based login for 2FA. With
>    privilege separation we don't have access to HTTP/... principal's
>    keytab anymore (gssproxy does) and neither GSSAPI nor gssproxy
>    support FAST channel wrapping for explicitly specified password+2FA
>    token.
>
> For DL0 we do not officially support PKINIT, so first case is not
> relevant. However, second case is what we need even on DL0 because
> otherwise IPA framework does not work, as you have witnessed.
>
> We thought that we could solve this problem by re-using anonymous
> principal as 'normal' principal -- by fetching its keytab and
> authenticating with the keys from it. But for anonymous principal MIT
> Kerberos library does verification of the session key and requires it to
> be provided with PKINIT PA DATA when there is no wrapping principal
> keys.
>
> See RFC 6112 section 4.1: https://tools.ietf.org/html/rfc6112#section-4.1
>
> ----
>    The Kerberos client can use the client's long-term keys, the client's
>    X.509 certificates [RFC4556], or any other pre-authentication data,
>    to authenticate to the KDC and requests an anonymous ticket in an AS
>    exchange where the client's identity is known to the KDC.
>
>    If the client in the AS request is anonymous, the anonymous KDC
>    option MUST be set in the request. Otherwise, the KDC MUST return a
>    KRB-ERROR message with the code KDC_ERR_BADOPTION.
> ----
>
> Corresponding code in MIT Kerberos is this:
> https://github.com/krb5/krb5/blob/master/src/lib/krb5/krb/get_in_tkt.c#L157
>
> So, using keytab for anonymous principal does not work. We either can
> have another principal to perform wrapping or actually fix PKINIT for
> DL0 for the purpose of IPA framework.
>
> The latter is easy to achieve. Certmonger maintains two local CAs:
> SelfSign and 'local':
>
> # getcert list-cas
> [....]
> CA 'SelfSign':
>         is-default: no
>         ca-type: INTERNAL:SELF
>         next-serial-number: 01
> CA 'local':
>         is-default: no
>         ca-type: EXTERNAL
>         helper-location: /usr/libexec/certmonger/local-submit
>
> The first one self-signs whatever request you provide, the second one
> signs it with a locally generated CA which is unique to each host. The
> latter one doesn't perform any checks and simply signs the request.
>
> Obviously, relying on certmonger's local CA to provide PKINIT to other
> IPA clients does not scale. But we already established we wouldn't do
> that. In IPA framework which runs on the very same host as KDC, we can
> have access to the same public key KDC would be using for itself and can
> kinit with it as an anchor:
>
>   kinit -X x509_anchor=/path/to/local-ca.crt -n
>
> This approach allows us to avoid any modification to /etc/krb5.conf on
> IPA master. An IPA framework would only need to have access to the
> public key of local CA. And local CA is something certmonger provides
> since its first run.
>
> Yes, we'll need to manage upgrades from DL0 to DL1 for PKINIT. In
> practice this will mean we have to:
>
>  - replace local CA-issued KDC certificate if we were upgraded to become
>    IPA-managed CA
>
>  - replace local CA-issued KDC certificate with externally provided KDC
>    certificate if we were upgraded and provided with explicit certificates
>
> This is certainly doable and primary benefit is that we wouldn't need to
> have any fallbacks anymore. We would always use Anonymous PKINIT within
> the IPA framework and be done with it.

Just to recap the reason to support PKINIT locally is for supporting 2FA
in the WebUI which is a hard requirement.

Using the local CA will make this work for local logins ONLY and this is
OK.
The kinit command should really be called with this option:
x509_anchor=/var/kerberos/krb5kdc/cacert.pem so it will always work
regardless of what CA cert is there (the local one or the real CA one).

The only issue will be handling SELinux issues, if those are a problem
we can also simply copy the local-ca.crt
in /var/lib/ipa/api/pkinit-ca.crt and always call kinit with that file.

We would need to make sure we copy there the correct CA cert for the job
(certmonger's local-ca crt if no pkinit is enabled or whatever CA cert
we are given if pkinit is enabled).

Simo.

From mbasti at redhat.com Thu Mar 23 14:39:51 2017
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 23 Mar 2017 15:39:51 +0100
Subject: [Freeipa-devel] [DRAFT] release notes FreeIPA 4.4.4
Message-ID: <72b6b658-50fb-a9a6-c84c-02497e81b8c6@redhat.com>

Please check the draft of the release notes for FreeIPA 4.4.4 release:
http://www.freeipa.org/page/Releases/4.4.4

Martin^2

From mbasti at redhat.com Thu Mar 23 14:41:30 2017
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 23 Mar 2017 15:41:30 +0100
Subject: [Freeipa-devel] [DRAFT] release notes FreeIPA 4.3.3
Message-ID: <9d705ae5-0cf4-446b-bf4a-cf19a76d0a2f@redhat.com>

Please check the draft of the release notes for FreeIPA 4.3.3 release:
http://www.freeipa.org/page/Releases/4.3.3

Martin^2

From abokovoy at redhat.com Thu Mar 23 14:46:20 2017
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 23 Mar 2017 16:46:20 +0200
Subject: [Freeipa-devel] PKINIT Handling in mixed/CA-less topologies
In-Reply-To: <1490279817.5861.25.camel@redhat.com>
References: <20170323123323.GB4278@dhcp129-180.brq.redhat.com> <20170323140800.5fjdhztnkr576u2c@redhat.com> <1490279817.5861.25.camel@redhat.com>
Message-ID: <20170323144620.5gurhtdx2dkv57cy@redhat.com>

On to, 23 maalis 2017, Simo Sorce wrote:
>On Thu, 2017-03-23 at 16:08 +0200, Alexander Bokovoy wrote:
>> On to, 23 maalis 2017, Martin Babinsky wrote:
>> >Hi List,
>> >
>> >TL;DR we have to handle FAST channel establishment when KDC is not issued
>> >PKINIT keypair
>> >
>> >I have spent some time studying and fixing bugs/regressions caused by
>> >incomplete consideration of PKINIT and anonymous principal setup regarding to
>> >
>> >* replicas standed up against old (3.0.0) masters
>> >* domain level 0 topologies
>> >* CA-less deployments
>> >
>> >I want to discuss the impact of these findings on existing functionality and
>> >how to fix them so that 4.5.1 release will be more usable and free of subtle
>> >but serious bugs (more on this later).
>> >
>> >From conversation from Alexander and Simo it follows that anonymous PKINIT
>> >feature is supposed to be used in domain level 1 deployments because only these
>> >guarantee the presence of the features (CA ACLs and custom certificate
>> >profiles) which allow for issuing certificates suitable for PKINIT
>> >authentication. This leads to the following considerations:
>> >
>> >* on DL0 enforce no_pkinit on server/replica deployments
>> >* during upgrade of DL0 deployments, do not issue PKINIT certificates
>> >* during upgrade of DL1 deployments issue PKINIT certs
>> >* extend ipa-server-certinstall to install/issue PKINIT certificates after
>> >  DL0/DL1 upgrade (have to be manually).
>> >
>> >However, I found out that the only case when anonymous PKINIT actually works is
>> >for fresh DL1 server install and upgrade and install of 4.5.0 replica against
>> >4.5.0 master in DL1. The following use-cases either fail to install or leave
>> >the system with unusable password auth (e.g. WebUI login):
>> >
>> >* setting up 4.5 replica against <4.5 master fails during anonymous
>> >  principal setup[1] (ticket states domain level 0, but DL1 is also
>> >  affected)
>> >* setting up server-replica with `no_pkinit` option (CA-full or CA-less)
>> >  leaves the installation without non-working WebUI as anonymous PKINIT does
>> >  not work (ticket incoming)
>> >* If we restrict DL0 installs to force no_pkinit[2] we will be left with
>> >  whole topologies where anonymous PKINIT does not work, so no WebUI auth
>> >  for them
>> >
>> >We now have to decide how to properly support or avoid non-PKINIT deployments.
>> >The current code which handles armoring of password auth requests[3] does not
>> >actually work without PKINIT certificates, the fallback mechanism still fails
>> >to obtain armor ccache[4].
>> >
>> >I have concluded that for non-PKINIT cases we have
>> >to use the old way to armor TGT request (i.e. establish fast channel by
>> >kinit as service principal), but this means that the framework has to use a
>> >service principal whose keytab it can read and use. After privilege separation,
>> >however, we do not have direct access to HTTP keytab so how should we proceed
>> >in this case? We definitely need to discuss this further.
>> >
>> >Please state your suggestions and comments, and sorry for the long mail.
>> Thanks, Martin, for the thorough analysis.
>>
>> I need to clarify *why* we need working Anonymous PKINIT. There are two
>> separate needs here:
>>
>>  - Enable clients with no access to a separate key to be usable for 2FA
>>    accounts. This can be best explained as to support Kerberos auth from
>>    non-enrolled machines or machines where no SSSD is in use. In such
>>    cases we cannot use another credentials to create FAST channel and
>>    pass 2FA creds with kinit.
>>
>>  - Enable IPA framework to perform password-based login for 2FA. With
>>    privilege separation we don't have access to HTTP/... principal's
>>    keytab anymore (gssproxy does) and neither GSSAPI nor gssproxy
>>    support FAST channel wrapping for explicitly specified password+2FA
>>    token.
>>
>> For DL0 we do not officially support PKINIT, so first case is not
>> relevant. However, second case is what we need even on DL0 because
>> otherwise IPA framework does not work, as you have witnessed.
>>
>> We thought that we could solve this problem by re-using anonymous
>> principal as 'normal' principal -- by fetching its keytab and
>> authenticating with the keys from it. But for anonymous principal MIT
>> Kerberos library does verification of the session key and requires it to
>> be provided with PKINIT PA DATA when there is no wrapping principal
>> keys.
>>
>> See RFC 6112 section 4.1: https://tools.ietf.org/html/rfc6112#section-4.1
>>
>> ----
>>    The Kerberos client can use the client's long-term keys, the client's
>>    X.509 certificates [RFC4556], or any other pre-authentication data,
>>    to authenticate to the KDC and requests an anonymous ticket in an AS
>>    exchange where the client's identity is known to the KDC.
>>
>>    If the client in the AS request is anonymous, the anonymous KDC
>>    option MUST be set in the request. Otherwise, the KDC MUST return a
>>    KRB-ERROR message with the code KDC_ERR_BADOPTION.
>> ----
>>
>> Corresponding code in MIT Kerberos is this:
>> https://github.com/krb5/krb5/blob/master/src/lib/krb5/krb/get_in_tkt.c#L157
>>
>> So, using keytab for anonymous principal does not work. We either can
>> have another principal to perform wrapping or actually fix PKINIT for
>> DL0 for the purpose of IPA framework.
>>
>> The latter is easy to achieve. Certmonger maintains two local CAs:
>> SelfSign and 'local':
>>
>> # getcert list-cas
>> [....]
>> CA 'SelfSign':
>>         is-default: no
>>         ca-type: INTERNAL:SELF
>>         next-serial-number: 01
>> CA 'local':
>>         is-default: no
>>         ca-type: EXTERNAL
>>         helper-location: /usr/libexec/certmonger/local-submit
>>
>> The first one self-signs whatever request you provide, the second one
>> signs it with a locally generated CA which is unique to each host. The
>> latter one doesn't perform any checks and simply signs the request.
>>
>> Obviously, relying on certmonger's local CA to provide PKINIT to other
>> IPA clients does not scale. But we already established we wouldn't do
>> that. In IPA framework which runs on the very same host as KDC, we can
>> have access to the same public key KDC would be using for itself and can
>> kinit with it as an anchor:
>>
>>   kinit -X x509_anchor=/path/to/local-ca.crt -n
>>
>> This approach allows us to avoid any modification to /etc/krb5.conf on
>> IPA master. An IPA framework would only need to have access to the
>> public key of local CA. And local CA is something certmonger provides
>> since its first run.
>>
>> Yes, we'll need to manage upgrades from DL0 to DL1 for PKINIT. In
>> practice this will mean we have to:
>>
>>  - replace local CA-issued KDC certificate if we were upgraded to become
>>    IPA-managed CA
>>
>>  - replace local CA-issued KDC certificate with externally provided KDC
>>    certificate if we were upgraded and provided with explicit certificates
>>
>> This is certainly doable and primary benefit is that we wouldn't need to
>> have any fallbacks anymore. We would always use Anonymous PKINIT within
>> the IPA framework and be done with it.
>
>Just to recap the reason to support PKINIT locally is for supporting 2FA
>in the WebUI which is a hard requirement.
Correct.

>Using the local CA will make this work for local logins ONLY and this is
>OK.
>The kinit command should really be called with this option:
>x509_anchor=/var/kerberos/krb5kdc/cacert.pem so it will always work
>regardless of what CA cert is there (the local one or the real CA one).
The option is -X x509_anchor=...

>The only issue will be handling SELinux issues, if those are a problem
>we can also simply copy the local-ca.crt
>in /var/lib/ipa/api/pkinit-ca.crt and always call kinit with that file.
I think we can do that in pre-start hook in httpd.service.d/ipa.conf

>We would need to make sure we copy there the correct CA cert for the job
>(certmonger's local-ca crt if no pkinit is enabled or whatever CA cert
>we are given if pkinit is enabled).
>

--
/ Alexander Bokovoy

From freeipa-github-notification at redhat.com Thu Mar 23 14:49:55 2017
From: freeipa-github-notification at redhat.com (sumit-bose)
Date: Thu, 23 Mar 2017 15:49:55 +0100
Subject: [Freeipa-devel] [freeipa PR#575][synchronized] IPA certauth plugin
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/575
Author: sumit-bose
Title: #575: IPA certauth plugin
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/575/head:pr575
git checkout pr575
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-575.patch
Type: text/x-diff
Size: 26395 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Thu Mar 23 14:53:10 2017
From: freeipa-github-notification at redhat.com (pvomacka) Date: Thu, 23 Mar 2017 15:53:10 +0100 Subject: [Freeipa-devel] [freeipa PR#639][synchronized] WebUI: Login for AD Users In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/639 Author: pvomacka Title: #639: WebUI: Login for AD Users Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/639/head:pr639 git checkout pr639 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-639.patch Type: text/x-diff Size: 18800 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 23 14:54:51 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Thu, 23 Mar 2017 15:54:51 +0100 Subject: [Freeipa-devel] [freeipa PR#639][comment] WebUI: Login for AD Users In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/639 Title: #639: WebUI: Login for AD Users pvomacka commented: """ I implemented all comments which you proposed and I also changed menu of AD user selfservice - I removed User tab and renamed User ID override to Profile. """ See the full comment at https://github.com/freeipa/freeipa/pull/639#issuecomment-288744985 From freeipa-github-notification at redhat.com Thu Mar 23 15:23:41 2017 
From: freeipa-github-notification at redhat.com (pvomacka) Date: Thu, 23 Mar 2017 16:23:41 +0100 Subject: [Freeipa-devel] [freeipa PR#470][synchronized] WebUI: Size limit warning on details pages fixed In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/470 Author: pvomacka Title: #470: WebUI: Size limit warning on details pages fixed Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/470/head:pr470 git checkout pr470 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-470.patch Type: text/x-diff Size: 2770 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 23 16:23:30 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 23 Mar 2017 17:23:30 +0100 Subject: [Freeipa-devel] [freeipa PR#646][opened] [4.4] FreeIPA 4.4.4 translations Message-ID: URL: https://github.com/freeipa/freeipa/pull/646 Author: MartinBasti Title: #646: [4.4] FreeIPA 4.4.4 translations Action: opened PR body: """ """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/646/head:pr646 git checkout pr646 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-646.patch Type: text/x-diff Size: 24415 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 23 16:37:16 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 23 Mar 2017 17:37:16 +0100 Subject: [Freeipa-devel] [freeipa PR#646][+ack] [4.4] FreeIPA 4.4.4 translations In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/646 Title: #646: [4.4] FreeIPA 4.4.4 translations Label: +ack From freeipa-github-notification at redhat.com Thu Mar 23 16:38:31 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 23 Mar 2017 17:38:31 +0100 Subject: [Freeipa-devel] [freeipa PR#646][+pushed] [4.4] FreeIPA 4.4.4 translations In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/646 Title: #646: [4.4] FreeIPA 4.4.4 translations Label: +pushed From freeipa-github-notification at redhat.com Thu Mar 23 16:38:35 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 23 Mar 2017 17:38:35 +0100 Subject: [Freeipa-devel] [freeipa PR#646][comment] [4.4] FreeIPA 4.4.4 translations In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/646 Title: #646: [4.4] FreeIPA 4.4.4 translations tomaskrizek commented: """ ipa-4-4: * e7beb9a2ae5349525119ee072eebcc385f01c68e FreeIPA 4.4.4 translations """ See the full comment at https://github.com/freeipa/freeipa/pull/646#issuecomment-288780894 From freeipa-github-notification at redhat.com Thu Mar 23 16:38:39 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 23 Mar 2017 17:38:39 +0100 Subject: [Freeipa-devel] [freeipa PR#646][closed] [4.4] FreeIPA 4.4.4 translations In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/646 Author: MartinBasti Title: #646: [4.4] FreeIPA 4.4.4 translations Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/646/head:pr646 git checkout pr646 From freeipa-github-notification at redhat.com Thu Mar 23 16:42:07 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 23 Mar 2017 17:42:07 +0100 Subject: [Freeipa-devel] [freeipa PR#647][opened] [4.3] Update Contributors.txt Message-ID: URL: https://github.com/freeipa/freeipa/pull/647 Author: MartinBasti Title: #647: [4.3] Update Contributors.txt Action: opened PR body: """ """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/647/head:pr647 git checkout pr647 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-647.patch Type: text/x-diff Size: 1189 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 23 16:50:17 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 23 Mar 2017 17:50:17 +0100 Subject: [Freeipa-devel] [freeipa PR#648][opened] [4.4] Update Contributors.txt Message-ID: URL: https://github.com/freeipa/freeipa/pull/648 Author: MartinBasti Title: #648: [4.4] Update Contributors.txt Action: opened PR body: """ """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/648/head:pr648 git checkout pr648 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-648.patch Type: text/x-diff Size: 2751 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 23 16:53:56 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 23 Mar 2017 17:53:56 +0100 Subject: [Freeipa-devel] [freeipa PR#648][synchronized] [4.4] Update Contributors.txt In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/648 Author: MartinBasti Title: #648: [4.4] Update Contributors.txt Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/648/head:pr648 git checkout pr648 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-648.patch Type: text/x-diff Size: 2785 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 23 16:54:41 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 23 Mar 2017 17:54:41 +0100 Subject: [Freeipa-devel] [freeipa PR#648][+ack] [4.4] Update Contributors.txt In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/648 Title: #648: [4.4] Update Contributors.txt Label: +ack From freeipa-github-notification at redhat.com Thu Mar 23 16:54:49 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 23 Mar 2017 17:54:49 +0100 Subject: [Freeipa-devel] [freeipa PR#647][+ack] [4.3] Update Contributors.txt In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/647 Title: #647: [4.3] Update Contributors.txt Label: +ack From freeipa-github-notification at redhat.com Thu Mar 23 16:58:49 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 23 Mar 2017 17:58:49 +0100 Subject: [Freeipa-devel] [freeipa PR#647][+pushed] [4.3] Update Contributors.txt In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/647 Title: #647: [4.3] Update Contributors.txt Label: +pushed From freeipa-github-notification at redhat.com Thu Mar 23 16:58:52 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 23 Mar 2017 17:58:52 +0100 Subject: [Freeipa-devel] [freeipa PR#647][comment] [4.3] Update Contributors.txt In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/647 Title: #647: [4.3] Update Contributors.txt tomaskrizek commented: """ ipa-4-3: * 4ce58141cce0a58ec896b93bc1409a56a88c7700 Update Contributors.txt """ See the full comment at https://github.com/freeipa/freeipa/pull/647#issuecomment-288787577 From freeipa-github-notification at redhat.com Thu Mar 23 16:58:55 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 23 Mar 2017 17:58:55 +0100 Subject: [Freeipa-devel] [freeipa PR#647][closed] [4.3] Update Contributors.txt In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/647 Author: MartinBasti Title: #647: [4.3] Update Contributors.txt Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/647/head:pr647 git checkout pr647 From freeipa-github-notification at redhat.com Thu Mar 23 16:59:33 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 23 Mar 2017 17:59:33 +0100 Subject: [Freeipa-devel] [freeipa PR#648][+pushed] [4.4] Update Contributors.txt In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/648 Title: #648: [4.4] Update Contributors.txt Label: +pushed From freeipa-github-notification at redhat.com Thu Mar 23 16:59:36 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 23 Mar 2017 17:59:36 +0100 Subject: [Freeipa-devel] [freeipa PR#648][comment] [4.4] Update Contributors.txt In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/648 Title: #648: [4.4] Update Contributors.txt tomaskrizek commented: """ ipa-4-4: * b150a7a9941893d11d4bccc4f0e1e2bd4b27d289 Update Contributors.txt """ See the full comment at https://github.com/freeipa/freeipa/pull/648#issuecomment-288787836 From freeipa-github-notification at redhat.com Thu Mar 23 16:59:39 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 23 Mar 2017 17:59:39 +0100 Subject: [Freeipa-devel] [freeipa PR#648][closed] [4.4] Update Contributors.txt In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/648 Author: MartinBasti Title: #648: [4.4] Update Contributors.txt Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/648/head:pr648 git checkout pr648 From mbasti at redhat.com Thu Mar 23 18:15:52 2017 
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 23 Mar 2017 19:15:52 +0100
Subject: [Freeipa-devel] Announcing FreeIPA 4.4.4
Message-ID: <03a0c3e1-a1f6-638f-e550-abff5f8c846f@redhat.com>

Release date: 2017-03-23

The FreeIPA team would like to announce FreeIPA 4.4.4 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 24 will be available in the official COPR repository . This announcement is also available at.

== Highlights in 4.4.4 ==

=== Enhancements ===
=== Known Issues ===
=== Bug fixes ===
FreeIPA 4.4.4 is a stabilization release for the features delivered as a part of 4.4.0.

== Upgrading ==
Upgrade instructions are available on [[Upgrade]] page.

== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel on Freenode.

== Resolved tickets ==
* 6776 krb5 1.15 broke DAL principal free
* 6738 Ipa-kra-install fails with weird output when backspace is used during typing Directory Manager password
* 6713 ipa: Insufficient permission check for ca-del, ca-disable and ca-enable commands (CVE-2017-2590)
* 6647 batch param compatibility is incorrect
* 6608 IPA server installation should check if IPv6 stack is enabled
* 6600 Legacy client tests doesn't have tree domain role.
* 6588 replication race condition prevents IPA to install
* 6575 ipa-replica-install fails on requesting DS cert when master is not configured with IPv6
* 6070 ipa-replica-install fails to install when resolv.conf incomplete entries

== Detailed changelog since 4.4.3 ==

=== Alexander Bokovoy (1) ===
* ipa-kdb: support KDB DAL version 6.1

=== David Kupka (1) ===
* ipapython.ipautil.nolog_replace: Do not replace empty value

=== Florence Blanc-Renaud (1) ===
* Do not configure PKI ajp redirection to use "::1"

=== Fraser Tweedale (2) ===
* ca: correctly authorise ca-del, ca-enable and ca-disable
* Set up DS TLS on replica in CA-less topology

=== Ganna Kaihorodova (1) ===
* Tests: Add tree root domain role in legacy client tests

=== Jan Cholasta (1) ===
* compat: fix `Any` params in `batch` and `dnsrecord`

=== Martin Basti (7) ===
* Become IPA 4.4.4
* Update Contributors.txt
* FreeIPA 4.4.4 translations
* Bump python-dns to improve processing of non-complete resolv.conf
* Use proper logging for error messages
* Wait until HTTPS principal entry is replicated to replica
* wait_for_entry: use only DN as parameter

=== Stanislav Laznicka (2) ===
* Add debug log in case cookie retrieval went wrong
* Fix cookie with Max-Age processing

=== Tomas Krizek (1) ===
* server install: require IPv6 stack to be enabled

=== Thorsten Scherf (1) ===
* added ssl verification using IPA trust anchor
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From mbasti at redhat.com Thu Mar 23 19:06:58 2017
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 23 Mar 2017 20:06:58 +0100
Subject: [Freeipa-devel] Announcing FreeIPA 4.3.3
Message-ID:

Release date: 2017-03-23

The FreeIPA team would like to announce FreeIPA 4.3.3 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Please note that this is the last upstream release of FreeIPA 4.3.x branch. This announcement is also available at .

== Highlights in 4.3.3 ==

=== Enhancements ===
=== Known Issues ===
=== Bug fixes ===
FreeIPA 4.3.3 is a stabilization release for the features delivered as a part of 4.3.0. There are more than 20 bug-fixes whose details can be seen in the list of resolved tickets below.

== Upgrading ==
Upgrade instructions are available on [[Upgrade]] page.

== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel on Freenode.

== Resolved tickets ==
* 6774 FreeIPA client <= 4.4 fail to parse 4.5 cookies
* 6561 CVE-2016-7030 freeipa: ipa: DoS attack against kerberized services by abusing password policy
* 6560 CVE-2016-9575 freeipa: ipa: Insufficient permission check in certprofile-mod
* 6485 Document make_delete_command method in UserTracker
* 6378 Tests: Fix failing sudo test
* 6317 backport #6213 Incorrect test for DNSForwardPolicyConflictWithEmptyZone warning in test_xmlrpc/test_dns_plugin
* 6316 backport #6199 Received ACIError instead of DuplicatedError in stageuser_tests
* 6311 Fix or remove the `LDAPUpdate.update_from_dict` method
* 6287 Refer to nodes in TestWrongClientDomain replica promotion tests as replicas
* 6284 Tests: avoid skipping tests because of missing files when running as outoftree
* 6278 Use OAEP padding with custodia (to avoid CVE-2016-6298)
* 6262 Fix integration sudo tests setup and checks
* 6254 kinit_admin raises an exception if server uninstallation is called from test teardown with server not installed
* 6244 build: add python-libsss_nss_idmap and python-sss to BuildRequires
* 6205 The ipa-server-upgrade command failed when named-pkcs11 does not happen to run during dnf upgrade
* 6177 ca-less test are broken - invalid usage of ipautil.run
* 6167 Incorrect domainlevel info in tests
* 6166 Subsequent external CA installation fails
* 6147 Failing automember tests due to manager output normalization
* 6134 Command "ipa-replica-prepare" not allowed to create line replication topology
* 6120 ipa-adtrust-install: when running with --netbios-name="", the NetBIOS name is changed without notification
* 6076 Mulitple domain Active Directory Trust conflict
* 6056 custodia.conf and server.keys file is world-readable.
* 6016 ipa-ca-install on replica tries to connect to master:8443
* 5696 Add conflicts with bind-chroot to spec.

== Detailed changelog since 4.3.2 ==

=== Alexander Bokovoy (5) ===
* ipa-kdb: search for password policies globally
* ipa-kdb: simplify trusted domain parent search
* trust: make sure ID range is created for the child domain even if it exists
* trust: automatically resolve DNS trust conflicts for triangle trusts
* ipaserver/dcerpc: reformat to make the code closer to pep8

=== Christian Heimes (3) ===
* Use RSA-OAEP instead of RSA PKCS#1 v1.5
* Secure permissions of Custodia server.keys
* RedHatCAService should wait for local Dogtag instance

=== David Kupka (1) ===
* password policy: Add explicit default password policy for hosts and services

=== Fraser Tweedale (2) ===
* certprofile-mod: correctly authorise config update
* cert-revoke: fix permission check bypass (CVE-2016-5404)

=== Ganna Kaihorodova (1) ===
* Fix for integration tests replication layouts

=== Jan Cholasta (2) ===
* Revert "spec: add conflict with bind-chroot to freeipa-server-dns"
* install: fix external CA cert validation

=== Lenka Doudova (7) ===
* Document make_delete_command method in UserTracker
* Tests: Fix integration sudo test
* Tests: Fix integration sudo tests setup and checks
* Tests: Avoid skipping tests due to missing files
* Raise error when running ipa-adtrust-install with empty netbios--name
* Tests: Fix failing automember tests
* Tests: Remove DNS configuration from trust tests

=== Martin Babinsky (1) ===
* add python-libsss_nss_idmap and python-sss to BuildRequires

=== Martin Basti (5) ===
* Become IPA 4.3.3
* Update Contributors.txt
* Raise DuplicatedEnrty error when user exists in delete_container
* Catch DNS exceptions during emptyzones named.conf upgrade
* Start named during configuration upgrade.

=== Oleg Fayans (3) ===
* Changed addressing to the client hosts to be replicas
* Disabled raiseonerr in kinit call during topology level check
* Fixed incorrect domainlevel determination in tests

=== Peter Lacko (1) ===
* Test URIs in certificate.

=== Petr Spacek (3) ===
* Tests: fix test_forward_zones in test_xmlrpc/test_dns_plugin
* DNS server upgrade: do not fail when DNS server did not respond
* Fix ipa-replica-prepare's error message about missing local CA instance

=== Petr Vobornik (1) ===
* ca-less tests: fix getting cert in pem format from nssdb

=== Stanislav Laznicka (3) ===
* Add debug log in case cookie retrieval went wrong
* Fix cookie with Max-Age processing
* Remove update_from_dict() method

=== Tomas Krizek (1) ===
* Keep NSS trust flags of existing certificates
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From freeipa-github-notification at redhat.com Thu Mar 23 20:29:52 2017
From: freeipa-github-notification at redhat.com (simo5)
Date: Thu, 23 Mar 2017 21:29:52 +0100
Subject: [Freeipa-devel] [freeipa PR#649][opened] Session cookie storage and handling fixes
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/649
Author: simo5
Title: #649: Session cookie storage and handling fixes
Action: opened

PR body:
"""
This patchset improves the behavior of the client in various ways.
- Avoids unbounded growth of FILE ccaches
- Fix regression with session cookies updates not being retrievable with FILE caches
- Fix client authentication to better handle servers that may decide our cookie is not good anymore
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/649/head:pr649
git checkout pr649
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-649.patch
Type: text/x-diff
Size: 16071 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Thu Mar 23 20:30:21 2017
From: freeipa-github-notification at redhat.com (simo5)
Date: Thu, 23 Mar 2017 21:30:21 +0100
Subject: [Freeipa-devel] [freeipa PR#649][comment] Session cookie storage and handling fixes
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/649
Title: #649: Session cookie storage and handling fixes

simo5 commented:
"""
Note I am still running tests, but I think the patchset is good for review already.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/649#issuecomment-288850417

From freeipa-github-notification at redhat.com Thu Mar 23 20:31:01 2017
From: freeipa-github-notification at redhat.com (simo5)
Date: Thu, 23 Mar 2017 21:31:01 +0100
Subject: [Freeipa-devel] [freeipa PR#638][comment] ipalib/rpc.py: Fix session handling for KEYRING: ccaches
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/638
Title: #638: ipalib/rpc.py: Fix session handling for KEYRING: ccaches

simo5 commented:
"""
This PR has been obsoleted by #649
"""

See the full comment at https://github.com/freeipa/freeipa/pull/638#issuecomment-288850585

From freeipa-github-notification at redhat.com Thu Mar 23 20:31:04 2017
From: freeipa-github-notification at redhat.com (simo5)
Date: Thu, 23 Mar 2017 21:31:04 +0100
Subject: [Freeipa-devel] [freeipa PR#638][closed] ipalib/rpc.py: Fix session handling for KEYRING: ccaches
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/638
Author: abbra
Title: #638: ipalib/rpc.py: Fix session handling for KEYRING: ccaches
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/638/head:pr638
git checkout pr638

From freeipa-github-notification at redhat.com Thu Mar 23 21:03:14 2017
From: freeipa-github-notification at redhat.com (simo5)
Date: Thu, 23 Mar 2017 22:03:14 +0100
Subject: [Freeipa-devel] [freeipa PR#649][comment] Session cookie storage and handling fixes
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/649
Title: #649: Session cookie storage and handling fixes

simo5 commented:
"""
The FILE ccache is still growing because we keep getting updated cookies (where the only thing that changes is the expiration date).
"""

See the full comment at https://github.com/freeipa/freeipa/pull/649#issuecomment-288859035

From freeipa-github-notification at redhat.com Thu Mar 23 22:34:18 2017
From: freeipa-github-notification at redhat.com (simo5)
Date: Thu, 23 Mar 2017 23:34:18 +0100
Subject: [Freeipa-devel] [freeipa PR#649][synchronized] Session cookie storage and handling fixes
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/649
Author: simo5
Title: #649: Session cookie storage and handling fixes
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/649/head:pr649
git checkout pr649
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-649.patch
Type: text/x-diff
Size: 18632 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Thu Mar 23 22:35:34 2017
From: freeipa-github-notification at redhat.com (simo5)
Date: Thu, 23 Mar 2017 23:35:34 +0100
Subject: [Freeipa-devel] [freeipa PR#649][comment] Session cookie storage and handling fixes
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/649
Title: #649: Session cookie storage and handling fixes

simo5 commented:
"""
I added a 4th patch to address the FILE ccache growth issue. It is a bit unorthodox but it works. Please review carefully and let me know if you are ok with this
"""

See the full comment at https://github.com/freeipa/freeipa/pull/649#issuecomment-288881336

From freeipa-github-notification at redhat.com Fri Mar 24 07:40:37 2017
From: freeipa-github-notification at redhat.com (abbra)
Date: Fri, 24 Mar 2017 08:40:37 +0100
Subject: [Freeipa-devel] [freeipa PR#649][comment] Session cookie storage and handling fixes
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/649
Title: #649: Session cookie storage and handling fixes

abbra commented:
"""
I tested the whole patchset. It worked for me first time I've got cookie expired. However, it broke in ~10 minutes afterwards -- apparently, keyring ccache was empty, according to `klist`. After few more minutes I was able to list TGT from the same ccache and `ipa` CLI worked again.

I suspect we created something that MIT Kerberos library does not really understand.

```text
[10609] 1490339971.189122: Storing config in KEYRING:persistent:0:krb_ccache_uA6VDOR for admin at XS.IPA.COOL: X-IPA-Session-Cookie: ipa_session=MagBearerToken=NtVuqNjq7jKtuDiw9lDSxHI%2frs5vd4UZ9o1sSZjDAemTImufljlG66i3l6MgA%2fmxtC0kPQgUqUEVcFJ04GWKOzK%2bYeTTEeAXrs59sNUq4VZzmRDTbLW%2by9ccodzlUdoeIiDVKdJsGHlBKyKTtcm1UW0a0LY%2bQLJscOQImQOlNpJ%2bxFs3szGU5w1rFbjQPwp6\x00
[10609] 1490339971.189156: Storing admin at XS.IPA.COOL -> krb5_ccache_conf_data/X-IPA-Session-Cookie/admin\@XS.IPA.COOL at X-CACHECONF: in KEYRING:persistent:0:krb_ccache_uA6VDOR
```

... some time later, in a different execution of ipa user-show ...

```text
ipa: DEBUG: New HTTP connection (nyx.xs.ipa.cool)
ipa: DEBUG: HTTP connection destroyed (nyx.xs.ipa.cool)
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 676, in single_request
    self.get_auth_info()
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 628, in get_auth_info
    self._handle_exception(e, service=service)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 585, in _handle_exception
    raise errors.CCacheError()
CCacheError: did not receive Kerberos credentials
ipa: DEBUG: Destroyed connection context.rpcclient_140537682029648
ipa: ERROR: did not receive Kerberos credentials
[root at nyx ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_uA6VDOR
Default principal: admin at XS.IPA.COOL

Valid starting       Expires              Service principal
klist: No credentials cache found while retrieving a ticket
```

.... some time afterwards, without running kinit ....

```text
[root at nyx ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_uA6VDOR
Default principal: admin at XS.IPA.COOL

Valid starting       Expires              Service principal
03/24/2017 08:07:02  03/25/2017 08:06:56  krbtgt/XS.IPA.COOL at XS.IPA.COOL
```

.... and running ipa user-show now succeeds in retrieving old cookie, invalidating it, negotiating a new one, and storing it ....

```text
[10747] 1490340689.131026: Storing config in KEYRING:persistent:0:krb_ccache_uA6VDOR for admin at XS.IPA.COOL: X-IPA-Session-Cookie: ipa_session=MagBearerToken=J9aCtYUAsRFpJJhrMu4x4E2gwA2ojJOPdYT7iN7GtTyec7%2fj9lW1LyzgpLhjawaCa9MsK%2btOPDF6mKTsCSJqey3vhgY35ezg8Cwzbln6yGr0kPfDCWoxSQGYWx%2fSSIRVltu8akoXu1NvzP1%2bF0NEFrdzGi2%2bZDZXRFvUC5UpLg%2b3JMg5ZNExYlr%2bLHHQpAJh\x00
[10747] 1490340689.131071: Storing admin at XS.IPA.COOL -> krb5_ccache_conf_data/X-IPA-Session-Cookie/admin\@XS.IPA.COOL at X-CACHECONF: in KEYRING:persistent:0:krb_ccache_uA6VDOR
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/649#issuecomment-288954010

From freeipa-github-notification at redhat.com Fri Mar 24 07:48:04 2017
From: freeipa-github-notification at redhat.com (sumit-bose)
Date: Fri, 24 Mar 2017 08:48:04 +0100
Subject: [Freeipa-devel] [freeipa PR#575][synchronized] IPA certauth plugin
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/575
Author: sumit-bose
Title: #575: IPA certauth plugin
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/575/head:pr575
git checkout pr575
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-575.patch
Type: text/x-diff
Size: 27089 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Fri Mar 24 07:57:48 2017
From: freeipa-github-notification at redhat.com (abbra)
Date: Fri, 24 Mar 2017 08:57:48 +0100
Subject: [Freeipa-devel] [freeipa PR#639][comment] WebUI: Login for AD Users
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/639
Title: #639: WebUI: Login for AD Users

abbra commented:
"""
LGTM and works just fine: ![](https://vda.li/images/freeipa-web-ui-login-ad-user.png)
"""

See the full comment at https://github.com/freeipa/freeipa/pull/639#issuecomment-288956595

From freeipa-github-notification at redhat.com Fri Mar 24 08:27:22 2017
From: freeipa-github-notification at redhat.com (pvoborni)
Date: Fri, 24 Mar 2017 09:27:22 +0100
Subject: [Freeipa-devel] [freeipa PR#639][comment] WebUI: Login for AD Users
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/639
Title: #639: WebUI: Login for AD Users

pvoborni commented:
"""
The code changes look good to me. ACK given that it works fine (@abbra 's comment).
"""

See the full comment at https://github.com/freeipa/freeipa/pull/639#issuecomment-288961590

From freeipa-github-notification at redhat.com Fri Mar 24 08:27:34 2017
From: freeipa-github-notification at redhat.com (pvoborni)
Date: Fri, 24 Mar 2017 09:27:34 +0100
Subject: [Freeipa-devel] [freeipa PR#639][+ack] WebUI: Login for AD Users
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/639
Title: #639: WebUI: Login for AD Users
Label: +ack

From freeipa-github-notification at redhat.com Fri Mar 24 08:38:54 2017
From: freeipa-github-notification at redhat.com (abbra)
Date: Fri, 24 Mar 2017 09:38:54 +0100
Subject: [Freeipa-devel] [freeipa PR#649][comment] Session cookie storage and handling fixes
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/649
Title: #649: Session cookie storage and handling fixes

abbra commented:
"""
@simo5, I think I found why it happened -- I actually had krbMaxTicketLife set for HTTP/... principal to 300 seconds. So I think your patches are good. I'd like you to fix fourth patch according to inline comments I left but that's it.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/649#issuecomment-288963636

From mbabinsk at redhat.com Fri Mar 24 08:43:41 2017
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Fri, 24 Mar 2017 09:43:41 +0100
Subject: [Freeipa-devel] PKINIT Handling in mixed/CA-less topologies
In-Reply-To: <20170323144620.5gurhtdx2dkv57cy@redhat.com>
References: <20170323123323.GB4278@dhcp129-180.brq.redhat.com> <20170323140800.5fjdhztnkr576u2c@redhat.com> <1490279817.5861.25.camel@redhat.com> <20170323144620.5gurhtdx2dkv57cy@redhat.com>
Message-ID: <20170324084340.GC3928@dhcp129-180.brq.redhat.com>

On Thu, Mar 23, 2017 at 04:46:20PM +0200, Alexander Bokovoy wrote:
>On Thu, 23 Mar 2017, Simo Sorce wrote:
>> On Thu, 2017-03-23 at 16:08 +0200, Alexander Bokovoy wrote:
>> > On Thu, 23 Mar 2017, Martin Babinsky wrote:
>> > >Hi List,
>> > >
>> > >TL;DR we have to handle FAST channel establishment when KDC is not issued
>> > >PKINIT keypair
>> > >
>> > >I have spent some time studying and fixing bugs/regressions caused by
>> > >incomplete consideration of PKINIT and anonymous principal setup regarding to
>> > >
>> > >* replicas stood up against old (3.0.0) masters
>> > >* domain level 0 topologies
>> > >* CA-less deployments
>> > >
>> > >I want to discuss the impact of these findings on existing functionality and
>> > >how to fix them so that 4.5.1 release will be more usable and free of subtle
>> > >but serious bugs (more on this later).
>> > >
>> > >From conversation from Alexander and Simo it follows that anonymous PKINIT
>> > >feature is supposed to be used in domain level 1 deployments because only these
>> > >guarantee the presence of the features (CA ACLs and custom certificate
>> > >profiles) which allow for issuing certificates suitable for PKINIT
>> > >authentication. This leads to the following considerations:
>> > >
>> > >* on DL0 enforce no_pkinit on server/replica deployments
>> > >* during upgrade of DL0 deployments, do not issue PKINIT certificates
>> > >* during upgrade of DL1 deployments issue PKINIT certs
>> > >* extend ipa-server-certinstall to install/issue PKINIT certificates after
>> > >  DL0/DL1 upgrade (have to be manually).
>> > >
>> > >However, I found out that the only case when anonymous PKINIT actually works is
>> > >for fresh DL1 server install and upgrade and install of 4.5.0 replica against
>> > >4.5.0 master in DL1. The following use-cases either fail to install or leave
>> > >the system with unusable password auth (e.g. WebUI login):
>> > >
>> > >* setting up 4.5 replica against <4.5 master fails during anonymous
>> > >  principal setup[1] (ticket states domain level 0, but DL1 is also
>> > >  affected)
>> > >* setting up server-replica with `no_pkinit` option (CA-full or CA-less)
>> > >  leaves the installation without non-working WebUI as anonymous PKINIT does
>> > >  not work (ticket incoming)
>> > >* If we restrict DL0 installs to force no_pkinit[2] we will be left with
>> > >  whole topologies where anonymous PKINIT does not work, so no WebUI auth
>> > >  for them
>> > >
>> > >We now have to decide how to properly support or avoid non-PKINIT deployments.
>> > >The current code which handles armoring of password auth requests[3] does not
>> > >actually work without PKINIT certificates, the fallback mechanism still fails
>> > >to obtain armor ccache[4].
>> > >
>> > >I have concluded that for non-PKINIT cases we have
>> > >to use the old way to armor TGT request (i.e. establish fast channel by
>> > >kinit as service principal), but this means that the framework has to use a
>> > >service principal whose keytab it can read and use. After privilege separation,
>> > >however, we do not have direct access to HTTP keytab so how should we proceed
>> > >in this case? We definitely need to discuss this further.
>> > >
>> > >Please state your suggestions and comments, and sorry for the long mail.
>> > Thanks, Martin, for the thorough analysis.
>> >
>> > I need to clarify *why* we need working Anonymous PKINIT. There are two
>> > separate needs here:
>> >
>> > - Enable clients with no access to a separate key to be usable for 2FA
>> >   accounts. This can be best explained as to support Kerberos auth from
>> >   non-enrolled machines or machines where no SSSD is in use. In such
>> >   cases we cannot use another credentials to create FAST channel and
>> >   pass 2FA creds with kinit.
>> >
>> > - Enable IPA framework to perform password-based login for 2FA. With
>> >   privilege separation we don't have access to HTTP/... principal's
>> >   keytab anymore (gssproxy does) and neither GSSAPI nor gssproxy
>> >   support FAST channel wrapping for explicitly specified password+2FA
>> >   token.
>> >
>> > For DL0 we do not officially support PKINIT, so first case is not
>> > relevant. However, second case is what we need even on DL0 because
>> > otherwise IPA framework does not work, as you have witnessed.
>> >
>> > We thought that we could solve this problem by re-using anonymous
>> > principal as 'normal' principal -- by fetching its keytab and
>> > authenticating with the keys from it. But for anonymous principal MIT
>> > Kerberos library does verification of the session key and requires it to
>> > be provided with PKINIT PA DATA when there is no wrapping principal
>> > keys.
>> >
>> > See RFC 6112 section 4.1: https://tools.ietf.org/html/rfc6112#section-4.1
>> >
>> > ----
>> > The Kerberos client can use the client's long-term keys, the client's
>> > X.509 certificates [RFC4556], or any other pre-authentication data,
>> > to authenticate to the KDC and requests an anonymous ticket in an AS
>> > exchange where the client's identity is known to the KDC.
>> >
>> > If the client in the AS request is anonymous, the anonymous KDC
>> > option MUST be set in the request. Otherwise, the KDC MUST return a
>> > KRB-ERROR message with the code KDC_ERR_BADOPTION.
>> > ----
>> >
>> > Corresponding code in MIT Kerberos is this:
>> > https://github.com/krb5/krb5/blob/master/src/lib/krb5/krb/get_in_tkt.c#L157
>> >
>> > So, using keytab for anonymous principal does not work. We either can
>> > have another principal to perform wrapping or actually fix PKINIT for
>> > DL0 for the purpose of IPA framework.
>> >
>> > The latter is easy to achieve. Certmonger maintains two local CAs:
>> > SelfSign and 'local':
>> >
>> > # getcert list-cas
>> > [....]
>> > CA 'SelfSign':
>> >   is-default: no
>> >   ca-type: INTERNAL:SELF
>> >   next-serial-number: 01
>> > CA 'local':
>> >   is-default: no
>> >   ca-type: EXTERNAL
>> >   helper-location: /usr/libexec/certmonger/local-submit
>> >
>> > The first one self-signs whatever request you provide, the second one
>> > signs it with a locally generated CA which is unique to each host. The
>> > latter one doesn't perform any checks and simply signs the request.
>> >
>> > Obviously, relying on certmonger's local CA to provide PKINIT to other
>> > IPA clients does not scale. But we already established we wouldn't do
>> > that. In IPA framework which runs on the very same host as KDC, we can
>> > have access to the same public key KDC would be using for itself and can
>> > kinit with it as an anchor:
>> >
>> > kinit -X x509_anchor=/path/to/local-ca.crt -n
>> >
>> > This approach allows us to avoid any modification to /etc/krb5.conf on
>> > IPA master. An IPA framework would only need to have access to the
>> > public key of local CA. And local CA is something certmonger provides
>> > since its first run.
>> >
>> > Yes, we'll need to manage upgrades from DL0 to DL1 for PKINIT. In
>> > practice this will mean we have to:
>> >
>> > - replace local CA-issued KDC certificate if we were upgraded to become
>> >   IPA-managed CA
>> >
>> > - replace local CA-issued KDC certificate with externally provided KDC
>> >   certificate if we were upgraded and provided with explicit certificates
>> >
>> > This is certainly doable and primary benefit is that we wouldn't need to
>> > have any fallbacks anymore. We would always use Anonymous PKINIT within
>> > the IPA framework and be done with it.
>>
>> Just to recap the reason to support PKINIT locally is for supporting 2FA
>> in the WebUI which is a hard requirement.
>Correct.
>
>> Using the local CA will make this work for local logins ONLY and this is
>> OK.
>> The kinit command should really be called with this option:
>> x509_anchor=/var/kerberos/krb5kdc/cacert.pem so it will always work
>> regardless of what CA cert is there (the local one or the real CA one).
>The option is -X x509_anchor=...
>
>> The only issue will be handling SELinux issues, if those are a problem
>> we can also simply copy the local-ca.crt
>> in /var/lib/ipa/api/pkinit-ca.crt and always call kinit with that file.
>I think we can do that in pre-start hook in httpd.service.d/ipa.conf
>
>> We would need to make sure we copy there the correct CA cert for the job
>> (certmonger's local-ca crt if no pkinit is enabled or whatever CA cert
>> we are given if pkinit is enabled).
>>
>
>--
>/ Alexander Bokovoy

Ok so let's forget for a moment about the clients and focus on framework and PKINIT. We then have two options how to handle FAST wrapping:

1.) use a custom principal for FAST channel, e.g. ipaapi/`hostname`

This is analogous to how were things done before privilege separation/PKINIT work. A plus is that you configure it once and it works regardless of whether PKINIT is configured properly or not. A minus is that when PKINIT is configured you are still using one special mechanism for FAST/2FA for the webui while the rest of clients are happily using anonymous principal. Another minus is that we introduce another n principals (where N is number of masters) which will (at least initially) be used only for FAST channel generation and nothing else.

2.) use anonymous principal for FAST channel.

The advantage is that when PKINIT is configured properly (DL1), we use the same mechanism for FAST/2FA in the whole topology regardless of the use case (although as we already discussed we will still have to pass custom anchor location during password auth in the framework). A disadvantage is that in no-PKINIT case we would have to use certmonger's local CA to issue PKINIT cert, fetch the local CA cert and store it somewhere in (e.g. in /var/kerberos/kdc/cacert.pem). On DL-bump or if someone wishes to enable PKINIT we have to re-issue the certs by IPA and replace the CA cert by IPA-issued one (this can be made part of ipa-server-certinstall).

I feel I can not really decide which approach is better. The first one is consistent with regard to PKINIT status and domain level but inconsistent with the client vs. server FAST channel generation mech. The second one uses common mechanism everywhere, but in no-PKINIT case we must 'fake' the anonymous PKINIT by specially issued certificates which feels a bit hacky to me.

--
Martin Babinsky

From freeipa-github-notification at redhat.com Fri Mar 24 08:48:18 2017
From: freeipa-github-notification at redhat.com (pvoborni)
Date: Fri, 24 Mar 2017 09:48:18 +0100
Subject: [Freeipa-devel] [freeipa PR#470][+ack] WebUI: Size limit warning on details pages fixed
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/470
Title: #470: WebUI: Size limit warning on details pages fixed
Label: +ack

From freeipa-github-notification at redhat.com Fri Mar 24 08:48:23 2017
From: freeipa-github-notification at redhat.com (pvoborni) Date: Fri, 24 Mar 2017 09:48:23 +0100 Subject: [Freeipa-devel] [freeipa PR#470][comment] WebUI: Size limit warning on details pages fixed In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/470 Title: #470: WebUI: Size limit warning on details pages fixed pvoborni commented: """ Code looks good and works fine, ACK. """ See the full comment at https://github.com/freeipa/freeipa/pull/470#issuecomment-288965483 From abokovoy at redhat.com Fri Mar 24 08:53:49 2017 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 24 Mar 2017 10:53:49 +0200 Subject: [Freeipa-devel] PKINIT Handling in mixed/CA-less topologies In-Reply-To: <20170324084340.GC3928@dhcp129-180.brq.redhat.com> References: <20170323123323.GB4278@dhcp129-180.brq.redhat.com> <20170323140800.5fjdhztnkr576u2c@redhat.com> <1490279817.5861.25.camel@redhat.com> <20170323144620.5gurhtdx2dkv57cy@redhat.com> <20170324084340.GC3928@dhcp129-180.brq.redhat.com> Message-ID: <20170324085349.7vtyvwke4ztw5gub@redhat.com> On Fri, 24 Mar 2017, Martin Babinsky wrote: >On Thu, Mar 23, 2017 at 04:46:20PM +0200, Alexander Bokovoy wrote: >>On Thu, 23 Mar 2017, Simo Sorce wrote: >>> On Thu, 2017-03-23 at 16:08 +0200, Alexander Bokovoy wrote: >>> > On Thu, 23 Mar 2017, Martin Babinsky wrote: >>> > >Hi List, >>> > > >>> > >TL;DR we have to handle FAST channel establishment when KDC is not issued >>> > >PKINIT keypair >>> > > >>> > >I have spent some time studying and fixing bugs/regressions caused by >>> > >incomplete consideration of PKINIT and anonymous principal setup regarding to >>> > > >>> > >* replicas stood up against old (3.0.0) masters >>> > >* domain level 0 topologies >>> > >* CA-less deployments >>> > > >>> > >I want to discuss the impact of these findings on existing functionality and >>> > >how to fix them so that 4.5.1 release will be more usable and free of subtle >>> > >but serious bugs (more on this later). >>> > > >>> > >From conversation from Alexander and Simo it follows that anonymous PKINIT >>> > >feature is supposed to be used in domain level 1 deployments because only these >>> > >guarantee the presence of the features (CA ACLs and custom certificate >>> > >profiles) which allow for issuing certificates suitable for PKINIT >>> > >authentication.
This leads to the following considerations: >>> > > >>> > >* on DL0 enforce no_pkinit on server/replica deployments >>> > >* during upgrade of DL0 deployments, do not issue PKINIT certificates >>> > >* during upgrade of DL1 deployments issue PKINIT certs >>> > >* extend ipa-server-certinstall to install/issue PKINIT certificates after >>> > > DL0/DL1 upgrade (have to be manually). >>> > > >>> > >However, I found out that the only case when anonymous PKINIT actually works is >>> > >for fresh DL1 server install and upgrade and install of 4.5.0 replica against >>> > >4.5.0 master in DL1. The following use-cases either fail to install or leave >>> > >the system with unusable password auth (e.g. WebUI login): >>> > > >>> > >* setting up 4.5 replica against <4.5 master fails during anonymous >>> > > principal setup[1] (ticket states domain level 0, but DL1 is also >>> > > affected) >>> > >* setting up server-replica with `no_pkinit` option (CA-full or CA-less) >>> > > leaves the installation without non-working WebUI as anonymous PKINIT does >>> > > not work (ticket incoming) >>> > >* If we restrict DL0 installs to force no_pkinit[2] we will be left with >>> > > whole topologies where anonymous PKINIT does not work, so no WebUI auth >>> > > for them >>> > > >>> > >We now have to decide how to properly support or avoid non-PKINIT deployments. >>> > >The current code which handles armoring of password auth requests[3] does not >>> > >actually work without PKINIT certificates, the fallback mechanism still fails >>> > >to obtain armor ccache[4]. >>> > > >>> > >I have concluded that for non-PKINIT cases we have >>> > >to use the old way to armor TGT request (i.e. establish fast channel by >>> > >kinit as service principal), but this means that the framework has to use a >>> > >service principal whose keytab it can read and use. After privilege separation, >>> > >however, we do not have direct access to HTTP keytab so how should we proceed >>> > >in this case?
We definitely need to discuss this further. >>> > > >>> > >Please state your suggestions and comments, and sorry for the long mail. >>> > Thanks, Martin, for the thorough analysis. >>> > >>> > I need to clarify *why* we need working Anonymous PKINIT. There are two >>> > separate needs here: >>> > >>> > - Enable clients with no access to a separate key to be usable for 2FA >>> > accounts. This can be best explained as to support Kerberos auth from >>> > non-enrolled machines or machines where no SSSD is in use. In such >>> > cases we cannot use another credentials to create FAST channel and >>> > pass 2FA creds with kinit. >>> > >>> > - Enable IPA framework to perform password-based login for 2FA. With >>> > privilege separation we don't have access to HTTP/... principal's >>> > keytab anymore (gssproxy does) and neither GSSAPI nor gssproxy >>> > support FAST channel wrapping for explicitly specified password+2FA >>> > token. >>> > >>> > For DL0 we do not officially support PKINIT, so first case is not >>> > relevant. However, second case is what we need even on DL0 because >>> > otherwise IPA framework does not work, as you have witnessed. >>> > >>> > We thought that we could solve this problem by re-using anonymous >>> > principal as 'normal' principal -- by fetching its keytab and >>> > authenticating with the keys from it. But for anonymous principal MIT >>> > Kerberos library does verification of the session key and requires it to >>> > be provided with PKINIT PA DATA when there is no wrapping principal >>> > keys. >>> > >>> > See RFC 6112 section 4.1: https://tools.ietf.org/html/rfc6112#section-4.1 >>> > >>> > ---- >>> > The Kerberos client can use the client's long-term keys, the client's >>> > X.509 certificates [RFC4556], or any other pre-authentication data, >>> > to authenticate to the KDC and requests an anonymous ticket in an AS >>> > exchange where the client's identity is known to the KDC. 
>>> > >>> > If the client in the AS request is anonymous, the anonymous KDC >>> > option MUST be set in the request. Otherwise, the KDC MUST return a >>> > KRB-ERROR message with the code KDC_ERR_BADOPTION. >>> > ---- >>> > >>> > Corresponding code in MIT Kerberos is this: >>> > https://github.com/krb5/krb5/blob/master/src/lib/krb5/krb/get_in_tkt.c#L157 >>> > >>> > So, using keytab for anonymous principal does not work. We either can >>> > have another principal to perform wrapping or actually fix PKINIT for >>> > DL0 for the purpose of IPA framework. >>> > >>> > The latter is easy to achieve. Certmonger maintains two local CAs: >>> > SelfSign and 'local': >>> > >>> > # getcert list-cas >>> > [....] >>> > CA 'SelfSign': >>> > is-default: no >>> > ca-type: INTERNAL:SELF >>> > next-serial-number: 01 >>> > CA 'local': >>> > is-default: no >>> > ca-type: EXTERNAL >>> > helper-location: /usr/libexec/certmonger/local-submit >>> > >>> > The first one self-signs whatever request you provide, the second one >>> > signs it with a locally generated CA which is unique to each host. The >>> > latter one doesn't perform any checks and simply signs the request. >>> > >>> > Obviously, relying on certmonger's local CA to provide PKINIT to other >>> > IPA clients does not scale. But we already established we wouldn't do >>> > that. In IPA framework which runs on the very same host as KDC, we can >>> > have access to the same public key KDC would be using for itself and can >>> > kinit with it as an anchor: >>> > >>> > kinit -X x509_anchor=/path/to/local-ca.crt -n >>> > >>> > This approach allows us to avoid any modification to /etc/krb5.conf on >>> > IPA master. An IPA framework would only need to have access to the >>> > public key of local CA. And local CA is something certmonger provides >>> > since its first run. >>> > >>> > Yes, we'll need to manage upgrades from DL0 to DL1 for PKINIT.
In >>> > practice this will mean we have to: >>> > >>> > - replace local CA-issued KDC certificate if we were upgraded to become >>> > IPA-managed CA >>> > >>> > - replace local CA-issued KDC certificate with externally provided KDC >>> > certificate if we were upgraded and provided with explicit certificates >>> > >>> > This is certainly doable and primary benefit is that we wouldn't need to >>> > have any fallbacks anymore. We would always use Anonymous PKINIT within >>> > the IPA framework and be done with it. >>> >>> Just to recap the reason to support PKINIT locally is for supporting 2FA >>> in the WebUI which is a hard requirement. >>Correct. >> >>> Using the local CA will make this work for local logins ONLY and this is >>> OK. >>> The kinit command should really be called with this option: >>> x509_anchor=/var/kerberos/krb5kdc/cacert.pem so it will always work >>> regardless of what CA cert is there (the local one or the real CA one). >>The option is -X x509_anchor=... >> >>> The only issue will be handling SELinux issues, if those are a problem >>> we can also simply copy the local-ca.crt >>> in /var/lib/ipa/api/pkinit-ca.crt and always call kinit with that file. >>I think we can do that in pre-start hook in httpd.service.d/ipa.conf >> >>> We would need to make sure we copy there the correct CA cert for the job >>> (certmonger's local-ca crt if no pkinit is enabled or whatever CA cert >>> we are given if pkinit is enabled). >>> >> >>-- >>/ Alexander Bokovoy > >Ok so let's forget for a moment about the clients and focus on framework and >PKINIT. We then have two options how to handle FAST wrapping: > > 1.) use a custom principal for FAST channel, e.g. ipaapi/`hostname` > This is analogous to how were things done before privilege > separation/PKINIT work. A plus is that you configure it once and it > works regardless of whether PKINIT is configured properly or not. 
A > minus is that when PKINIT is configured you are still using > one special mechanism for FAST/2FA for the webui while the rest of > clients are happily using anonymous principal. Another minus is that we > introduce another n principals (where N is number of masters) which > will (at least initially) be used only for FAST channel generation and > nothing else. > > 2.) use anonymous principal for FAST channel. The advantage is that when > PKINIT is configured properly (DL1), we use the same mechanism for > FAST/2FA in the whole topology regardless of the use case (although as > we already discussed we will still have to pass custom anchor location > during password auth in the framework). A disadvantage is that in > no-PKINIT case we would have to use certmonger's local CA to issue > PKINIT cert, fetch the local CA cert and store it somewhere in (e.g. in > /var/kerberos/kdc/cacert.pem). On DL-bump or if someone wishes to > enable PKINIT we have to re-issue the certs by IPA and replace the CA > cert by IPA-issued one (this can be made part of > ipa-server-certinstall). > >I feel I can not really decide which approach is better. The first one is >consistent with regard to PKINIT status and domain level but inconsistent with >the client vs. server FAST channel generation mech. The second one uses common >mechanism everywhere, but in no-PKINIT case we must 'fake' the anonymous PKINIT >by specially issued certificates which feels a bit hacky to me. Both Simo and me are for (2). Note that we are not faking anything in the case of DL0. It is real PKINIT with limited functionality only. -- / Alexander Bokovoy From freeipa-github-notification at redhat.com Fri Mar 24 08:59:33 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 24 Mar 2017 09:59:33 +0100 Subject: [Freeipa-devel] [freeipa PR#650][opened] CA-less installation fix Message-ID: URL: https://github.com/freeipa/freeipa/pull/650 Author: stlaz Title: #650: CA-less installation fix Action: opened PR body: """ These patches fix the CA-less installation by guessing the names for CA and server-cert nicknames in /etc/httpd/alias. The fix is not very nice since it's guessing but I am not sure if there's anything else we can do at this point. Also, `HTTPInstance.start/stop_tracking_certificates` would probably not need the guessing since it's only relevant for CA-full installations where we know the server-cert nickname is `Server-Cert` so I can replace it there if you think that'd be better. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/650/head:pr650 git checkout pr650 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-650.patch Type: text/x-diff Size: 5743 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 24 09:16:33 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 24 Mar 2017 10:16:33 +0100 Subject: [Freeipa-devel] [freeipa PR#649][comment] Session cookie storage and handling fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/649 Title: #649: Session cookie storage and handling fixes tiran commented: """ @simo5 I left some comments. """ See the full comment at https://github.com/freeipa/freeipa/pull/649#issuecomment-288971205 From freeipa-github-notification at redhat.com Fri Mar 24 09:43:30 2017 
From: freeipa-github-notification at redhat.com (pvomacka) Date: Fri, 24 Mar 2017 10:43:30 +0100 Subject: [Freeipa-devel] [freeipa PR#651][opened] WebUI: Fix showing vault in selfservice view Message-ID: URL: https://github.com/freeipa/freeipa/pull/651 Author: pvomacka Title: #651: WebUI: Fix showing vault in selfservice view Action: opened PR body: """ Vaults menu item was shown even when the KRA service was not installed. That was caused by different path to the menu item in admin's view and in selfservice view. The path is now set correctly for both situations. 'network_service/vault' for admin's view and 'vault' for selfservice view. https://pagure.io/freeipa/issue/6812 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/651/head:pr651 git checkout pr651 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-651.patch Type: text/x-diff Size: 1789 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 24 09:51:44 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 24 Mar 2017 10:51:44 +0100 Subject: [Freeipa-devel] [freeipa PR#618][synchronized] [WIP] Tox testing support for client wheel packages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/618 Author: tiran Title: #618: [WIP] Tox testing support for client wheel packages Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/618/head:pr618 git checkout pr618 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-618.patch Type: text/x-diff Size: 13811 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 24 10:16:49 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 24 Mar 2017 11:16:49 +0100 Subject: [Freeipa-devel] [freeipa PR#618][synchronized] [WIP] Tox testing support for client wheel packages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/618 Author: tiran Title: #618: [WIP] Tox testing support for client wheel packages Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/618/head:pr618 git checkout pr618 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-618.patch Type: text/x-diff Size: 15075 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 24 10:50:48 2017 From: freeipa-github-notification at redhat.com (pvoborni) Date: Fri, 24 Mar 2017 11:50:48 +0100 Subject: [Freeipa-devel] [freeipa PR#651][comment] WebUI: Fix showing vault in selfservice view In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/651 Title: #651: WebUI: Fix showing vault in selfservice view pvoborni commented: """ Works fine. ACK """ See the full comment at https://github.com/freeipa/freeipa/pull/651#issuecomment-288990983 From freeipa-github-notification at redhat.com Fri Mar 24 10:50:57 2017 From: freeipa-github-notification at redhat.com (pvoborni) Date: Fri, 24 Mar 2017 11:50:57 +0100 Subject: [Freeipa-devel] [freeipa PR#651][+ack] WebUI: Fix showing vault in selfservice view In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/651 Title: #651: WebUI: Fix showing vault in selfservice view Label: +ack From mbabinsk at redhat.com Fri Mar 24 10:52:01 2017 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Fri, 24 Mar 2017 11:52:01 +0100 Subject: [Freeipa-devel] PKINIT Handling in mixed/CA-less topologies In-Reply-To: <20170324085349.7vtyvwke4ztw5gub@redhat.com> References: <20170323123323.GB4278@dhcp129-180.brq.redhat.com> <20170323140800.5fjdhztnkr576u2c@redhat.com> <1490279817.5861.25.camel@redhat.com> <20170323144620.5gurhtdx2dkv57cy@redhat.com> <20170324084340.GC3928@dhcp129-180.brq.redhat.com> <20170324085349.7vtyvwke4ztw5gub@redhat.com> Message-ID: <20170324105159.GD3928@dhcp129-180.brq.redhat.com> On Fri, Mar 24, 2017 at 10:53:49AM +0200, Alexander Bokovoy wrote: >On Fri, 24 Mar 2017, Martin Babinsky wrote: >> On Thu, Mar 23, 2017 at 04:46:20PM +0200, Alexander Bokovoy wrote: >> > On Thu, 23 Mar 2017, Simo Sorce wrote: >> > > On Thu, 2017-03-23 at 16:08 +0200, Alexander Bokovoy wrote: >> > > > On Thu, 23 Mar 2017, Martin Babinsky wrote: >> > > > >Hi List, >> > > > > >> > > > >TL;DR we have to handle FAST channel establishment when KDC is not issued >> > > > >PKINIT keypair >> > > > > >> > > > >I have spent some time studying and fixing bugs/regressions caused by >> > > > >incomplete consideration of PKINIT and anonymous principal setup regarding to >> > > > > >> > > > >* replicas stood up against old (3.0.0) masters >> > > > >* domain level 0 topologies >> > > > >* CA-less deployments >> > > > > >> > > > >I want to discuss the impact of these findings on existing functionality and >> > > > >how to fix them so that 4.5.1 release will be more usable and free of subtle >> > > > >but serious bugs (more on this later). >> > > > > >> > > > >From conversation from Alexander and Simo it follows that anonymous PKINIT >> > > > >feature is supposed to be used in domain level 1 deployments because only these >> > > > >guarantee the presence of the features (CA ACLs and custom certificate >> > > > >profiles) which allow for issuing certificates suitable for PKINIT >> > > > >authentication.
This leads to the following considerations: >> > > > > >> > > > >* on DL0 enforce no_pkinit on server/replica deployments >> > > > >* during upgrade of DL0 deployments, do not issue PKINIT certificates >> > > > >* during upgrade of DL1 deployments issue PKINIT certs >> > > > >* extend ipa-server-certinstall to install/issue PKINIT certificates after >> > > > > DL0/DL1 upgrade (have to be manually). >> > > > > >> > > > >However, I found out that the only case when anonymous PKINIT actually works is >> > > > >for fresh DL1 server install and upgrade and install of 4.5.0 replica against >> > > > >4.5.0 master in DL1. The following use-cases either fail to install or leave >> > > > >the system with unusable password auth (e.g. WebUI login): >> > > > > >> > > > >* setting up 4.5 replica against <4.5 master fails during anonymous >> > > > > principal setup[1] (ticket states domain level 0, but DL1 is also >> > > > > affected) >> > > > >* setting up server-replica with `no_pkinit` option (CA-full or CA-less) >> > > > > leaves the installation without non-working WebUI as anonymous PKINIT does >> > > > > not work (ticket incoming) >> > > > >* If we restrict DL0 installs to force no_pkinit[2] we will be left with >> > > > > whole topologies where anonymous PKINIT does not work, so no WebUI auth >> > > > > for them >> > > > > >> > > > >We now have to decide how to properly support or avoid non-PKINIT deployments. >> > > > >The current code which handles armoring of password auth requests[3] does not >> > > > >actually work without PKINIT certificates, the fallback mechanism still fails >> > > > >to obtain armor ccache[4]. >> > > > > >> > > > >I have concluded that for non-PKINIT cases we have >> > > > >to use the old way to armor TGT request (i.e. establish fast channel by >> > > > >kinit as service principal), but this means that the framework has to use a >> > > > >service principal whose keytab it can read and use.
After privilege separation, >> > > > >however, we do not have direct access to HTTP keytab so how should we proceed >> > > > >in this case? We definitely need to discuss this further. >> > > > > >> > > > >Please state your suggestions and comments, and sorry for the long mail. >> > > > Thanks, Martin, for the thorough analysis. >> > > > >> > > > I need to clarify *why* we need working Anonymous PKINIT. There are two >> > > > separate needs here: >> > > > >> > > > - Enable clients with no access to a separate key to be usable for 2FA >> > > > accounts. This can be best explained as to support Kerberos auth from >> > > > non-enrolled machines or machines where no SSSD is in use. In such >> > > > cases we cannot use another credentials to create FAST channel and >> > > > pass 2FA creds with kinit. >> > > > >> > > > - Enable IPA framework to perform password-based login for 2FA. With >> > > > privilege separation we don't have access to HTTP/... principal's >> > > > keytab anymore (gssproxy does) and neither GSSAPI nor gssproxy >> > > > support FAST channel wrapping for explicitly specified password+2FA >> > > > token. >> > > > >> > > > For DL0 we do not officially support PKINIT, so first case is not >> > > > relevant. However, second case is what we need even on DL0 because >> > > > otherwise IPA framework does not work, as you have witnessed. >> > > > >> > > > We thought that we could solve this problem by re-using anonymous >> > > > principal as 'normal' principal -- by fetching its keytab and >> > > > authenticating with the keys from it. But for anonymous principal MIT >> > > > Kerberos library does verification of the session key and requires it to >> > > > be provided with PKINIT PA DATA when there is no wrapping principal >> > > > keys. 
>> > > > >> > > > See RFC 6112 section 4.1: https://tools.ietf.org/html/rfc6112#section-4.1 >> > > > >> > > > ---- >> > > > The Kerberos client can use the client's long-term keys, the client's >> > > > X.509 certificates [RFC4556], or any other pre-authentication data, >> > > > to authenticate to the KDC and requests an anonymous ticket in an AS >> > > > exchange where the client's identity is known to the KDC. >> > > > >> > > > If the client in the AS request is anonymous, the anonymous KDC >> > > > option MUST be set in the request. Otherwise, the KDC MUST return a >> > > > KRB-ERROR message with the code KDC_ERR_BADOPTION. >> > > > ---- >> > > > >> > > > Corresponding code in MIT Kerberos is this: >> > > > https://github.com/krb5/krb5/blob/master/src/lib/krb5/krb/get_in_tkt.c#L157 >> > > > >> > > > So, using keytab for anonymous principal does not work. We either can >> > > > have another principal to perform wrapping or actually fix PKINIT for >> > > > DL0 for the purpose of IPA framework. >> > > > >> > > > The latter is easy to achieve. Certmonger maintains two local CAs: >> > > > SelfSign and 'local': >> > > > >> > > > # getcert list-cas >> > > > [....] >> > > > CA 'SelfSign': >> > > > is-default: no >> > > > ca-type: INTERNAL:SELF >> > > > next-serial-number: 01 >> > > > CA 'local': >> > > > is-default: no >> > > > ca-type: EXTERNAL >> > > > helper-location: /usr/libexec/certmonger/local-submit >> > > > >> > > > The first one self-signs whatever request you provide, the second one >> > > > signs it with a locally generated CA which is unique to each host. The >> > > > latter one doesn't perform any checks and simply signs the request. >> > > > >> > > > Obviously, relying on certmonger's local CA to provide PKINIT to other >> > > > IPA clients does not scale. But we already established we wouldn't do >> > > > that.
In IPA framework which runs on the very same host as KDC, we can >> > > > have access to the same public key KDC would be using for itself and can >> > > > kinit with it as an anchor: >> > > > >> > > > kinit -X x509_anchor=/path/to/local-ca.crt -n >> > > > >> > > > This approach allows us to avoid any modification to /etc/krb5.conf on >> > > > IPA master. An IPA framework would only need to have access to the >> > > > public key of local CA. And local CA is something certmonger provides >> > > > since its first run. >> > > > >> > > > Yes, we'll need to manage upgrades from DL0 to DL1 for PKINIT. In >> > > > practice this will mean we have to: >> > > > >> > > > - replace local CA-issued KDC certificate if we were upgraded to become >> > > > IPA-managed CA >> > > > >> > > > - replace local CA-issued KDC certificate with externally provided KDC >> > > > certificate if we were upgraded and provided with explicit certificates >> > > > >> > > > This is certainly doable and primary benefit is that we wouldn't need to >> > > > have any fallbacks anymore. We would always use Anonymous PKINIT within >> > > > the IPA framework and be done with it. >> > > >> > > Just to recap the reason to support PKINIT locally is for supporting 2FA >> > > in the WebUI which is a hard requirement. >> > Correct. >> > >> > > Using the local CA will make this work for local logins ONLY and this is >> > > OK. >> > > The kinit command should really be called with this option: >> > > x509_anchor=/var/kerberos/krb5kdc/cacert.pem so it will always work >> > > regardless of what CA cert is there (the local one or the real CA one). >> > The option is -X x509_anchor=... >> > >> > > The only issue will be handling SELinux issues, if those are a problem >> > > we can also simply copy the local-ca.crt >> > > in /var/lib/ipa/api/pkinit-ca.crt and always call kinit with that file. 
>> > I think we can do that in pre-start hook in httpd.service.d/ipa.conf >> > >> > > We would need to make sure we copy there the correct CA cert for the job >> > > (certmonger's local-ca crt if no pkinit is enabled or whatever CA cert >> > > we are given if pkinit is enabled). >> > > >> > >> > -- >> > / Alexander Bokovoy >> >> Ok so let's forget for a moment about the clients and focus on framework and >> PKINIT. We then have two options how to handle FAST wrapping: >> >> 1.) use a custom principal for FAST channel, e.g. ipaapi/`hostname` >> This is analogous to how were things done before privilege >> separation/PKINIT work. A plus is that you configure it once and it >> works regardless of whether PKINIT is configured properly or not. A >> minus is that when PKINIT is configured you are still using >> one special mechanism for FAST/2FA for the webui while the rest of >> clients are happily using anonymous principal. Another minus is that we >> introduce another n principals (where N is number of masters) which >> will (at least initially) be used only for FAST channel generation and >> nothing else. >> >> 2.) use anonymous principal for FAST channel. The advantage is that when >> PKINIT is configured properly (DL1), we use the same mechanism for >> FAST/2FA in the whole topology regardless of the use case (although as >> we already discussed we will still have to pass custom anchor location >> during password auth in the framework). A disadvantage is that in >> no-PKINIT case we would have to use certmonger's local CA to issue >> PKINIT cert, fetch the local CA cert and store it somewhere in (e.g. in >> /var/kerberos/kdc/cacert.pem). On DL-bump or if someone wishes to >> enable PKINIT we have to re-issue the certs by IPA and replace the CA >> cert by IPA-issued one (this can be made part of >> ipa-server-certinstall). >> >> I feel I can not really decide which approach is better. 
The first one is >> consistent with regard to PKINIT status and domain level but inconsistent with >> the client vs. server FAST channel generation mech. The second one uses common >> mechanism everywhere, but in no-PKINIT case we must 'fake' the anonymous PKINIT >> by specially issued certificates which feels a bit hacky to me. >Both Simo and me are for (2). > >Note that we are not faking anything in the case of DL0. It is real >PKINIT with limited functionality only. >-- >/ Alexander Bokovoy Right, since I myself am ambivalent on the issue I will update your PKINIT design page (or you can update it) on Monday and implement the agreed procedure for DL0/no-PKINIT handling next week. I have some code ready for the fixes in upgrade/replication so I have already tampered with the affected codebase. If somebody disagrees with the proposed solution he has today and Monday to voice his concerns. -- Martin Babinsky From freeipa-github-notification at redhat.com Fri Mar 24 10:53:41 2017 
From: freeipa-github-notification at redhat.com (flo-renaud) Date: Fri, 24 Mar 2017 11:53:41 +0100 Subject: [Freeipa-devel] [freeipa PR#652][opened] dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function Message-ID: URL: https://github.com/freeipa/freeipa/pull/652 Author: flo-renaud Title: #652: dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function Action: opened PR body: """ dogtag-ipa-ca-renew-agent-submit behaves differently depending on the certificate it needs to renew. For instance, some certificates (such as IPA RA) are the same on all the hosts and the renewal is actually done only on the renewal master. On other nodes, the new cert is downloaded from LDAP. The function is_replicated() is returning the opposite of what it should. If the cert nickname is IPA RA, it should return that the cert is replicated but it doesn't, and this leads to a wrong code path to renew the cert. https://pagure.io/freeipa/issue/6813 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/652/head:pr652 git checkout pr652 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-652.patch Type: text/x-diff Size: 1333 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 24 11:11:25 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 24 Mar 2017 12:11:25 +0100 Subject: [Freeipa-devel] [freeipa PR#650][synchronized] CA-less installation fix In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/650 Author: stlaz Title: #650: CA-less installation fix Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/650/head:pr650 git checkout pr650 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-650.patch Type: text/x-diff Size: 2838 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 24 11:13:07 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 24 Mar 2017 12:13:07 +0100 Subject: [Freeipa-devel] [freeipa PR#650][synchronized] CA-less installation fix In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/650 Author: stlaz Title: #650: CA-less installation fix Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/650/head:pr650 git checkout pr650 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-650.patch Type: text/x-diff Size: 2552 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 24 11:33:54 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 24 Mar 2017 12:33:54 +0100 Subject: [Freeipa-devel] [freeipa PR#640][synchronized] Remove pkinit options from master/replica on DL0 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/640 Author: stlaz Title: #640: Remove pkinit options from master/replica on DL0 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/640/head:pr640 git checkout pr640 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-640.patch Type: text/x-diff Size: 7305 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 24 12:10:24 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 24 Mar 2017 13:10:24 +0100 Subject: [Freeipa-devel] [freeipa PR#641][comment] Set "KDC:Disable Last Success" by default In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/641 Title: #641: Set "KDC:Disable Last Success" by default MartinBasti commented: """ Bump for review """ See the full comment at https://github.com/freeipa/freeipa/pull/641#issuecomment-289006230 From freeipa-github-notification at redhat.com Fri Mar 24 12:53:05 2017 From: freeipa-github-notification at redhat.com (simo5) Date: Fri, 24 Mar 2017 13:53:05 +0100 Subject: [Freeipa-devel] [freeipa PR#649][comment] Session cookie storage and handling fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/649 Title: #649: Session cookie storage and handling fixes simo5 commented: """ Thank you @tiran @abbra all very good comments, I'll address soon all of them """ See the full comment at https://github.com/freeipa/freeipa/pull/649#issuecomment-289014748 From freeipa-github-notification at redhat.com Fri Mar 24 12:54:17 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 24 Mar 2017 13:54:17 +0100 Subject: [Freeipa-devel] [freeipa PR#650][comment] CA-less installation fix In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/650 Title: #650: CA-less installation fix stlaz commented: """ Fixed according to the comments, thanks. """ See the full comment at https://github.com/freeipa/freeipa/pull/650#issuecomment-289014989 From freeipa-github-notification at redhat.com Fri Mar 24 13:23:03 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 24 Mar 2017 14:23:03 +0100 Subject: [Freeipa-devel] [freeipa PR#617][comment] Allow renaming of sudo and HBAC rules In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/617 Title: #617: Allow renaming of sudo and HBAC rules MartinBasti commented: """ I like the `allow_rename` attribute, as it really explains what is happening. Also I like the reworked check if primary key is in DN because original `self.obj.primary_key.name in entry_attrs` may return false positive results. I'm afraid about one thing. This will basically break custom user plugins if they used `rdn_is_private_key`. Shall we do some backward compatibility magic? """ See the full comment at https://github.com/freeipa/freeipa/pull/617#issuecomment-289021080 From freeipa-github-notification at redhat.com Fri Mar 24 13:28:53 2017 
From: freeipa-github-notification at redhat.com (abbra) Date: Fri, 24 Mar 2017 14:28:53 +0100 Subject: [Freeipa-devel] [freeipa PR#617][comment] Allow renaming of sudo and HBAC rules In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/617 Title: #617: Allow renaming of sudo and HBAC rules abbra commented: """ I haven't seen any custom plugin that used `rdn_is_private_key`. We can document the change in release notes. """ See the full comment at https://github.com/freeipa/freeipa/pull/617#issuecomment-289022375 From freeipa-github-notification at redhat.com Fri Mar 24 13:50:18 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 24 Mar 2017 14:50:18 +0100 Subject: [Freeipa-devel] [freeipa PR#653][opened] Bump samba version for FIPS and priv. separation Message-ID: URL: https://github.com/freeipa/freeipa/pull/653 Author: stlaz Title: #653: Bump samba version for FIPS and priv. separation Action: opened PR body: """ With the latest Samba, adding trusts to AD under FIPS should now work as well as adding trusts as a whole after the privilege separation rework. https://pagure.io/freeipa/issue/6671 https://pagure.io/freeipa/issue/6697 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/653/head:pr653 git checkout pr653 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-653.patch Type: text/x-diff Size: 1164 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 24 13:50:36 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 24 Mar 2017 14:50:36 +0100 Subject: [Freeipa-devel] [freeipa PR#617][comment] Allow renaming of sudo and HBAC rules In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/617 Title: #617: Allow renaming of sudo and HBAC rules MartinBasti commented: """ Please provide tests, LGTM otherwise """ See the full comment at https://github.com/freeipa/freeipa/pull/617#issuecomment-289027561 From freeipa-github-notification at redhat.com Fri Mar 24 14:13:32 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 24 Mar 2017 15:13:32 +0100 Subject: [Freeipa-devel] [freeipa PR#640][comment] Remove pkinit options from master/replica on DL0 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/640 Title: #640: Remove pkinit options from master/replica on DL0 martbab commented: """ @abbra I believe these changes are in line with our recent discussion regarding pkinit availability on DL0. Do you agree? """ See the full comment at https://github.com/freeipa/freeipa/pull/640#issuecomment-289033452 From freeipa-github-notification at redhat.com Fri Mar 24 14:24:28 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 24 Mar 2017 15:24:28 +0100 Subject: [Freeipa-devel] [freeipa PR#653][comment] Bump samba version for FIPS and priv. separation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/653 Title: #653: Bump samba version for FIPS and priv. separation MartinBasti commented: """ Please put proper rpms to freeipa-master and rerun travis when built """ See the full comment at https://github.com/freeipa/freeipa/pull/653#issuecomment-289036515 From freeipa-github-notification at redhat.com Fri Mar 24 14:24:53 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Fri, 24 Mar 2017 15:24:53 +0100 Subject: [Freeipa-devel] [freeipa PR#654][opened] spec: update url and sources Message-ID: URL: https://github.com/freeipa/freeipa/pull/654 Author: tomaskrizek Title: #654: spec: update url and sources Action: opened PR body: """ Point Source to upstream sources on pagure and add signature file. Use https for project URL. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/654/head:pr654 git checkout pr654 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-654.patch Type: text/x-diff Size: 1033 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 24 14:31:22 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 24 Mar 2017 15:31:22 +0100 Subject: [Freeipa-devel] [freeipa PR#617][synchronized] Allow renaming of sudo and HBAC rules In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/617 Author: stlaz Title: #617: Allow renaming of sudo and HBAC rules Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/617/head:pr617 git checkout pr617 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-617.patch Type: text/x-diff Size: 17773 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 24 14:32:24 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 24 Mar 2017 15:32:24 +0100 Subject: [Freeipa-devel] [freeipa PR#617][comment] Allow renaming of sudo and HBAC rules In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/617 Title: #617: Allow renaming of sudo and HBAC rules stlaz commented: """ Added the tests but did not test them so we may want to see what Travis has to say about that. """ See the full comment at https://github.com/freeipa/freeipa/pull/617#issuecomment-289038857 From freeipa-github-notification at redhat.com Fri Mar 24 14:35:25 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 24 Mar 2017 15:35:25 +0100 Subject: [Freeipa-devel] [freeipa PR#653][comment] Bump samba version for FIPS and priv. separation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/653 Title: #653: Bump samba version for FIPS and priv. separation stlaz commented: """ Unfortunately I can't do that. """ See the full comment at https://github.com/freeipa/freeipa/pull/653#issuecomment-289039691 From freeipa-github-notification at redhat.com Fri Mar 24 14:39:59 2017 From: freeipa-github-notification at redhat.com (abbra) Date: Fri, 24 Mar 2017 15:39:59 +0100 Subject: [Freeipa-devel] [freeipa PR#640][comment] Remove pkinit options from master/replica on DL0 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/640 Title: #640: Remove pkinit options from master/replica on DL0 abbra commented: """ Good question. I think we should remove all mentioning of PKINIT options for DL0 and explicitly configure local CA there. On DL1 we already require to provide pkinit cert for CA-less setup. However, there we should treat --no-pkinit as use of local CA (certmonger's one). """ See the full comment at https://github.com/freeipa/freeipa/pull/640#issuecomment-289041029 From freeipa-github-notification at redhat.com Fri Mar 24 14:41:38 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 24 Mar 2017 15:41:38 +0100 Subject: [Freeipa-devel] [freeipa PR#653][comment] Bump samba version for FIPS and priv. separation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/653 Title: #653: Bump samba version for FIPS and priv. separation MartinBasti commented: """ > Unfortunately I can't do that. ? I will do it for you """ See the full comment at https://github.com/freeipa/freeipa/pull/653#issuecomment-289041519 From freeipa-github-notification at redhat.com Fri Mar 24 14:45:47 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 24 Mar 2017 15:45:47 +0100 Subject: [Freeipa-devel] [freeipa PR#654][comment] spec: update url and sources In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/654 Title: #654: spec: update url and sources MartinBasti commented: """ LGTM """ See the full comment at https://github.com/freeipa/freeipa/pull/654#issuecomment-289042742 From freeipa-github-notification at redhat.com Fri Mar 24 15:23:57 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 24 Mar 2017 16:23:57 +0100 Subject: [Freeipa-devel] [freeipa PR#617][comment] Allow renaming of sudo and HBAC rules In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/617 Title: #617: Allow renaming of sudo and HBAC rules MartinBasti commented: """ ``` ************* Module ipatests.test_xmlrpc.test_sudorule_plugin ipatests/test_xmlrpc/test_sudorule_plugin.py:786: [E0001(syntax-error), ] unindent does not match any outer indentation level) ``` And please split it into multiple commits as I requested """ See the full comment at https://github.com/freeipa/freeipa/pull/617#issuecomment-289053965 From freeipa-github-notification at redhat.com Fri Mar 24 15:43:01 2017 
From: freeipa-github-notification at redhat.com (simo5) Date: Fri, 24 Mar 2017 16:43:01 +0100 Subject: [Freeipa-devel] [freeipa PR#649][synchronized] Session cookie storage and handling fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/649 Author: simo5 Title: #649: Session cookie storage and handling fixes Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/649/head:pr649 git checkout pr649 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-649.patch Type: text/x-diff Size: 20531 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 24 15:44:40 2017 From: freeipa-github-notification at redhat.com (simo5) Date: Fri, 24 Mar 2017 16:44:40 +0100 Subject: [Freeipa-devel] [freeipa PR#649][comment] Session cookie storage and handling fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/649 Title: #649: Session cookie storage and handling fixes simo5 commented: """ I should have addressed all comments. I did not comment on krb5_principal_compare() because I think that is obvious and the function definition also does not define an errcheck argument for it so it should be clear enough. """ See the full comment at https://github.com/freeipa/freeipa/pull/649#issuecomment-289060068 From freeipa-github-notification at redhat.com Fri Mar 24 15:48:17 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Fri, 24 Mar 2017 16:48:17 +0100 Subject: [Freeipa-devel] [freeipa PR#654][closed] spec: update url and sources In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/654 Author: tomaskrizek Title: #654: spec: update url and sources Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/654/head:pr654 git checkout pr654 From freeipa-github-notification at redhat.com Fri Mar 24 15:48:21 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Fri, 24 Mar 2017 16:48:21 +0100 Subject: [Freeipa-devel] [freeipa PR#654][comment] spec: update url and sources In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/654 Title: #654: spec: update url and sources tomaskrizek commented: """ It looks like the build somehow depends on the specfile, because it fails with ``` error: Bad file: /home/sharp/git/freeipa/rpmbuild/SOURCES/freeipa-4.5.90.dev201703241540+gitcec2cfb.tar.gz.asc: No such file or directory ``` I guess we can omit this in upstream. Fedora spec files have been updated and their build works fine. """ See the full comment at https://github.com/freeipa/freeipa/pull/654#issuecomment-289061104 From freeipa-github-notification at redhat.com Fri Mar 24 15:48:23 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Fri, 24 Mar 2017 16:48:23 +0100 Subject: [Freeipa-devel] [freeipa PR#654][+rejected] spec: update url and sources In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/654 Title: #654: spec: update url and sources Label: +rejected From freeipa-github-notification at redhat.com Fri Mar 24 15:51:01 2017 
From: freeipa-github-notification at redhat.com (simo5) Date: Fri, 24 Mar 2017 16:51:01 +0100 Subject: [Freeipa-devel] [freeipa PR#649][synchronized] Session cookie storage and handling fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/649 Author: simo5 Title: #649: Session cookie storage and handling fixes Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/649/head:pr649 git checkout pr649 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-649.patch Type: text/x-diff Size: 20502 bytes Desc: not available URL: From ssorce at redhat.com Fri Mar 24 16:10:18 2017 
From: ssorce at redhat.com (Simo Sorce) Date: Fri, 24 Mar 2017 12:10:18 -0400 Subject: [Freeipa-devel] PKINIT Handling in mixed/CA-less topologies In-Reply-To: <20170324105159.GD3928@dhcp129-180.brq.redhat.com> References: <20170323123323.GB4278@dhcp129-180.brq.redhat.com> <20170323140800.5fjdhztnkr576u2c@redhat.com> <1490279817.5861.25.camel@redhat.com> <20170323144620.5gurhtdx2dkv57cy@redhat.com> <20170324084340.GC3928@dhcp129-180.brq.redhat.com> <20170324085349.7vtyvwke4ztw5gub@redhat.com> <20170324105159.GD3928@dhcp129-180.brq.redhat.com> Message-ID: <1490371818.5861.63.camel@redhat.com> On Fri, 2017-03-24 at 11:52 +0100, Martin Babinsky wrote: > On Fri, Mar 24, 2017 at 10:53:49AM +0200, Alexander Bokovoy wrote: > >On Fri, 24 Mar 2017, Martin Babinsky wrote: > >> On Thu, Mar 23, 2017 at 04:46:20PM +0200, Alexander Bokovoy wrote: > >> > On Thu, 23 Mar 2017, Simo Sorce wrote: > >> > > On Thu, 2017-03-23 at 16:08 +0200, Alexander Bokovoy wrote: > >> > > > On Thu, 23 Mar 2017, Martin Babinsky wrote: > >> > > > >Hi List, > >> > > > > > >> > > > >TL;DR we have to handle FAST channel establishment when KDC is not issued > >> > > > >PKINIT keypair > >> > > > > > >> > > > >I have spent some time studying and fixing bugs/regressions caused by > >> > > > >incomplete consideration of PKINIT and anonymous principal setup regarding to > >> > > > > > >> > > > >* replicas stood up against old (3.0.0) masters > >> > > > >* domain level 0 topologies > >> > > > >* CA-less deployments > >> > > > > > >> > > > >I want to discuss the impact of these findings on existing functionality and > >> > > > >how to fix them so that 4.5.1 release will be more usable and free of subtle > >> > > > >but serious bugs (more on this later). 
> >> > > > > > >> > > > >From conversation from Alexander and Simo it follows that anonymous PKINIT > >> > > > >feature is supposed to be used in domain level 1 deployments because only these > >> > > > >guarantee the presence of the features (CA ACLs and custom certificate > >> > > > >profiles) which allow for issuing certificates suitable for PKINIT > >> > > > >authentication. This leads to the following considerations: > >> > > > > > >> > > > >* on DL0 enforce no_pkinit on server/replica deployments > >> > > > >* during upgrade of DL0 deployments, do not issue PKINIT certificates > >> > > > >* during upgrade of DL1 deployments issue PKINIT certs > >> > > > >* extend ipa-server-certinstall to install/issue PKINIT certificates after > >> > > > > DL0/DL1 upgrade (have to be manually). > >> > > > > > >> > > > >However, I found out that the only case when anonymous PKINIT actually works is > >> > > > >for fresh DL1 server install and upgrade and install of 4.5.0 replica against > >> > > > >4.5.0 master in DL1. The following use-cases either fail to install or leave > >> > > > >the system with unusable password auth (e.g. WebUI login): > >> > > > > > >> > > > >* setting up 4.5 replica against <4.5 master fails during anonymous > >> > > > > principal setup[1] (ticket states domain level 0, but DL1 is also > >> > > > > affected) > >> > > > >* setting up server-replica with `no_pkinit` option (CA-full or CA-less) > >> > > > > leaves the installation without non-working WebUI as anonymous PKINIT does > >> > > > > not work (ticket incoming) > >> > > > >* If we restrict DL0 installs to force no_pkinit[2] we will be left with > >> > > > > whole topologies where anonymous PKINIT does not work, so no WebUI auth > >> > > > > for them > >> > > > > > >> > > > >We now have to decide how to properly support or avoid non-PKINIT deployments. 
> >> > > > >The current code which handles armoring of password auth requests[3] does not > >> > > > >actually work without PKINIT certificates, the fallback mechanism still fails > >> > > > >to obtain armor ccache[4]. > >> > > > > > >> > > > >I have concluded that for non-PKINIT cases we have > >> > > > >to use the old way to armor TGT request (i.e. establish fast channel by > >> > > > >kinit as service principal), but this means that the framework has to use a > >> > > > >service principal whose keytab it can read and use. After privilege separation, > >> > > > >however, we do not have direct access to HTTP keytab so how should we proceed > >> > > > >in this case? We definitely need to discuss this further. > >> > > > > > >> > > > >Please state your suggestions and comments, and sorry for the long mail. > >> > > > Thanks, Martin, for the thorough analysis. > >> > > > > >> > > > I need to clarify *why* we need working Anonymous PKINIT. There are two > >> > > > separate needs here: > >> > > > > >> > > > - Enable clients with no access to a separate key to be usable for 2FA > >> > > > accounts. This can be best explained as to support Kerberos auth from > >> > > > non-enrolled machines or machines where no SSSD is in use. In such > >> > > > cases we cannot use another credentials to create FAST channel and > >> > > > pass 2FA creds with kinit. > >> > > > > >> > > > - Enable IPA framework to perform password-based login for 2FA. With > >> > > > privilege separation we don't have access to HTTP/... principal's > >> > > > keytab anymore (gssproxy does) and neither GSSAPI nor gssproxy > >> > > > support FAST channel wrapping for explicitly specified password+2FA > >> > > > token. > >> > > > > >> > > > For DL0 we do not officially support PKINIT, so first case is not > >> > > > relevant. However, second case is what we need even on DL0 because > >> > > > otherwise IPA framework does not work, as you have witnessed. 
> >> > > > > >> > > > We thought that we could solve this problem by re-using anonymous > >> > > > principal as 'normal' principal -- by fetching its keytab and > >> > > > authenticating with the keys from it. But for anonymous principal MIT > >> > > > Kerberos library does verification of the session key and requires it to > >> > > > be provided with PKINIT PA DATA when there is no wrapping principal > >> > > > keys. > >> > > > > >> > > > See RFC 6112 section 4.1: https://tools.ietf.org/html/rfc6112#section-4.1 > >> > > > > >> > > > ---- > >> > > > The Kerberos client can use the client's long-term keys, the client's > >> > > > X.509 certificates [RFC4556], or any other pre-authentication data, > >> > > > to authenticate to the KDC and requests an anonymous ticket in an AS > >> > > > exchange where the client's identity is known to the KDC. > >> > > > > >> > > > If the client in the AS request is anonymous, the anonymous KDC > >> > > > option MUST be set in the request. Otherwise, the KDC MUST return a > >> > > > KRB-ERROR message with the code KDC_ERR_BADOPTION. > >> > > > ---- > >> > > > > >> > > > Corresponding code in MIT Kerberos is this: > >> > > > https://github.com/krb5/krb5/blob/master/src/lib/krb5/krb/get_in_tkt.c#L157 > >> > > > > >> > > > So, using keytab for anonymous principal does not work. We either can > >> > > > have another principal to perform wrapping or actually fix PKINIT for > >> > > > DL0 for the purpose of IPA framework. > >> > > > > >> > > > The latter is easy to achieve. Certmonger maintains two local CAs: > >> > > > SelfSign and 'local': > >> > > > > >> > > > # getcert list-cas > >> > > > [....] 
> >> > > > CA 'SelfSign': > >> > > > is-default: no > >> > > > ca-type: INTERNAL:SELF > >> > > > next-serial-number: 01 > >> > > > CA 'local': > >> > > > is-default: no > >> > > > ca-type: EXTERNAL > >> > > > helper-location: /usr/libexec/certmonger/local-submit > >> > > > > >> > > > The first one self-signs whatever request you provide, the second one > >> > > > signs it with a locally generated CA which is unique to each host. The > >> > > > latter one doesn't perform any checks and simply signs the request. > >> > > > > >> > > > Obviously, relying on certmonger's local CA to provide PKINIT to other > >> > > > IPA clients does not scale. But we already established we wouldn't do > >> > > > that. In IPA framework which runs on the very same host as KDC, we can > >> > > > have access to the same public key KDC would be using for itself and can > >> > > > kinit with it as an anchor: > >> > > > > >> > > > kinit -X x509_anchor=/path/to/local-ca.crt -n > >> > > > > >> > > > This approach allows us to avoid any modification to /etc/krb5.conf on > >> > > > IPA master. An IPA framework would only need to have access to the > >> > > > public key of local CA. And local CA is something certmonger provides > >> > > > since its first run. > >> > > > > >> > > > Yes, we'll need to manage upgrades from DL0 to DL1 for PKINIT. In > >> > > > practice this will mean we have to: > >> > > > > >> > > > - replace local CA-issued KDC certificate if we were upgraded to become > >> > > > IPA-managed CA > >> > > > > >> > > > - replace local CA-issued KDC certificate with externally provided KDC > >> > > > certificate if we were upgraded and provided with explicit certificates > >> > > > > >> > > > This is certainly doable and primary benefit is that we wouldn't need to > >> > > > have any fallbacks anymore. We would always use Anonymous PKINIT within > >> > > > the IPA framework and be done with it. 
> >> > > > >> > > Just to recap the reason to support PKINIT locally is for supporting 2FA > >> > > in the WebUI which is a hard requirement. > >> > Correct. > >> > > >> > > Using the local CA will make this work for local logins ONLY and this is > >> > > OK. > >> > > The kinit command should really be called with this option: > >> > > x509_anchor=/var/kerberos/krb5kdc/cacert.pem so it will always work > >> > > regardless of what CA cert is there (the local one or the real CA one). > >> > The option is -X x509_anchor=... > >> > > >> > > The only issue will be handling SELinux issues, if those are a problem > >> > > we can also simply copy the local-ca.crt > >> > > in /var/lib/ipa/api/pkinit-ca.crt and always call kinit with that file. > >> > I think we can do that in pre-start hook in httpd.service.d/ipa.conf > >> > > >> > > We would need to make sure we copy there the correct CA cert for the job > >> > > (certmonger's local-ca crt if no pkinit is enabled or whatever CA cert > >> > > we are given if pkinit is enabled). > >> > > > >> > > >> > -- > >> > / Alexander Bokovoy > >> > >> Ok so let's forget for a moment about the clients and focus on framework and > >> PKINIT. We then have two options how to handle FAST wrapping: > >> > >> 1.) use a custom principal for FAST channel, e.g. ipaapi/`hostname` > >> This is analogous to how were things done before privilege > >> separation/PKINIT work. A plus is that you configure it once and it > >> works regardless of whether PKINIT is configured properly or not. A > >> minus is that when PKINIT is configured you are still using > >> one special mechanism for FAST/2FA for the webui while the rest of > >> clients are happily using anonymous principal. Another minus is that we > >> introduce another n principals (where N is number of masters) which > >> will (at least initially) be used only for FAST channel generation and > >> nothing else. > >> > >> 2.) use anonymous principal for FAST channel. 
The advantage is that when > >> PKINIT is configured properly (DL1), we use the same mechanism for > >> FAST/2FA in the whole topology regardless of the use case (although as > >> we already discussed we will still have to pass custom anchor location > >> during password auth in the framework). A disadvantage is that in > >> no-PKINIT case we would have to use certmonger's local CA to issue > >> PKINIT cert, fetch the local CA cert and store it somewhere in (e.g. in > >> /var/kerberos/kdc/cacert.pem). On DL-bump or if someone wishes to > >> enable PKINIT we have to re-issue the certs by IPA and replace the CA > >> cert by IPA-issued one (this can be made part of > >> ipa-server-certinstall). > >> > >> I feel I can not really decide which approach is better. The first one is > >> consistent with regard to PKINIT status and domain level but inconsistent with > >> the client vs. server FAST channel generation mech. The second one uses common > >> mechanism everywhere, but in no-PKINIT case we must 'fake' the anonymous PKINIT > >> by specially issued certificates which feels a bit hacky to me. > >Both Simo and me are for (2). > > > >Note that we are not faking anything in the case of DL0. It is real > >PKINIT with limited functionality only. > >-- > >/ Alexander Bokovoy > > Right, since I myself am ambivalent on the issue I will update your PKINIT > design page (or you can update it) on Monday and implement the agreed procedure > for DL0/no-PKINIT handling next week. I have some code ready for the fixes in > upgrade/replication so I have already tampered with the affected codebase. > > If somebody disagrees with the proposed solution he has today and Monday to > voice his concerns. I think 2) is superior in that it reduces the number of mechanisms we need to use and allows us to remove completely the fallback to the anon keytab (which doesn't work) and reduces the number of secrets we need to store on the system, one less keytab (also compared to 1). 
So I am firmly for 2) Simo. From freeipa-github-notification at redhat.com Fri Mar 24 18:54:24 2017 From: freeipa-github-notification at redhat.com (sumit-bose) Date: Fri, 24 Mar 2017 19:54:24 +0100 Subject: [Freeipa-devel] [freeipa PR#644][synchronized] extdom: improve certificate request In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/644 Author: sumit-bose Title: #644: extdom: improve certificate request Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/644/head:pr644 git checkout pr644 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-644.patch Type: text/x-diff Size: 10950 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Mar 27 06:39:05 2017 From: freeipa-github-notification at redhat.com (sumit-bose) Date: Mon, 27 Mar 2017 08:39:05 +0200 Subject: [Freeipa-devel] [freeipa PR#644][synchronized] extdom: improve certificate request In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/644 Author: sumit-bose Title: #644: extdom: improve certificate request Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/644/head:pr644 git checkout pr644 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-644.patch Type: text/x-diff Size: 10256 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Mar 27 06:39:38 2017 
From: freeipa-github-notification at redhat.com (sumit-bose) Date: Mon, 27 Mar 2017 08:39:38 +0200 Subject: [Freeipa-devel] [freeipa PR#575][synchronized] IPA certauth plugin In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/575 Author: sumit-bose Title: #575: IPA certauth plugin Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/575/head:pr575 git checkout pr575 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-575.patch Type: text/x-diff Size: 26395 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Mar 27 06:41:12 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 27 Mar 2017 08:41:12 +0200 Subject: [Freeipa-devel] [freeipa PR#617][synchronized] Allow renaming of sudo and HBAC rules In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/617 Author: stlaz Title: #617: Allow renaming of sudo and HBAC rules Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/617/head:pr617 git checkout pr617 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-617.patch Type: text/x-diff Size: 19379 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Mar 27 06:41:39 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 27 Mar 2017 08:41:39 +0200 Subject: [Freeipa-devel] [freeipa PR#617][comment] Allow renaming of sudo and HBAC rules In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/617 Title: #617: Allow renaming of sudo and HBAC rules stlaz commented: """ *sigh* there was a rogue space. Split into three separate commits. """ See the full comment at https://github.com/freeipa/freeipa/pull/617#issuecomment-289366812 From freeipa-github-notification at redhat.com Mon Mar 27 06:48:55 2017 From: freeipa-github-notification at redhat.com (sumit-bose) Date: Mon, 27 Mar 2017 08:48:55 +0200 Subject: [Freeipa-devel] [freeipa PR#575][closed] IPA certauth plugin In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/575 Author: sumit-bose Title: #575: IPA certauth plugin Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/575/head:pr575 git checkout pr575 From freeipa-github-notification at redhat.com Mon Mar 27 06:48:59 2017
From: freeipa-github-notification at redhat.com (sumit-bose) Date: Mon, 27 Mar 2017 08:48:59 +0200 Subject: [Freeipa-devel] [freeipa PR#575][reopened] IPA certauth plugin In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/575 Author: sumit-bose Title: #575: IPA certauth plugin Action: reopened To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/575/head:pr575 git checkout pr575 From freeipa-github-notification at redhat.com Mon Mar 27 06:56:15 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 27 Mar 2017 08:56:15 +0200 Subject: [Freeipa-devel] [freeipa PR#639][+pushed] WebUI: Login for AD Users In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/639 Title: #639: WebUI: Login for AD Users Label: +pushed From freeipa-github-notification at redhat.com Mon Mar 27 06:56:19 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 27 Mar 2017 08:56:19 +0200 Subject: [Freeipa-devel] [freeipa PR#639][comment] WebUI: Login for AD Users In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/639 Title: #639: WebUI: Login for AD Users martbab commented: """ master: * 1dcdcd12f4336c98e7507fe0e7f0c0da2bc69eba WebUI: check principals in lowercase * 2992e3c5d480567cfdc71b38365d5d74f009b4d2 WebUI: add method for disabling item in user dropdown menu * ceedc3f7ecb1300ed5bfaf5db8ef1b1450c6288e WebUI: Add support for login for AD users ipa-4-5: * bee9c9f090e7808a2381054fa63c1d036743296c WebUI: check principals in lowercase * 01a0a38bdf53821bc420f01dc98fae577f83eabb WebUI: add method for disabling item in user dropdown menu * 228e039e7d718ced7dce7c32cca3a89404c0a16e WebUI: Add support for login for AD users """ See the full comment at https://github.com/freeipa/freeipa/pull/639#issuecomment-289369118 From freeipa-github-notification at redhat.com Mon Mar 27 06:56:22 2017 
From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 27 Mar 2017 08:56:22 +0200 Subject: [Freeipa-devel] [freeipa PR#639][closed] WebUI: Login for AD Users In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/639 Author: pvomacka Title: #639: WebUI: Login for AD Users Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/639/head:pr639 git checkout pr639 From freeipa-github-notification at redhat.com Mon Mar 27 07:02:58 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 27 Mar 2017 09:02:58 +0200 Subject: [Freeipa-devel] [freeipa PR#634][+pushed] cert: do not limit internal searches in cert-find In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/634 Title: #634: cert: do not limit internal searches in cert-find Label: +pushed From freeipa-github-notification at redhat.com Mon Mar 27 07:03:01 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 27 Mar 2017 09:03:01 +0200 Subject: [Freeipa-devel] [freeipa PR#634][comment] cert: do not limit internal searches in cert-find In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/634 Title: #634: cert: do not limit internal searches in cert-find martbab commented: """ master: * 6de507c2cad255975665eca6dd6ef7c8f2458d51 cert: do not limit internal searches in cert-find ipa-4-5: * 6382f9eee335907362a5ccb44b892f59de7d3751 cert: do not limit internal searches in cert-find """ See the full comment at https://github.com/freeipa/freeipa/pull/634#issuecomment-289370236 From freeipa-github-notification at redhat.com Mon Mar 27 07:03:05 2017 
From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 27 Mar 2017 09:03:05 +0200 Subject: [Freeipa-devel] [freeipa PR#634][closed] cert: do not limit internal searches in cert-find In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/634 Author: HonzaCholasta Title: #634: cert: do not limit internal searches in cert-find Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/634/head:pr634 git checkout pr634 From freeipa-github-notification at redhat.com Mon Mar 27 07:04:17 2017 From: freeipa-github-notification at redhat.com (dkupka) Date: Mon, 27 Mar 2017 09:04:17 +0200 Subject: [Freeipa-devel] [freeipa PR#575][comment] IPA certauth plugin In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/575 Title: #575: IPA certauth plugin dkupka commented: """ I've tested the patches and it worked as expected. Once CI successfully finishes I'll ACK it. """ See the full comment at https://github.com/freeipa/freeipa/pull/575#issuecomment-289370441 From freeipa-github-notification at redhat.com Mon Mar 27 07:06:48 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 27 Mar 2017 09:06:48 +0200 Subject: [Freeipa-devel] [freeipa PR#490][comment] certdb: use certutil and match_hostname for cert verification In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/490 Title: #490: certdb: use certutil and match_hostname for cert verification stlaz commented: """ @tiran Could you please finish the review? I guess we can omit the change in `.spec.in` for the review time being. """ See the full comment at https://github.com/freeipa/freeipa/pull/490#issuecomment-289370833 From freeipa-github-notification at redhat.com Mon Mar 27 07:23:21 2017 
From: freeipa-github-notification at redhat.com (sumit-bose) Date: Mon, 27 Mar 2017 09:23:21 +0200 Subject: [Freeipa-devel] [freeipa PR#644][closed] extdom: improve certificate request In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/644 Author: sumit-bose Title: #644: extdom: improve certificate request Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/644/head:pr644 git checkout pr644 From freeipa-github-notification at redhat.com Mon Mar 27 07:23:25 2017 From: freeipa-github-notification at redhat.com (sumit-bose) Date: Mon, 27 Mar 2017 09:23:25 +0200 Subject: [Freeipa-devel] [freeipa PR#644][reopened] extdom: improve certificate request In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/644 Author: sumit-bose Title: #644: extdom: improve certificate request Action: reopened To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/644/head:pr644 git checkout pr644 From freeipa-github-notification at redhat.com Mon Mar 27 07:43:34 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 27 Mar 2017 09:43:34 +0200 Subject: [Freeipa-devel] [freeipa PR#631][synchronized] Upgrade: configure PKINIT after adding anonymous principal In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/631 Author: martbab Title: #631: Upgrade: configure PKINIT after adding anonymous principal Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/631/head:pr631 git checkout pr631 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-631.patch Type: text/x-diff Size: 272805 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Mar 27 07:44:32 2017 
From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 27 Mar 2017 09:44:32 +0200 Subject: [Freeipa-devel] [freeipa PR#631][synchronized] Upgrade: configure PKINIT after adding anonymous principal In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/631 Author: martbab Title: #631: Upgrade: configure PKINIT after adding anonymous principal Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/631/head:pr631 git checkout pr631 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-631.patch Type: text/x-diff Size: 4696 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Mar 27 07:45:27 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 27 Mar 2017 09:45:27 +0200 Subject: [Freeipa-devel] [freeipa PR#631][comment] Upgrade: configure PKINIT after adding anonymous principal In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/631 Title: #631: Upgrade: configure PKINIT after adding anonymous principal martbab commented: """ I have prepared a more thorough fix which should cover more edge cases. """ See the full comment at https://github.com/freeipa/freeipa/pull/631#issuecomment-289378096 From freeipa-github-notification at redhat.com Mon Mar 27 07:49:54 2017 From: freeipa-github-notification at redhat.com (dkupka) Date: Mon, 27 Mar 2017 09:49:54 +0200 Subject: [Freeipa-devel] [freeipa PR#575][+ack] IPA certauth plugin In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/575 Title: #575: IPA certauth plugin Label: +ack From freeipa-github-notification at redhat.com Mon Mar 27 07:53:11 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Mon, 27 Mar 2017 09:53:11 +0200 Subject: [Freeipa-devel] [freeipa PR#650][comment] CA-less installation fix In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/650 Title: #650: CA-less installation fix HonzaCholasta commented: """ @stlaz, `NSSDatabase.publish_ca_cert()` and `CertDB.publish_ca_cert()` become unused after your changes, could we remove them? """ See the full comment at https://github.com/freeipa/freeipa/pull/650#issuecomment-289379575 From freeipa-github-notification at redhat.com Mon Mar 27 07:53:37 2017 From: freeipa-github-notification at redhat.com (dkupka) Date: Mon, 27 Mar 2017 09:53:37 +0200 Subject: [Freeipa-devel] [freeipa PR#575][comment] IPA certauth plugin In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/575 Title: #575: IPA certauth plugin dkupka commented: """ master: * da880decfedc66f9d0d2734dcb86c23a8866f603 ipa-kdb: add ipadb_fetch_principals_with_extra_filter() * c4156041feb9c48598427ad59e43313b9c7327bb IPA certauth plugin ipa-4-5: * cfaaf4e821338dbc146dd49d3c22978165d2e329 ipa-kdb: add ipadb_fetch_principals_with_extra_filter() * 5a1ce1fbaa6c7a85bd1bee2a70b8b22509ede7c7 IPA certauth plugin """ See the full comment at https://github.com/freeipa/freeipa/pull/575#issuecomment-289379658 From freeipa-github-notification at redhat.com Mon Mar 27 07:53:40 2017 From: freeipa-github-notification at redhat.com (dkupka) Date: Mon, 27 Mar 2017 09:53:40 +0200 Subject: [Freeipa-devel] [freeipa PR#575][closed] IPA certauth plugin In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/575 Author: sumit-bose Title: #575: IPA certauth plugin Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/575/head:pr575 git checkout pr575 From freeipa-github-notification at redhat.com Mon Mar 27 07:53:42 2017 
From: freeipa-github-notification at redhat.com (dkupka) Date: Mon, 27 Mar 2017 09:53:42 +0200 Subject: [Freeipa-devel] [freeipa PR#575][+pushed] IPA certauth plugin In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/575 Title: #575: IPA certauth plugin Label: +pushed From freeipa-github-notification at redhat.com Mon Mar 27 08:06:25 2017 From: freeipa-github-notification at redhat.com (dkupka) Date: Mon, 27 Mar 2017 10:06:25 +0200 Subject: [Freeipa-devel] [freeipa PR#655][opened] httpinstance.disable_system_trust: Don't fail if module 'Root Certs' … Message-ID: URL: https://github.com/freeipa/freeipa/pull/655 Author: dkupka Title: #655: httpinstance.disable_system_trust: Don't fail if module 'Root Certs' … Action: opened PR body: """ …is not available Server installation failed when attempting to disable module 'Root Certs' and the module was not available in HTTP_ALIAS_DIR. When the module is not available there's no need to disable it and the error may be treated as success. https://pagure.io/freeipa/issue/6803 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/655/head:pr655 git checkout pr655 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-655.patch Type: text/x-diff Size: 1606 bytes Desc: not available URL: From tkrizek at redhat.com Mon Mar 27 08:12:50 2017
From: tkrizek at redhat.com (Tomas Krizek) Date: Mon, 27 Mar 2017 10:12:50 +0200 Subject: [Freeipa-devel] Announcing FreeIPA 4.4.4 In-Reply-To: <03a0c3e1-a1f6-638f-e550-abff5f8c846f@redhat.com> References: <03a0c3e1-a1f6-638f-e550-abff5f8c846f@redhat.com> Message-ID: <7a5d1eb1-c36b-124e-5f69-88a3bb1fafba@redhat.com> On 03/23/2017 07:15 PM, Martin Basti wrote: > > Release date: 2017-03-23 > > The FreeIPA team would like to announce FreeIPA 4.4.4 release! > > It can be downloaded from http://www.freeipa.org/page/Downloads. > Builds for > Fedora 24 will be available in the official COPR repository > . > > This announcement is also available > at. > > > == Highlights in 4.4.4 == > === Enhancements === > === Known Issues === > === Bug fixes === > FreeIPA 4.4.4 is a stabilization release for the features delivered as a > part of 4.4.0. > > == Upgrading == > Upgrade instructions are available on [[Upgrade]] page. > > == Feedback == > Please provide comments, bugs and other feedback via the freeipa-users > mailing > list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa > channel on Freenode. > > == Resolved tickets == > * 6776 krb5 1.15 broke DAL principal free > * 6738 Ipa-kra-install fails with weird output when backspace is used > during typing Directory Manager password > * 6713 ipa: Insufficient permission check for ca-del, ca-disable and > ca-enable commands (CVE-2017-2590) > * 6647 batch param compatibility is incorrect > * 6608 IPA server installation should check if IPv6 stack is enabled > * 6600 Legacy client tests doesn't have tree domain role. 
> * 6588 replication race condition prevents IPA to install > * 6575 ipa-replica-install fails on requesting DS cert when master is > not configured with IPv6 > * 6070 ipa-replica-install fails to install when resolv.conf > incomplete entries > == Detailed changelog since 4.4.3 == > === Alexander Bokovoy (1) === > * ipa-kdb: support KDB DAL version 6.1 > > === David Kupka (1) === > * ipapython.ipautil.nolog_replace: Do not replace empty value > > === Florence Blanc-Renaud (1) === > * Do not configure PKI ajp redirection to use "::1" > > === Fraser Tweedale (2) === > * ca: correctly authorise ca-del, ca-enable and ca-disable > * Set up DS TLS on replica in CA-less topology > > === Ganna Kaihorodova (1) === > * Tests: Add tree root domain role in legacy client tests > > === Jan Cholasta (1) === > * compat: fix `Any` params in `batch` and `dnsrecord` > > === Martin Basti (7) === > * Become IPA 4.4.4 > * Update Contributors.txt > * FreeIPA 4.4.4 translations > * Bump python-dns to improve processing of non-complete resolv.conf > * Use proper logging for error messages > * Wait until HTTPS principal entry is replicated to replica > * wait_for_entry: use only DN as parameter > > === Stanislav Laznicka (2) === > * Add debug log in case cookie retrieval went wrong > * Fix cookie with Max-Age processing > > === Tomas Krizek (1) === > * server install: require IPv6 stack to be enabled > > === Thorsten Scherf (1) === > * added ssl verification using IPA trust anchor > > > FreeIPA 4.4.4 was released to rawhide, F26 and F25. F25: https://bodhi.fedoraproject.org/updates/freeipa-4.4.4-1.fc25 F26: build is currently failing, will be resolved after alpha freeze (blocked by [1]) [1] - https://pagure.io/389-ds-base/issue/49177 -- Tomas Krizek PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869 -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 473 bytes Desc: OpenPGP digital signature URL: From tkrizek at redhat.com Mon Mar 27 08:13:51 2017 
From: tkrizek at redhat.com (Tomas Krizek) Date: Mon, 27 Mar 2017 10:13:51 +0200 Subject: [Freeipa-devel] Announcing FreeIPA 4.3.3 In-Reply-To: References: Message-ID: On 03/23/2017 08:06 PM, Martin Basti wrote: > > Release date: 2017-03-23 > > The FreeIPA team would like to announce FreeIPA 4.3.3 release! > > It can be downloaded from http://www.freeipa.org/page/Downloads. > > Please note that this is the last upstream release of FreeIPA 4.3.x > branch. > > This announcement is also available at > . > > > == Highlights in 4.3.3 == > === Enhancements === > === Known Issues === > === Bug fixes === > FreeIPA 4.3.3 is a stabilization release for the features delivered as a > part of 4.3.0. There are more than 20 bug-fixes which details can be > seen in > the list of resolved tickets below. > > == Upgrading == > Upgrade instructions are available on [[Upgrade]] page. > > == Feedback == > Please provide comments, bugs and other feedback via the freeipa-users > mailing > list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa > channel on Freenode. 
> > == Resolved tickets == > * 6774 FreeIPA client <= 4.4 fail to parse 4.5 cookies > * 6561 CVE-2016-7030 freeipa: ipa: DoS attack against kerberized > services by abusing password policy > * 6560 CVE-2016-9575 freeipa: ipa: Insufficient permission check in > certprofile-mod > * 6485 Document make_delete_command method in UserTracker > * 6378 Tests: Fix failing sudo test > * 6317 backport #6213 Incorrect test for > DNSForwardPolicyConflictWithEmptyZone warning in > test_xmlrpc/test_dns_plugin > * 6316 backport #6199 Received ACIError instead of DuplicatedError in > stageuser_tests > * 6311 Fix or remove the `LDAPUpdate.update_from_dict` method > * 6287 Refer to nodes in TestWrongClientDomain replica promotion tests > as replicas > * 6284 Tests: avoid skipping tests because of missing files when > running as outoftree > * 6278 Use OAEP padding with custodia (to avoid CVE-2016-6298) > * 6262 Fix integration sudo tests setup and checks > * 6254 kinit_admin raises an exception if server uninstallation is > called from test teardown with server not installed > * 6244 build: add python-libsss_nss_idmap and python-sss to BuildRequires > * 6205 The ipa-server-upgrade command failed when named-pkcs11 does > not happen to run during dnf upgrade > * 6177 ca-less test are broken - invalid usage of ipautil.run > * 6167 Incorrect domainlevel info in tests > * 6166 Subsequent external CA installation fails > * 6147 Failing automember tests due to manager output normalization > * 6134 Command "ipa-replica-prepare" not allowed to create line > replication topology > * 6120 ipa-adtrust-install: when running with --netbios-name="", the > NetBIOS name is changed without notification > * 6076 Mulitple domain Active Directory Trust conflict > * 6056 custodia.conf and server.keys file is world-readable. > * 6016 ipa-ca-install on replica tries to connect to master:8443 > * 5696 Add conflicts with bind-chroot to spec. 
> == Detailed changelog since 4.3.2 == > === Alexander Bokovoy (5) === > * ipa-kdb: search for password policies globally > * ipa-kdb: simplify trusted domain parent search > * trust: make sure ID range is created for the child domain even if it > exists > * trust: automatically resolve DNS trust conflicts for triangle trusts > * ipaserver/dcerpc: reformat to make the code closer to pep8 > > === Christian Heimes (3) === > * Use RSA-OAEP instead of RSA PKCS#1 v1.5 > * Secure permissions of Custodia server.keys > * RedHatCAService should wait for local Dogtag instance > > === David Kupka (1) === > * password policy: Add explicit default password policy for hosts and > services > > === Fraser Tweedale (2) === > * certprofile-mod: correctly authorise config update > * cert-revoke: fix permission check bypass (CVE-2016-5404) > > === Ganna Kaihorodova (1) === > * Fix for integration tests replication layouts > > === Jan Cholasta (2) === > * Revert "spec: add conflict with bind-chroot to freeipa-server-dns" > * install: fix external CA cert validation > > === Lenka Doudova (7) === > * Document make_delete_command method in UserTracker > * Tests: Fix integration sudo test > * Tests: Fix integration sudo tests setup and checks > * Tests: Avoid skipping tests due to missing files > * Raise error when running ipa-adtrust-install with empty netbios--name > * Tests: Fix failing automember tests > * Tests: Remove DNS configuration from trust tests > > === Martin Babinsky (1) === > * add python-libsss_nss_idmap and python-sss to BuildRequires > > === Martin Basti (5) === > * Become IPA 4.3.3 > * Update Contributors.txt > * Raise DuplicatedEnrty error when user exists in delete_container > * Catch DNS exceptions during emptyzones named.conf upgrade > * Start named during configuration upgrade. 
> > === Oleg Fayans (3) === > * Changed addressing to the client hosts to be replicas > * Disabled raiseonerr in kinit call during topology level check > * Fixed incorrect domainlevel determination in tests > > === Peter Lacko (1) === > * Test URIs in certificate. > > === Petr Spacek (3) === > * Tests: fix test_forward_zones in test_xmlrpc/test_dns_plugin > * DNS server upgrade: do not fail when DNS server did not respond > * Fix ipa-replica-prepare's error message about missing local CA instance > > === Petr Vobornik (1) === > * ca-less tests: fix getting cert in pem format from nssdb > > === Stanislav Laznicka (3) === > * Add debug log in case cookie retrieval went wrong > * Fix cookie with Max-Age processing > * Remove update_from_dict() method > > === Tomas Krizek (1) === > * Keep NSS trust flags of existing certificates > > > > FreeIPA 4.3.3 was released to Fedora 24. F24: https://bodhi.fedoraproject.org/updates/freeipa-4.3.3-1.fc24 -- Tomas Krizek PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869 -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 473 bytes Desc: OpenPGP digital signature URL: From freeipa-github-notification at redhat.com Mon Mar 27 08:44:41 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Mon, 27 Mar 2017 10:44:41 +0200 Subject: [Freeipa-devel] [freeipa PR#616][reopened] Simplify KRA transport cert cache In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/616 Author: tiran Title: #616: Simplify KRA transport cert cache Action: reopened To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/616/head:pr616 git checkout pr616 From freeipa-github-notification at redhat.com Mon Mar 27 08:44:44 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Mon, 27 Mar 2017 10:44:44 +0200 Subject: [Freeipa-devel] [freeipa PR#616][comment] Simplify KRA transport cert cache In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/616 Title: #616: Simplify KRA transport cert cache HonzaCholasta commented: """ I guess you must have missed my last comment about the PR being almost OK - reopening. """ See the full comment at https://github.com/freeipa/freeipa/pull/616#issuecomment-289390708 From freeipa-github-notification at redhat.com Mon Mar 27 08:44:50 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Mon, 27 Mar 2017 10:44:50 +0200 Subject: [Freeipa-devel] [freeipa PR#616][-rejected] Simplify KRA transport cert cache In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/616 Title: #616: Simplify KRA transport cert cache Label: -rejected From freeipa-github-notification at redhat.com Mon Mar 27 08:47:59 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 27 Mar 2017 10:47:59 +0200 Subject: [Freeipa-devel] [freeipa PR#656][opened] Backup CA cert from kerberos folder Message-ID: URL: https://github.com/freeipa/freeipa/pull/656 Author: stlaz Title: #656: Backup CA cert from kerberos folder Action: opened PR body: """ I have no idea how I missed this file in previous backup fixing attempts. https://pagure.io/freeipa/issue/6748 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/656/head:pr656 git checkout pr656 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-656.patch Type: text/x-diff Size: 791 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Mar 27 08:49:08 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 27 Mar 2017 10:49:08 +0200 Subject: [Freeipa-devel] [freeipa PR#616][comment] Simplify KRA transport cert cache In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/616 Title: #616: Simplify KRA transport cert cache tiran commented: """ I did not miss https://github.com/freeipa/freeipa/pull/616#issuecomment-287739826 """ See the full comment at https://github.com/freeipa/freeipa/pull/616#issuecomment-289391731 From freeipa-github-notification at redhat.com Mon Mar 27 10:06:50 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 27 Mar 2017 12:06:50 +0200 Subject: [Freeipa-devel] [freeipa PR#618][comment] [WIP] Tox testing support for client wheel packages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/618 Title: #618: [WIP] Tox testing support for client wheel packages tiran commented: """ Tox testing should also be integrated into Travis CI to catch bugs like https://pagure.io/freeipa/issue/6816. The tox script will automatically test features like ```./configure --disable-server```, ```bdist_wheel``` and ```wheel_bundle```. """ See the full comment at https://github.com/freeipa/freeipa/pull/618#issuecomment-289410234 From freeipa-github-notification at redhat.com Mon Mar 27 10:21:31 2017 
From: freeipa-github-notification at redhat.com (sumit-bose) Date: Mon, 27 Mar 2017 12:21:31 +0200 Subject: [Freeipa-devel] [freeipa PR#657][opened] configure: fix --disable-server with certauth plugin Message-ID: URL: https://github.com/freeipa/freeipa/pull/657 Author: sumit-bose Title: #657: configure: fix --disable-server with certauth plugin Action: opened PR body: """ Resolves https://pagure.io/freeipa/issue/6816 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/657/head:pr657 git checkout pr657 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-657.patch Type: text/x-diff Size: 1997 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Mar 27 10:22:26 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 27 Mar 2017 12:22:26 +0200 Subject: [Freeipa-devel] [freeipa PR#655][comment] httpinstance.disable_system_trust: Don't fail if module 'Root Certs' … In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/655 Title: #655: httpinstance.disable_system_trust: Don't fail if module 'Root Certs' … stlaz commented: """ Hm, I believe the `-list` operation was there just to check whether the module is there. If `modutil` fails like this no matter the situation, it'd be better to just try to disable it whatever happens and go away with "meh, so what" if the disable fails. """ See the full comment at https://github.com/freeipa/freeipa/pull/655#issuecomment-289413533 From freeipa-github-notification at redhat.com Mon Mar 27 10:22:59 2017
From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 27 Mar 2017 12:22:59 +0200 Subject: [Freeipa-devel] [freeipa PR#655][comment] httpinstance.disable_system_trust: Don't fail if module 'Root Certs' … In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/655 Title: #655: httpinstance.disable_system_trust: Don't fail if module 'Root Certs' … stlaz commented: """ Hm, I believe the `-list` operation was there just to check whether the module is there. If `modutil` fails like this no matter the situation, it'd be better to just try to disable it whatever happens and go away with "meh, so what" if the disable fails. """ See the full comment at https://github.com/freeipa/freeipa/pull/655#issuecomment-289413533 From freeipa-github-notification at redhat.com Mon Mar 27 10:24:20 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 27 Mar 2017 12:24:20 +0200 Subject: [Freeipa-devel] [freeipa PR#655][comment] httpinstance.disable_system_trust: Don't fail if module 'Root Certs' … In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/655 Title: #655: httpinstance.disable_system_trust: Don't fail if module 'Root Certs' … stlaz commented: """ For the record: ```bash [slaznick at vm-066 ~]$ sudo modutil -dbdir nssdb/ -disable 'Root Certs' -force ERROR: Module "Root Certs" not found in database. [slaznick at machine ~]$ echo $? 29 [slaznick at machine ~]$ ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/655#issuecomment-289413925 From freeipa-github-notification at redhat.com Mon Mar 27 10:24:31 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 27 Mar 2017 12:24:31 +0200 Subject: [Freeipa-devel] [freeipa PR#655][comment] httpinstance.disable_system_trust: Don't fail if module 'Root Certs' … In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/655 Title: #655: httpinstance.disable_system_trust: Don't fail if module 'Root Certs' … stlaz commented: """ For the record: ```bash [slaznick at vm-066 ~]$ sudo modutil -dbdir nssdb/ -disable 'Root Certs' -force ERROR: Module "Root Certs" not found in database. [slaznick at machine ~]$ echo $? 29 [slaznick at machine ~]$ ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/655#issuecomment-289413925 From freeipa-github-notification at redhat.com Mon Mar 27 10:32:15 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 27 Mar 2017 12:32:15 +0200 Subject: [Freeipa-devel] [freeipa PR#655][comment] httpinstance.disable_system_trust: Don't fail if module 'Root Certs' … In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/655 Title: #655: httpinstance.disable_system_trust: Don't fail if module 'Root Certs' … tiran commented: """ @stlaz The broad except also catches and ignores typos in the command line or missing ```modutil``` binary. """ See the full comment at https://github.com/freeipa/freeipa/pull/655#issuecomment-289415627 From freeipa-github-notification at redhat.com Mon Mar 27 10:34:40 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 27 Mar 2017 12:34:40 +0200 Subject: [Freeipa-devel] [freeipa PR#655][comment] httpinstance.disable_system_trust: Don't fail if module 'Root Certs' … In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/655 Title: #655: httpinstance.disable_system_trust: Don't fail if module 'Root Certs' … stlaz commented: """ @tiran I of course agree on narrowing the broad except down, my point is we should rather remove the whole `-list` part and just try to do `-disable`. """ See the full comment at https://github.com/freeipa/freeipa/pull/655#issuecomment-289416128 From freeipa-github-notification at redhat.com Mon Mar 27 10:37:09 2017 From: freeipa-github-notification at redhat.com (sumit-bose) Date: Mon, 27 Mar 2017 12:37:09 +0200 Subject: [Freeipa-devel] [freeipa PR#657][synchronized] configure: fix --disable-server with certauth plugin In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/657 Author: sumit-bose Title: #657: configure: fix --disable-server with certauth plugin Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/657/head:pr657 git checkout pr657 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-657.patch Type: text/x-diff Size: 2046 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Mar 27 10:39:44 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 27 Mar 2017 12:39:44 +0200 Subject: [Freeipa-devel] [freeipa PR#655][comment] httpinstance.disable_system_trust: Don't fail if module 'Root Certs' … In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/655 Title: #655: httpinstance.disable_system_trust: Don't fail if module 'Root Certs' … stlaz commented: """ @tiran I of course agree on narrowing the broad except down, my point is we should rather remove the whole `-list` part and just try to do `-disable`. """ See the full comment at https://github.com/freeipa/freeipa/pull/655#issuecomment-289416128 From freeipa-github-notification at redhat.com Mon Mar 27 10:43:21 2017 From: freeipa-github-notification at redhat.com (lslebodn) Date: Mon, 27 Mar 2017 12:43:21 +0200 Subject: [Freeipa-devel] [freeipa PR#657][comment] configure: fix --disable-server with certauth plugin In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/657 Title: #657: configure: fix --disable-server with certauth plugin lslebodn commented: """ `AM_CONDITIONAL` needs to be executed every time. So just `AM_CONDITIONAL([BUILD_IPA_CERTAUTH_PLUGIN]` needs to be moved from server.m4 -> configure.ac. The best would be to build somewhere after `m4_include(server.m4)` """ See the full comment at https://github.com/freeipa/freeipa/pull/657#issuecomment-289417730 From freeipa-github-notification at redhat.com Mon Mar 27 10:43:49 2017 
From: freeipa-github-notification at redhat.com (lslebodn) Date: Mon, 27 Mar 2017 12:43:49 +0200 Subject: [Freeipa-devel] [freeipa PR#657][comment] configure: fix --disable-server with certauth plugin In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/657 Title: #657: configure: fix --disable-server with certauth plugin lslebodn commented: """ `AM_CONDITIONAL` needs to be executed every time. So just `AM_CONDITIONAL([BUILD_IPA_CERTAUTH_PLUGIN]` needs to be moved from server.m4 -> configure.ac. The best would be to build somewhere after `m4_include(server.m4)` """ See the full comment at https://github.com/freeipa/freeipa/pull/657#issuecomment-289417730 From freeipa-github-notification at redhat.com Mon Mar 27 10:53:52 2017 From: freeipa-github-notification at redhat.com (dkupka) Date: Mon, 27 Mar 2017 12:53:52 +0200 Subject: [Freeipa-devel] [freeipa PR#655][synchronized] httpinstance.disable_system_trust: Don't fail if module 'Root Certs' … In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/655 Author: dkupka Title: #655: httpinstance.disable_system_trust: Don't fail if module 'Root Certs' … Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/655/head:pr655 git checkout pr655 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-655.patch Type: text/x-diff Size: 1612 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Mar 27 11:08:41 2017 
From: freeipa-github-notification at redhat.com (dkupka) Date: Mon, 27 Mar 2017 13:08:41 +0200 Subject: [Freeipa-devel] [freeipa PR#655][comment] httpinstance.disable_system_trust: Don't fail if module 'Root Certs' … In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/655 Title: #655: httpinstance.disable_system_trust: Don't fail if module 'Root Certs' … dkupka commented: """ @tiran @stlaz Makes sense. I will update it accordingly. Thanks for the suggestions. """ See the full comment at https://github.com/freeipa/freeipa/pull/655#issuecomment-289422724 From freeipa-github-notification at redhat.com Mon Mar 27 11:10:34 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 27 Mar 2017 13:10:34 +0200 Subject: [Freeipa-devel] [freeipa PR#617][comment] Allow renaming of sudo and HBAC rules In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/617 Title: #617: Allow renaming of sudo and HBAC rules MartinBasti commented: """ Please update release notes (changelog) """ See the full comment at https://github.com/freeipa/freeipa/pull/617#issuecomment-289423071 From freeipa-github-notification at redhat.com Mon Mar 27 11:10:42 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 27 Mar 2017 13:10:42 +0200 Subject: [Freeipa-devel] [freeipa PR#617][+ack] Allow renaming of sudo and HBAC rules In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/617 Title: #617: Allow renaming of sudo and HBAC rules Label: +ack From freeipa-github-notification at redhat.com Mon Mar 27 11:11:35 2017 
From: freeipa-github-notification at redhat.com (Akasurde) Date: Mon, 27 Mar 2017 13:11:35 +0200 Subject: [Freeipa-devel] [freeipa PR#658][opened] Hide PKI Client database password in log file Message-ID: URL: https://github.com/freeipa/freeipa/pull/658 Author: Akasurde Title: #658: Hide PKI Client database password in log file Action: opened PR body: """ Signed-off-by: Abhijeet Kasurde """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/658/head:pr658 git checkout pr658 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-658.patch Type: text/x-diff Size: 971 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Mar 27 11:18:03 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Mon, 27 Mar 2017 13:18:03 +0200 Subject: [Freeipa-devel] [freeipa PR#655][comment] httpinstance.disable_system_trust: Don't fail if module 'Root Certs' … In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/655 Title: #655: httpinstance.disable_system_trust: Don't fail if module 'Root Certs' … HonzaCholasta commented: """ @stlaz, you can't do just `-disable`, as that would break upgrade (note that the `-list` is there because `-disable` always reports success). """ See the full comment at https://github.com/freeipa/freeipa/pull/655#issuecomment-289424502 From freeipa-github-notification at redhat.com Mon Mar 27 11:22:14 2017 
From: freeipa-github-notification at redhat.com (sumit-bose) Date: Mon, 27 Mar 2017 13:22:14 +0200 Subject: [Freeipa-devel] [freeipa PR#657][synchronized] configure: fix --disable-server with certauth plugin In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/657 Author: sumit-bose Title: #657: configure: fix --disable-server with certauth plugin Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/657/head:pr657 git checkout pr657 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-657.patch Type: text/x-diff Size: 4754 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Mar 27 11:28:24 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 27 Mar 2017 13:28:24 +0200 Subject: [Freeipa-devel] [freeipa PR#657][comment] configure: fix --disable-server with certauth plugin In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/657 Title: #657: configure: fix --disable-server with certauth plugin tiran commented: """ LGTM I verified that the PR fixes * --disable-server * --enable-server with old version of krb5 that does not have ```krb5/certauth_plugin.h``` """ See the full comment at https://github.com/freeipa/freeipa/pull/657#issuecomment-289426483 From freeipa-github-notification at redhat.com Mon Mar 27 11:38:10 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 27 Mar 2017 13:38:10 +0200 Subject: [Freeipa-devel] [freeipa PR#655][comment] httpinstance.disable_system_trust: Don't fail if module 'Root Certs' … In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/655 Title: #655: httpinstance.disable_system_trust: Don't fail if module 'Root Certs' … stlaz commented: """ @HonzaCholasta You're right, I completely forgot about that one. """ See the full comment at https://github.com/freeipa/freeipa/pull/655#issuecomment-289428384 From freeipa-github-notification at redhat.com Mon Mar 27 11:48:23 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 27 Mar 2017 13:48:23 +0200 Subject: [Freeipa-devel] [freeipa PR#653][+ack] Bump samba version for FIPS and priv. separation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/653 Title: #653: Bump samba version for FIPS and priv. separation Label: +ack From freeipa-github-notification at redhat.com Mon Mar 27 11:52:54 2017 
From: freeipa-github-notification at redhat.com (dkupka) Date: Mon, 27 Mar 2017 13:52:54 +0200 Subject: [Freeipa-devel] [freeipa PR#655][synchronized] httpinstance.disable_system_trust: Don't fail if module 'Root Certs' … In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/655 Author: dkupka Title: #655: httpinstance.disable_system_trust: Don't fail if module 'Root Certs' … Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/655/head:pr655 git checkout pr655 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-655.patch Type: text/x-diff Size: 1714 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Mar 27 11:54:18 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 27 Mar 2017 13:54:18 +0200 Subject: [Freeipa-devel] [freeipa PR#619][+ack] pytest 3.x compatibility In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/619 Title: #619: pytest 3.x compatibility Label: +ack From freeipa-github-notification at redhat.com Mon Mar 27 11:57:07 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 27 Mar 2017 13:57:07 +0200 Subject: [Freeipa-devel] [freeipa PR#657][+ack] configure: fix --disable-server with certauth plugin In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/657 Title: #657: configure: fix --disable-server with certauth plugin Label: +ack From freeipa-github-notification at redhat.com Mon Mar 27 12:32:20 2017 
From: freeipa-github-notification at redhat.com (pvomacka) Date: Mon, 27 Mar 2017 14:32:20 +0200 Subject: [Freeipa-devel] [freeipa PR#659][opened] WebUI: Allow to add certs to certmapping with CERT LINES around Message-ID: URL: https://github.com/freeipa/freeipa/pull/659 Author: pvomacka Title: #659: WebUI: Allow to add certs to certmapping with CERT LINES around Action: opened PR body: """ The certificate to the certmapping might be inserted as base64 encoded blob. This patch allows to also insert the certificate blob with surrounding "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines. This behavior is the same in widget for assigning certificates to users, so the change helps WebUI to be more consistent. https://pagure.io/freeipa/issue/6772 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/659/head:pr659 git checkout pr659 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-659.patch Type: text/x-diff Size: 2440 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Mar 27 12:38:49 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 27 Mar 2017 14:38:49 +0200 Subject: [Freeipa-devel] [freeipa PR#617][comment] Allow renaming of sudo and HBAC rules In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/617 Title: #617: Allow renaming of sudo and HBAC rules stlaz commented: """ Changelogs were updated. """ See the full comment at https://github.com/freeipa/freeipa/pull/617#issuecomment-289440947 From freeipa-github-notification at redhat.com Mon Mar 27 12:57:10 2017 
From: freeipa-github-notification at redhat.com (abbra) Date: Mon, 27 Mar 2017 14:57:10 +0200 Subject: [Freeipa-devel] [freeipa PR#649][comment] Session cookie storage and handling fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/649 Title: #649: Session cookie storage and handling fixes abbra commented: """ LGTM to me. @simo5 explained that `expiry=...` substring is part of the actual cookie `mod_session` adds (it is a timestamp in nanoseconds) -- Cookie class does not see it, so it has to be removed separately in the last commit. """ See the full comment at https://github.com/freeipa/freeipa/pull/649#issuecomment-289445234 From freeipa-github-notification at redhat.com Mon Mar 27 12:57:22 2017 From: freeipa-github-notification at redhat.com (abbra) Date: Mon, 27 Mar 2017 14:57:22 +0200 Subject: [Freeipa-devel] [freeipa PR#649][+ack] Session cookie storage and handling fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/649 Title: #649: Session cookie storage and handling fixes Label: +ack From freeipa-github-notification at redhat.com Mon Mar 27 14:14:38 2017 
From: freeipa-github-notification at redhat.com (dkupka) Date: Mon, 27 Mar 2017 16:14:38 +0200 Subject: [Freeipa-devel] [freeipa PR#660][opened] rpcserver.login_x509: Actually return reply from __call__ method Message-ID: URL: https://github.com/freeipa/freeipa/pull/660 Author: dkupka Title: #660: rpcserver.login_x509: Actually return reply from __call__ method Action: opened PR body: """ __call__ didn't return causing internal error in wsgi application. Previously this bug was hidden by some other error and the code worked even though it shouldn't. https://pagure.io/freeipa/issue/6225 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/660/head:pr660 git checkout pr660 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-660.patch Type: text/x-diff Size: 1032 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Mar 27 14:42:08 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 27 Mar 2017 16:42:08 +0200 Subject: [Freeipa-devel] [freeipa PR#641][comment] Set "KDC:Disable Last Success" by default In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/641 Title: #641: Set "KDC:Disable Last Success" by default stlaz commented: """ This change of default behavior seems to have removed a lot of write-load from DS so I believe we should go with it. However, add a comment about it to the issue "changelog", please. """ See the full comment at https://github.com/freeipa/freeipa/pull/641#issuecomment-289474747 From freeipa-github-notification at redhat.com Mon Mar 27 14:42:12 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 27 Mar 2017 16:42:12 +0200 Subject: [Freeipa-devel] [freeipa PR#641][+ack] Set "KDC:Disable Last Success" by default In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/641 Title: #641: Set "KDC:Disable Last Success" by default Label: +ack From freeipa-github-notification at redhat.com Mon Mar 27 14:55:57 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 27 Mar 2017 16:55:57 +0200 Subject: [Freeipa-devel] [freeipa PR#658][comment] Hide PKI Client database password in log file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/658 Title: #658: Hide PKI Client database password in log file stlaz commented: """ You will need to do something similar in `ipaserver/install/krainstance.py` as well. """ See the full comment at https://github.com/freeipa/freeipa/pull/658#issuecomment-289479183 From freeipa-github-notification at redhat.com Mon Mar 27 15:37:49 2017 From: freeipa-github-notification at redhat.com (Akasurde) Date: Mon, 27 Mar 2017 17:37:49 +0200 Subject: [Freeipa-devel] [freeipa PR#658][synchronized] Hide PKI Client database password in log file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/658 Author: Akasurde Title: #658: Hide PKI Client database password in log file Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/658/head:pr658 git checkout pr658 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-658.patch Type: text/x-diff Size: 2468 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Mar 27 15:58:14 2017 
From: freeipa-github-notification at redhat.com (pvomacka) Date: Mon, 27 Mar 2017 17:58:14 +0200 Subject: [Freeipa-devel] [freeipa PR#657][comment] configure: fix --disable-server with certauth plugin In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/657 Title: #657: configure: fix --disable-server with certauth plugin pvomacka commented: """ ipa-4-5: * 203d5416ce807f5cdcf9e2431feef84d49b3df61 configure: fix --disable-server with certauth plugin * 8fde0b88d7c9360e16820d6086eba3e3ca0eee1e ipa-kdb: do not depend on certauth_plugin.h master: * 054f1bd78b04a79f765f524f829b34c0ee252a1b configure: fix --disable-server with certauth plugin * 0ba0c0781367d8e2d4affca29e3cf5ab93c4c33a ipa-kdb: do not depend on certauth_plugin.h """ See the full comment at https://github.com/freeipa/freeipa/pull/657#issuecomment-289498536 From freeipa-github-notification at redhat.com Mon Mar 27 15:58:18 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Mon, 27 Mar 2017 17:58:18 +0200 Subject: [Freeipa-devel] [freeipa PR#657][+pushed] configure: fix --disable-server with certauth plugin In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/657 Title: #657: configure: fix --disable-server with certauth plugin Label: +pushed From freeipa-github-notification at redhat.com Mon Mar 27 15:58:22 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Mon, 27 Mar 2017 17:58:22 +0200 Subject: [Freeipa-devel] [freeipa PR#657][closed] configure: fix --disable-server with certauth plugin In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/657 Author: sumit-bose Title: #657: configure: fix --disable-server with certauth plugin Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/657/head:pr657 git checkout pr657 From freeipa-github-notification at redhat.com Mon Mar 27 16:04:14 2017 
From: freeipa-github-notification at redhat.com (pvomacka) Date: Mon, 27 Mar 2017 18:04:14 +0200 Subject: [Freeipa-devel] [freeipa PR#619][+pushed] pytest 3.x compatibility In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/619 Title: #619: pytest 3.x compatibility Label: +pushed From freeipa-github-notification at redhat.com Mon Mar 27 16:04:18 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Mon, 27 Mar 2017 18:04:18 +0200 Subject: [Freeipa-devel] [freeipa PR#619][comment] pytest 3.x compatibility In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/619 Title: #619: pytest 3.x compatibility pvomacka commented: """ master: * dd6b72e418eba01cc9eb9a7305291bf141b9eadf pytest 3.x compatibility """ See the full comment at https://github.com/freeipa/freeipa/pull/619#issuecomment-289500363 From freeipa-github-notification at redhat.com Mon Mar 27 16:04:21 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Mon, 27 Mar 2017 18:04:21 +0200 Subject: [Freeipa-devel] [freeipa PR#619][closed] pytest 3.x compatibility In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/619 Author: tiran Title: #619: pytest 3.x compatibility Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/619/head:pr619 git checkout pr619 From freeipa-github-notification at redhat.com Mon Mar 27 16:10:49 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Mon, 27 Mar 2017 18:10:49 +0200 Subject: [Freeipa-devel] [freeipa PR#470][+pushed] WebUI: Size limit warning on details pages fixed In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/470 Title: #470: WebUI: Size limit warning on details pages fixed Label: +pushed From freeipa-github-notification at redhat.com Mon Mar 27 16:10:54 2017 
From: freeipa-github-notification at redhat.com (pvomacka) Date: Mon, 27 Mar 2017 18:10:54 +0200 Subject: [Freeipa-devel] [freeipa PR#470][comment] WebUI: Size limit warning on details pages fixed In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/470 Title: #470: WebUI: Size limit warning on details pages fixed pvomacka commented: """ ipa-4-5: * 422c9058d9a6be69db4eab7db654b9184ae5eab6 WebUI: Add support for suppressing warnings * 697a5779b377a5d76c1cb212514b6feb46326f71 WebUI: suppress truncation warning in select widget master: * 7b3a10da7001d7ee394cd891d926def66d0f2546 WebUI: Add support for suppressing warnings * b9e6ad1967ba24c7ebe5181da1ebe32d30e7b28f WebUI: suppress truncation warning in select widget """ See the full comment at https://github.com/freeipa/freeipa/pull/470#issuecomment-289502331 From freeipa-github-notification at redhat.com Mon Mar 27 16:10:55 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Mon, 27 Mar 2017 18:10:55 +0200 Subject: [Freeipa-devel] [freeipa PR#470][closed] WebUI: Size limit warning on details pages fixed In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/470 Author: pvomacka Title: #470: WebUI: Size limit warning on details pages fixed Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/470/head:pr470 git checkout pr470 From freeipa-github-notification at redhat.com Mon Mar 27 16:20:32 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Mon, 27 Mar 2017 18:20:32 +0200 Subject: [Freeipa-devel] [freeipa PR#651][+pushed] WebUI: Fix showing vault in selfservice view In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/651 Title: #651: WebUI: Fix showing vault in selfservice view Label: +pushed From freeipa-github-notification at redhat.com Mon Mar 27 16:20:39 2017 
From: freeipa-github-notification at redhat.com (pvomacka) Date: Mon, 27 Mar 2017 18:20:39 +0200 Subject: [Freeipa-devel] [freeipa PR#651][comment] WebUI: Fix showing vault in selfservice view In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/651 Title: #651: WebUI: Fix showing vault in selfservice view pvomacka commented: """ ipa-4-5: * 7b3cb1ccad28a1fd17803bdd7dd245bdfee9a046 WebUI: Fix showing vault in selfservice view master: * ab6d7ac50a93efa6a9e3566dbe07b34a23c41cce WebUI: Fix showing vault in selfservice view """ See the full comment at https://github.com/freeipa/freeipa/pull/651#issuecomment-289505248 From freeipa-github-notification at redhat.com Mon Mar 27 16:20:42 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Mon, 27 Mar 2017 18:20:42 +0200 Subject: [Freeipa-devel] [freeipa PR#651][closed] WebUI: Fix showing vault in selfservice view In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/651 Author: pvomacka Title: #651: WebUI: Fix showing vault in selfservice view Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/651/head:pr651 git checkout pr651 From freeipa-github-notification at redhat.com Mon Mar 27 16:25:56 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Mon, 27 Mar 2017 18:25:56 +0200 Subject: [Freeipa-devel] [freeipa PR#641][+pushed] Set "KDC:Disable Last Success" by default In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/641 Title: #641: Set "KDC:Disable Last Success" by default Label: +pushed From freeipa-github-notification at redhat.com Mon Mar 27 16:26:00 2017 
From: freeipa-github-notification at redhat.com (pvomacka) Date: Mon, 27 Mar 2017 18:26:00 +0200 Subject: [Freeipa-devel] [freeipa PR#641][comment] Set "KDC:Disable Last Success" by default In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/641 Title: #641: Set "KDC:Disable Last Success" by default pvomacka commented: """ ipa-4-5: * fdcd5f486839d9279dcba74b74f7756ace5812fa Set "KDC:Disable Last Success" by default master: * eeaf428b1befc37489ed5ee14ae193b46cbd1db7 Set "KDC:Disable Last Success" by default """ See the full comment at https://github.com/freeipa/freeipa/pull/641#issuecomment-289506802 From freeipa-github-notification at redhat.com Mon Mar 27 16:26:04 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Mon, 27 Mar 2017 18:26:04 +0200 Subject: [Freeipa-devel] [freeipa PR#641][closed] Set "KDC:Disable Last Success" by default In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/641 Author: MartinBasti Title: #641: Set "KDC:Disable Last Success" by default Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/641/head:pr641 git checkout pr641 From freeipa-github-notification at redhat.com Mon Mar 27 16:31:39 2017 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Mon, 27 Mar 2017 18:31:39 +0200 Subject: [Freeipa-devel] [freeipa PR#659][comment] WebUI: Allow to add certs to certmapping with CERT LINES around In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/659 Title: #659: WebUI: Allow to add certs to certmapping with CERT LINES around flo-renaud commented: """ Hi @pvomacka , thank you for the patch, it works as expected. """ See the full comment at https://github.com/freeipa/freeipa/pull/659#issuecomment-289508460 From freeipa-github-notification at redhat.com Mon Mar 27 16:32:00 2017 
From: freeipa-github-notification at redhat.com (pvomacka) Date: Mon, 27 Mar 2017 18:32:00 +0200 Subject: [Freeipa-devel] [freeipa PR#643][+ack] [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/643 Title: #643: [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work Label: +ack From freeipa-github-notification at redhat.com Mon Mar 27 16:34:46 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 27 Mar 2017 18:34:46 +0200 Subject: [Freeipa-devel] [freeipa PR#645][comment] Create temporaty directories at the begining of uninstall In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/645 Title: #645: Create temporaty directories at the begining of uninstall MartinBasti commented: """ Not the nicest but good enough for now """ See the full comment at https://github.com/freeipa/freeipa/pull/645#issuecomment-289509303 From freeipa-github-notification at redhat.com Mon Mar 27 16:34:51 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 27 Mar 2017 18:34:51 +0200 Subject: [Freeipa-devel] [freeipa PR#645][+ack] Create temporaty directories at the begining of uninstall In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/645 Title: #645: Create temporaty directories at the begining of uninstall Label: +ack From freeipa-github-notification at redhat.com Mon Mar 27 16:41:01 2017 
From: freeipa-github-notification at redhat.com (pvoborni) Date: Mon, 27 Mar 2017 18:41:01 +0200 Subject: [Freeipa-devel] [freeipa PR#659][comment] WebUI: Allow to add certs to certmapping with CERT LINES around In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/659 Title: #659: WebUI: Allow to add certs to certmapping with CERT LINES around pvoborni commented: """ Code LGTM, ACK given that it works for @flo-renaud """ See the full comment at https://github.com/freeipa/freeipa/pull/659#issuecomment-289511086 From freeipa-github-notification at redhat.com Mon Mar 27 16:41:10 2017 From: freeipa-github-notification at redhat.com (pvoborni) Date: Mon, 27 Mar 2017 18:41:10 +0200 Subject: [Freeipa-devel] [freeipa PR#659][+ack] WebUI: Allow to add certs to certmapping with CERT LINES around In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/659 Title: #659: WebUI: Allow to add certs to certmapping with CERT LINES around Label: +ack From freeipa-github-notification at redhat.com Mon Mar 27 16:43:44 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Mon, 27 Mar 2017 18:43:44 +0200 Subject: [Freeipa-devel] [freeipa PR#660][comment] rpcserver.login_x509: Actually return reply from __call__ method In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/660 Title: #660: rpcserver.login_x509: Actually return reply from __call__ method pvomacka commented: """ Please change ticket to this one: https://pagure.io/freeipa/issue/6819 """ See the full comment at https://github.com/freeipa/freeipa/pull/660#issuecomment-289511868 From freeipa-github-notification at redhat.com Mon Mar 27 16:45:51 2017 
From: freeipa-github-notification at redhat.com (pvomacka) Date: Mon, 27 Mar 2017 18:45:51 +0200 Subject: [Freeipa-devel] [freeipa PR#643][-ack] [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/643 Title: #643: [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work Label: -ack From freeipa-github-notification at redhat.com Mon Mar 27 16:46:31 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Mon, 27 Mar 2017 18:46:31 +0200 Subject: [Freeipa-devel] [freeipa PR#643][comment] [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/643 Title: #643: [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work pvomacka commented: """ Please create new ticket and use it. The ticket you used is in already closed milestone. """ See the full comment at https://github.com/freeipa/freeipa/pull/643#issuecomment-289512585 From freeipa-github-notification at redhat.com Mon Mar 27 16:49:26 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Mon, 27 Mar 2017 18:49:26 +0200 Subject: [Freeipa-devel] [freeipa PR#659][+pushed] WebUI: Allow to add certs to certmapping with CERT LINES around In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/659 Title: #659: WebUI: Allow to add certs to certmapping with CERT LINES around Label: +pushed From freeipa-github-notification at redhat.com Mon Mar 27 16:49:30 2017 
From: freeipa-github-notification at redhat.com (pvomacka) Date: Mon, 27 Mar 2017 18:49:30 +0200 Subject: [Freeipa-devel] [freeipa PR#659][comment] WebUI: Allow to add certs to certmapping with CERT LINES around In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/659 Title: #659: WebUI: Allow to add certs to certmapping with CERT LINES around pvomacka commented: """ ipa-4-5: * eda23a9847197513555f6237b46c658365dfc12d WebUI: Allow to add certs to certmapping with CERT LINES around master: * 84b38b6793cbc45d36c39abf79893e22e90baac6 WebUI: Allow to add certs to certmapping with CERT LINES around """ See the full comment at https://github.com/freeipa/freeipa/pull/659#issuecomment-289513389 From freeipa-github-notification at redhat.com Mon Mar 27 16:49:33 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Mon, 27 Mar 2017 18:49:33 +0200 Subject: [Freeipa-devel] [freeipa PR#659][closed] WebUI: Allow to add certs to certmapping with CERT LINES around In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/659 Author: pvomacka Title: #659: WebUI: Allow to add certs to certmapping with CERT LINES around Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/659/head:pr659 git checkout pr659 From freeipa-github-notification at redhat.com Mon Mar 27 16:51:37 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 27 Mar 2017 18:51:37 +0200 Subject: [Freeipa-devel] [freeipa PR#656][comment] Backup CA cert from kerberos folder In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/656 Title: #656: Backup CA cert from kerberos folder MartinBasti commented: """ ACK, however webUI is still not working after restore """ See the full comment at https://github.com/freeipa/freeipa/pull/656#issuecomment-289514024 From freeipa-github-notification at redhat.com Mon Mar 27 16:51:41 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 27 Mar 2017 18:51:41 +0200 Subject: [Freeipa-devel] [freeipa PR#656][+ack] Backup CA cert from kerberos folder In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/656 Title: #656: Backup CA cert from kerberos folder Label: +ack From freeipa-github-notification at redhat.com Mon Mar 27 16:51:58 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Mon, 27 Mar 2017 18:51:58 +0200 Subject: [Freeipa-devel] [freeipa PR#653][comment] Bump samba version for FIPS and priv. separation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/653 Title: #653: Bump samba version for FIPS and priv. separation pvomacka commented: """ ipa-4-5: * 41ff57b81807f6747b098f1ed2c281031e22bbae Bump samba version for FIPS and priv. separation master: * b7ae3363fd5bb1bf3b3175395d5bd3d26c9b48f0 Bump samba version for FIPS and priv. separation """ See the full comment at https://github.com/freeipa/freeipa/pull/653#issuecomment-289514129 From freeipa-github-notification at redhat.com Mon Mar 27 16:52:01 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Mon, 27 Mar 2017 18:52:01 +0200 Subject: [Freeipa-devel] [freeipa PR#653][+pushed] Bump samba version for FIPS and priv. separation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/653 Title: #653: Bump samba version for FIPS and priv. separation Label: +pushed From freeipa-github-notification at redhat.com Mon Mar 27 16:52:02 2017 
From: freeipa-github-notification at redhat.com (pvomacka) Date: Mon, 27 Mar 2017 18:52:02 +0200 Subject: [Freeipa-devel] [freeipa PR#653][closed] Bump samba version for FIPS and priv. separation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/653 Author: stlaz Title: #653: Bump samba version for FIPS and priv. separation Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/653/head:pr653 git checkout pr653 From freeipa-github-notification at redhat.com Mon Mar 27 16:53:02 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 27 Mar 2017 18:53:02 +0200 Subject: [Freeipa-devel] [freeipa PR#656][comment] Backup CA cert from kerberos folder In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/656 Title: #656: Backup CA cert from kerberos folder MartinBasti commented: """
```
mod_wsgi (pid=4398): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
Traceback (most recent call last):
  File "/usr/share/ipa/wsgi.py", line 51, in application
    return api.Backend.wsgi_dispatch(environ, start_response)
  File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 262, in __call__
    return self.route(environ, start_response)
  File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 274, in route
    return app(environ, start_response)
  File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 913, in __call__
    self.kinit(user_principal, password, ipa_ccache_name)
  File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 947, in kinit
    kinit_armor(armor_path)
  File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 125, in kinit_armor
    run(args, env=env, raiseonerr=True, capture_error=True)
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 495, in run
    raise CalledProcessError(p.returncode, arg_string, str(output))
CalledProcessError: Command '/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_4398' returned non-zero exit status 1
```
""" See the full comment at https://github.com/freeipa/freeipa/pull/656#issuecomment-289514455 From freeipa-github-notification at redhat.com Mon Mar 27 17:05:24 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 27 Mar 2017 19:05:24 +0200 Subject: [Freeipa-devel] [freeipa PR#640][comment] Remove pkinit options from master/replica on DL0 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/640 Title: #640: Remove pkinit options from master/replica on DL0 MartinBasti commented: """
```
ipa-replica-install --no-pkinit (as negative test without master installed)
2017-03-27T17:04:09Z DEBUG Logging to /var/log/ipareplica-install.log
2017-03-27T17:04:09Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 314, in run
    cfgr = transformed_cls(**kwargs)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 102, in __init__
    **kwargs)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/__init__.py", line 602, in __init__
    super(ServerReplicaInstall, self).__init__(**kwargs)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/__init__.py", line 338, in __init__
    if self.domain_level == constants.DOMAIN_LEVEL_0:
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 611, in __getattr__
    raise AttributeError(name)
2017-03-27T17:04:09Z DEBUG The ipa-replica-install command failed, exception: AttributeError: domain_level
```
""" See the full comment at https://github.com/freeipa/freeipa/pull/640#issuecomment-289517964 From freeipa-github-notification at redhat.com Mon Mar 27 17:08:58 2017 
From: freeipa-github-notification at redhat.com (pvomacka) Date: Mon, 27 Mar 2017 19:08:58 +0200 Subject: [Freeipa-devel] [freeipa PR#617][comment] Allow renaming of sudo and HBAC rules In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/617 Title: #617: Allow renaming of sudo and HBAC rules pvomacka commented: """ ipa-4-5: * 28db6cd40100c6301121e3f82c074624fe53729c Reworked the renaming mechanism * 85f2a19f88eef94ff080a42246658f572b5275f4 Allow renaming of the HBAC rule objects * 7d3229bfb88f0fdc559245c8741563faba716106 Allow renaming of the sudorule objects master: * 8e4408e6784f929b4c3d861f0dd509335238e951 Reworked the renaming mechanism * 55424c8677ba7de464c820afd31260aa4a7678d0 Allow renaming of the HBAC rule objects * 8c1409155e9a9a978d3d763045a84d1eac585dfd Allow renaming of the sudorule objects """ See the full comment at https://github.com/freeipa/freeipa/pull/617#issuecomment-289518952 From freeipa-github-notification at redhat.com Mon Mar 27 17:09:01 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Mon, 27 Mar 2017 19:09:01 +0200 Subject: [Freeipa-devel] [freeipa PR#617][closed] Allow renaming of sudo and HBAC rules In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/617 Author: stlaz Title: #617: Allow renaming of sudo and HBAC rules Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/617/head:pr617 git checkout pr617 From freeipa-github-notification at redhat.com Mon Mar 27 17:09:03 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Mon, 27 Mar 2017 19:09:03 +0200 Subject: [Freeipa-devel] [freeipa PR#617][+pushed] Allow renaming of sudo and HBAC rules In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/617 Title: #617: Allow renaming of sudo and HBAC rules Label: +pushed From freeipa-github-notification at redhat.com Mon Mar 27 20:54:22 2017 
From: freeipa-github-notification at redhat.com (lslebodn) Date: Mon, 27 Mar 2017 22:54:22 +0200 Subject: [Freeipa-devel] [freeipa PR#623][comment] client install: do not assume /etc/krb5.conf.d exists In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/623 Title: #623: client install: do not assume /etc/krb5.conf.d exists lslebodn commented: """ FYI: `/etc/krb5.conf.d` is not default include directory it is fedora/el7 specific. debian testing has MIT kerberos 1.15 and `/etc/krb5.conf.d` does not exist there as is not included in /etc/krb5.conf. So +1 for @HonzaCholasta approach. """ See the full comment at https://github.com/freeipa/freeipa/pull/623#issuecomment-289583003 From freeipa-github-notification at redhat.com Mon Mar 27 21:13:59 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 27 Mar 2017 23:13:59 +0200 Subject: [Freeipa-devel] [freeipa PR#517][edited] Use Custodia 0.3 features In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/517 Author: tiran Title: #517: Use Custodia 0.3 features Action: edited Changed field: title Original value: """ Use Custodia 0.3 features """ From freeipa-github-notification at redhat.com Mon Mar 27 21:14:47 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 27 Mar 2017 23:14:47 +0200 Subject: [Freeipa-devel] [freeipa PR#517][comment] Use Custodia 0.3.1 features In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/517 Title: #517: Use Custodia 0.3.1 features tiran commented: """ 0.3.1 with fix for the space in URLs is out. * rawhide build https://koji.fedoraproject.org/koji/taskinfo?taskID=18637684 * F26 scratch build https://koji.fedoraproject.org/koji/taskinfo?taskID=18638045 """ See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-289588268 From freeipa-github-notification at redhat.com Tue Mar 28 06:38:36 2017 From: freeipa-github-notification at redhat.com (dkupka) Date: Tue, 28 Mar 2017 08:38:36 +0200 Subject: [Freeipa-devel] [freeipa PR#660][synchronized] rpcserver.login_x509: Actually return reply from __call__ method In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/660 Author: dkupka Title: #660: rpcserver.login_x509: Actually return reply from __call__ method Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/660/head:pr660 git checkout pr660 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-660.patch Type: text/x-diff Size: 1032 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Mar 28 06:40:22 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 28 Mar 2017 08:40:22 +0200 Subject: [Freeipa-devel] [freeipa PR#656][comment] Backup CA cert from kerberos folder In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/656 Title: #656: Backup CA cert from kerberos folder stlaz commented: """ That's weird, I think it worked for me, I will check once more. """ See the full comment at https://github.com/freeipa/freeipa/pull/656#issuecomment-289677935 From freeipa-github-notification at redhat.com Tue Mar 28 06:47:14 2017 From: freeipa-github-notification at redhat.com (dkupka) Date: Tue, 28 Mar 2017 08:47:14 +0200 Subject: [Freeipa-devel] [freeipa PR#645][+pushed] Create temporaty directories at the begining of uninstall In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/645 Title: #645: Create temporaty directories at the begining of uninstall Label: +pushed From freeipa-github-notification at redhat.com Tue Mar 28 06:47:17 2017 From: freeipa-github-notification at redhat.com (dkupka) Date: Tue, 28 Mar 2017 08:47:17 +0200 Subject: [Freeipa-devel] [freeipa PR#645][comment] Create temporaty directories at the begining of uninstall In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/645 Title: #645: Create temporaty directories at the begining of uninstall dkupka commented: """ master: * 3dcd3426310ccacdb1564ad7fe83358110a044f6 Create temporaty directories at the begining of uninstall ipa-4-5: * c0a395776f3c9e4f4612fa16bb6af40646c3cdbf Create temporaty directories at the begining of uninstall """ See the full comment at https://github.com/freeipa/freeipa/pull/645#issuecomment-289679099 From freeipa-github-notification at redhat.com Tue Mar 28 06:47:20 2017 
From: freeipa-github-notification at redhat.com (dkupka) Date: Tue, 28 Mar 2017 08:47:20 +0200 Subject: [Freeipa-devel] [freeipa PR#645][closed] Create temporaty directories at the begining of uninstall In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/645 Author: dkupka Title: #645: Create temporaty directories at the begining of uninstall Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/645/head:pr645 git checkout pr645 From freeipa-github-notification at redhat.com Tue Mar 28 07:01:41 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 28 Mar 2017 09:01:41 +0200 Subject: [Freeipa-devel] [freeipa PR#652][+ack] dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/652 Title: #652: dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function Label: +ack From freeipa-github-notification at redhat.com Tue Mar 28 07:02:34 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 28 Mar 2017 09:02:34 +0200 Subject: [Freeipa-devel] [freeipa PR#652][+pushed] dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/652 Title: #652: dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function Label: +pushed From freeipa-github-notification at redhat.com Tue Mar 28 07:02:37 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 28 Mar 2017 09:02:37 +0200 Subject: [Freeipa-devel] [freeipa PR#652][closed] dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/652 Author: flo-renaud Title: #652: dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/652/head:pr652 git checkout pr652 From freeipa-github-notification at redhat.com Tue Mar 28 07:02:40 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 28 Mar 2017 09:02:40 +0200 Subject: [Freeipa-devel] [freeipa PR#652][comment] dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/652 Title: #652: dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function HonzaCholasta commented: """ master: * e934da09d5e738c735f874931dd1b54d79b3150b dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function ipa-4-5: * 8f738f1ea9f86a921e3dc0fd02e57419f3173ed9 dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function """ See the full comment at https://github.com/freeipa/freeipa/pull/652#issuecomment-289681810 From freeipa-github-notification at redhat.com Tue Mar 28 07:11:14 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 28 Mar 2017 09:11:14 +0200 Subject: [Freeipa-devel] [freeipa PR#656][comment] Backup CA cert from kerberos folder In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/656 Title: #656: Backup CA cert from kerberos folder stlaz commented: """ Yes, it indeed works for me. """ See the full comment at https://github.com/freeipa/freeipa/pull/656#issuecomment-289683317 From freeipa-github-notification at redhat.com Tue Mar 28 07:18:14 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 28 Mar 2017 09:18:14 +0200 Subject: [Freeipa-devel] [freeipa PR#640][comment] Remove pkinit options from master/replica on DL0 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/640 Title: #640: Remove pkinit options from master/replica on DL0 stlaz commented: """ Ah, right, replica does not have `domain_level` option ? """ See the full comment at https://github.com/freeipa/freeipa/pull/640#issuecomment-289684664 From freeipa-github-notification at redhat.com Tue Mar 28 07:19:11 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Tue, 28 Mar 2017 09:19:11 +0200 Subject: [Freeipa-devel] [freeipa PR#660][+ack] rpcserver.login_x509: Actually return reply from __call__ method In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/660 Title: #660: rpcserver.login_x509: Actually return reply from __call__ method Label: +ack From freeipa-github-notification at redhat.com Tue Mar 28 07:46:35 2017 
From: freeipa-github-notification at redhat.com (flo-renaud) Date: Tue, 28 Mar 2017 09:46:35 +0200 Subject: [Freeipa-devel] [freeipa PR#661][opened] git-commit-template: update ticket url to use pagure.io instead of fe… Message-ID: URL: https://github.com/freeipa/freeipa/pull/661 Author: flo-renaud Title: #661: git-commit-template: update ticket url to use pagure.io instead of fe… Action: opened PR body: """ …dorahosted.org After the migration to pagure.io, tickets are accessed through another URL. In order to use the commit template: git config commit.template .git-commit-template https://pagure.io/freeipa/issue/6822 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/661/head:pr661 git checkout pr661 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-661.patch Type: text/x-diff Size: 815 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Mar 28 08:01:59 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 28 Mar 2017 10:01:59 +0200 Subject: [Freeipa-devel] [freeipa PR#661][+ack] git-commit-template: update ticket url to use pagure.io instead of fe… In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/661 Title: #661: git-commit-template: update ticket url to use pagure.io instead of fe… Label: +ack From freeipa-github-notification at redhat.com Tue Mar 28 08:02:34 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 28 Mar 2017 10:02:34 +0200 Subject: [Freeipa-devel] [freeipa PR#661][comment] git-commit-template: update ticket url to use pagure.io instead of fe… In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/661 Title: #661: git-commit-template: update ticket url to use pagure.io instead of fe… stlaz commented: """ ACK, stopping the tests as the change does not have anything to do with our codebase. """ See the full comment at https://github.com/freeipa/freeipa/pull/661#issuecomment-289693993 From freeipa-github-notification at redhat.com Tue Mar 28 08:07:59 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 28 Mar 2017 10:07:59 +0200 Subject: [Freeipa-devel] [freeipa PR#616][+ack] Simplify KRA transport cert cache In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/616 Title: #616: Simplify KRA transport cert cache Label: +ack From freeipa-github-notification at redhat.com Tue Mar 28 08:11:35 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 28 Mar 2017 10:11:35 +0200 Subject: [Freeipa-devel] [freeipa PR#616][+pushed] Simplify KRA transport cert cache In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/616 Title: #616: Simplify KRA transport cert cache Label: +pushed From freeipa-github-notification at redhat.com Tue Mar 28 08:12:59 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 28 Mar 2017 10:12:59 +0200 Subject: [Freeipa-devel] [freeipa PR#616][comment] Simplify KRA transport cert cache In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/616 Title: #616: Simplify KRA transport cert cache HonzaCholasta commented: """ master: * abefb64bea8ea1b8487ad87716e4a335555d19dc Simplify KRA transport cert cache ipa-4-5: * 2723b5fa5edc75901c8fbaf110a37c87df0aec87 Simplify KRA transport cert cache """ See the full comment at https://github.com/freeipa/freeipa/pull/616#issuecomment-289696220 From freeipa-github-notification at redhat.com Tue Mar 28 08:13:03 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 28 Mar 2017 10:13:03 +0200 Subject: [Freeipa-devel] [freeipa PR#616][closed] Simplify KRA transport cert cache In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/616 Author: tiran Title: #616: Simplify KRA transport cert cache Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/616/head:pr616 git checkout pr616 From freeipa-github-notification at redhat.com Tue Mar 28 08:33:27 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 28 Mar 2017 10:33:27 +0200 Subject: [Freeipa-devel] [freeipa PR#656][comment] Backup CA cert from kerberos folder In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/656 Title: #656: Backup CA cert from kerberos folder MartinBasti commented: """ I tried with DL0: * it may be different bug with DL0 * backup/restore is broken only with DL0 """ See the full comment at https://github.com/freeipa/freeipa/pull/656#issuecomment-289700819 From freeipa-github-notification at redhat.com Tue Mar 28 08:39:01 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 28 Mar 2017 10:39:01 +0200 Subject: [Freeipa-devel] [freeipa PR#656][comment] Backup CA cert from kerberos folder In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/656 Title: #656: Backup CA cert from kerberos folder stlaz commented: """ This seems like a pkinit-related issue, since pkinit is not finished (although released) and should be only available on domain levels > 0, I don't think this should stop us from pushing this, I will investigate the issue nonetheless. """ See the full comment at https://github.com/freeipa/freeipa/pull/656#issuecomment-289702239 From freeipa-github-notification at redhat.com Tue Mar 28 08:51:09 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Tue, 28 Mar 2017 10:51:09 +0200 Subject: [Freeipa-devel] [freeipa PR#643][comment] [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/643 Title: #643: [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work pvomacka commented: """ @dkupka I created a new ticket: https://pagure.io/freeipa/issue/6823 """ See the full comment at https://github.com/freeipa/freeipa/pull/643#issuecomment-289705221 From freeipa-github-notification at redhat.com Tue Mar 28 09:28:33 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 28 Mar 2017 11:28:33 +0200 Subject: [Freeipa-devel] [freeipa PR#656][comment] Backup CA cert from kerberos folder In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/656 Title: #656: Backup CA cert from kerberos folder stlaz commented: """ Works for me on DL0 as well, you might have had a broken installation. """ See the full comment at https://github.com/freeipa/freeipa/pull/656#issuecomment-289714596 From freeipa-github-notification at redhat.com Tue Mar 28 09:55:13 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 28 Mar 2017 11:55:13 +0200 Subject: [Freeipa-devel] [freeipa PR#656][comment] Backup CA cert from kerberos folder In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/656 Title: #656: Backup CA cert from kerberos folder MartinBasti commented: """ Yeah and I found where, it fails with #640 This PR can be pushed and ticket closed """ See the full comment at https://github.com/freeipa/freeipa/pull/656#issuecomment-289720981 From freeipa-github-notification at redhat.com Tue Mar 28 09:55:43 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 28 Mar 2017 11:55:43 +0200 Subject: [Freeipa-devel] [freeipa PR#640][comment] Remove pkinit options from master/replica on DL0 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/640 Title: #640: Remove pkinit options from master/replica on DL0 MartinBasti commented: """ With this PR applied I cannot use webUI with DL0 """ See the full comment at https://github.com/freeipa/freeipa/pull/640#issuecomment-289721101 From freeipa-github-notification at redhat.com Tue Mar 28 10:33:05 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 28 Mar 2017 12:33:05 +0200 Subject: [Freeipa-devel] [freeipa PR#655][comment] httpinstance.disable_system_trust: Don't fail if module 'Root Certs' … In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/655 Title: #655: httpinstance.disable_system_trust: Don't fail if module 'Root Certs' … stlaz commented: """ This fixes the mentioned issue. I did not test whether the actual disable works but I should hope so as I don't see how this could break it. """ See the full comment at https://github.com/freeipa/freeipa/pull/655#issuecomment-289729611 From freeipa-github-notification at redhat.com Tue Mar 28 10:33:10 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 28 Mar 2017 12:33:10 +0200 Subject: [Freeipa-devel] [freeipa PR#655][+ack] httpinstance.disable_system_trust: Don't fail if module 'Root Certs' … In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/655 Title: #655: httpinstance.disable_system_trust: Don't fail if module 'Root Certs' … Label: +ack From freeipa-github-notification at redhat.com Tue Mar 28 10:47:20 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 28 Mar 2017 12:47:20 +0200 Subject: [Freeipa-devel] [freeipa PR#662][opened] spec file: bump krb5-devel BuildRequires for certauth Message-ID: URL: https://github.com/freeipa/freeipa/pull/662 Author: HonzaCholasta Title: #662: spec file: bump krb5-devel BuildRequires for certauth Action: opened PR body: """ Bump BuildRequires on krb5-devel to the version which introduces the certauth pluggable interface. This fixes RPM build failure when an older version of krb5-devel was installed. https://pagure.io/freeipa/issue/4905 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/662/head:pr662 git checkout pr662 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-662.patch Type: text/x-diff Size: 1307 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Mar 28 11:00:51 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 28 Mar 2017 13:00:51 +0200 Subject: [Freeipa-devel] [freeipa PR#517][comment] Use Custodia 0.3.1 features In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/517 Title: #517: Use Custodia 0.3.1 features tiran commented: """ F25 scratch build https://koji.fedoraproject.org/koji/taskinfo?taskID=18643521 ``` $ fedpkg clone custodia $ cd custodia $ fedpkg switch-branch master $ fedpkg scratch-build --srpm --target f25 ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-289735201 From freeipa-github-notification at redhat.com Tue Mar 28 11:05:24 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Tue, 28 Mar 2017 13:05:24 +0200 Subject: [Freeipa-devel] [freeipa PR#660][+pushed] rpcserver.login_x509: Actually return reply from __call__ method In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/660 Title: #660: rpcserver.login_x509: Actually return reply from __call__ method Label: +pushed From freeipa-github-notification at redhat.com Tue Mar 28 11:05:27 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Tue, 28 Mar 2017 13:05:27 +0200 Subject: [Freeipa-devel] [freeipa PR#660][closed] rpcserver.login_x509: Actually return reply from __call__ method In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/660 Author: dkupka Title: #660: rpcserver.login_x509: Actually return reply from __call__ method Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/660/head:pr660 git checkout pr660 From freeipa-github-notification at redhat.com Tue Mar 28 11:05:30 2017 
From: freeipa-github-notification at redhat.com (pvomacka) Date: Tue, 28 Mar 2017 13:05:30 +0200 Subject: [Freeipa-devel] [freeipa PR#660][comment] rpcserver.login_x509: Actually return reply from __call__ method In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/660 Title: #660: rpcserver.login_x509: Actually return reply from __call__ method pvomacka commented: """ ipa-4-5: * c80941e98bfd00c1c6e530aa4a592354adff8d90 rpcserver.login_x509: Actually return reply from __call__ method master: * 7e1fdd2c5881893fd9540689045a11f9e88beef9 rpcserver.login_x509: Actually return reply from __call__ method """ See the full comment at https://github.com/freeipa/freeipa/pull/660#issuecomment-289736121 From freeipa-github-notification at redhat.com Tue Mar 28 11:08:49 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 28 Mar 2017 13:08:49 +0200 Subject: [Freeipa-devel] [freeipa PR#623][comment] client install: do not assume /etc/krb5.conf.d exists In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/623 Title: #623: client install: do not assume /etc/krb5.conf.d exists tiran commented: """ The ipa-certauth plugin now starts to rely on the existence of ```/etc/krb5.conf.d```: ``` %config(noreplace) %{_sysconfdir}/krb5.conf.d/ipa-certauth ``` **Practicality beats purity**, let's make ```/etc/krb5.conf.d``` part of the official FreeIPA configuration settings on all IPA enrolled systems. """ See the full comment at https://github.com/freeipa/freeipa/pull/623#issuecomment-289736798 From freeipa-github-notification at redhat.com Tue Mar 28 11:11:35 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 28 Mar 2017 13:11:35 +0200 Subject: [Freeipa-devel] [freeipa PR#517][comment] Use Custodia 0.3.1 features In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/517 Title: #517: Use Custodia 0.3.1 features MartinBasti commented: """ Probably we should bump requires to custodia >= 0.3.1 """ See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-289737346 From freeipa-github-notification at redhat.com Tue Mar 28 11:13:23 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 28 Mar 2017 13:13:23 +0200 Subject: [Freeipa-devel] [freeipa PR#661][+pushed] git-commit-template: update ticket url to use pagure.io instead of fe… In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/661 Title: #661: git-commit-template: update ticket url to use pagure.io instead of fe… Label: +pushed From freeipa-github-notification at redhat.com Tue Mar 28 11:13:26 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 28 Mar 2017 13:13:26 +0200 Subject: [Freeipa-devel] [freeipa PR#661][comment] git-commit-template: update ticket url to use pagure.io instead of fe… In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/661 Title: #661: git-commit-template: update ticket url to use pagure.io instead of fe… tomaskrizek commented: """ master: * f17460a34ce452b46d431850aa565efd6c7b23ba git-commit-template: update ticket url to use pagure.io instead of fedorahosted.org """ See the full comment at https://github.com/freeipa/freeipa/pull/661#issuecomment-289737719 From freeipa-github-notification at redhat.com Tue Mar 28 11:13:29 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 28 Mar 2017 13:13:29 +0200 Subject: [Freeipa-devel] [freeipa PR#661][closed] git-commit-template: update ticket url to use pagure.io instead of fe… In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/661 Author: flo-renaud Title: #661: git-commit-template: update ticket url to use pagure.io instead of fe… Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/661/head:pr661 git checkout pr661 From freeipa-github-notification at redhat.com Tue Mar 28 11:17:25 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 28 Mar 2017 13:17:25 +0200 Subject: [Freeipa-devel] [freeipa PR#656][comment] Backup CA cert from kerberos folder In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/656 Title: #656: Backup CA cert from kerberos folder tomaskrizek commented: """ master: * dc13703e75997e0c9539b326acb13458dae00202 Backup CA cert from kerberos folder ipa-4-5: * 9fdc27ba3594e921d21d664fc5728292e52ac350 Backup CA cert from kerberos folder """ See the full comment at https://github.com/freeipa/freeipa/pull/656#issuecomment-289738530 From freeipa-github-notification at redhat.com Tue Mar 28 11:17:28 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 28 Mar 2017 13:17:28 +0200 Subject: [Freeipa-devel] [freeipa PR#656][+pushed] Backup CA cert from kerberos folder In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/656 Title: #656: Backup CA cert from kerberos folder Label: +pushed From freeipa-github-notification at redhat.com Tue Mar 28 11:17:31 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 28 Mar 2017 13:17:31 +0200 Subject: [Freeipa-devel] [freeipa PR#656][closed] Backup CA cert from kerberos folder In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/656 Author: stlaz Title: #656: Backup CA cert from kerberos folder Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/656/head:pr656 git checkout pr656 From freeipa-github-notification at redhat.com Tue Mar 28 11:19:01 2017 From: freeipa-github-notification at redhat.com (lslebodn) Date: Tue, 28 Mar 2017 13:19:01 +0200 Subject: [Freeipa-devel] [freeipa PR#623][comment] client install: do not assume /etc/krb5.conf.d exists In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/623 Title: #623: client install: do not assume /etc/krb5.conf.d exists lslebodn commented: """ On (28/03/17 04:08), Christian Heimes wrote: >The ipa-certauth plugin now starts to rely on the existence of ```/etc/krb5.conf.d```: > >``` >%config(noreplace) %{_sysconfdir}/krb5.conf.d/ipa-certauth >``` > The upstream spec file is fedora/rhel spec files and fedora+rhel have `%{_sysconfdir}/krb5.conf.d/`. I cannot see any problem. >**Practicality beats purity**, let's make ```/etc/krb5.conf.d``` part of the official FreeIPA configuration settings on all IPA enrolled systems. > But neither debian nor arch linux/opensuse have this directory (or any other) included by default in `/etc/krb5.conf`. I would like to see standard directory for krb5 snippet files. But that should be solved in distribution. And just used by freeipa. LS """ See the full comment at https://github.com/freeipa/freeipa/pull/623#issuecomment-289738839 From freeipa-github-notification at redhat.com Tue Mar 28 11:24:19 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 28 Mar 2017 13:24:19 +0200 Subject: [Freeipa-devel] [freeipa PR#517][comment] Use Custodia 0.3.1 features In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/517 Title: #517: Use Custodia 0.3.1 features MartinBasti commented: """ Works for me, can be pushed when dependencies bumped """ See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-289739858 From freeipa-github-notification at redhat.com Tue Mar 28 11:37:12 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 28 Mar 2017 13:37:12 +0200 Subject: [Freeipa-devel] [freeipa PR#649][+pushed] Session cookie storage and handling fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/649 Title: #649: Session cookie storage and handling fixes Label: +pushed From freeipa-github-notification at redhat.com Tue Mar 28 11:37:21 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 28 Mar 2017 13:37:21 +0200 Subject: [Freeipa-devel] [freeipa PR#649][comment] Session cookie storage and handling fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/649 Title: #649: Session cookie storage and handling fixes tomaskrizek commented: """ master: * 9a6ac74eb4421b9ffa831dc6fed067d2ddc0618e Avoid growing FILE ccaches unnecessarily * fbbeb132bf37f8a03ef2f2184adb11796ab13d8b Handle failed authentication via cookie * e07aefb886096a7d419a4f1a2dec287e5ecd1626 Work around issues fetching session data * d63326632b796a5ec9c6468c5ffe0c5a846501e1 Prevent churn on ccaches """ See the full comment at https://github.com/freeipa/freeipa/pull/649#issuecomment-289742598 From freeipa-github-notification at redhat.com Tue Mar 28 11:37:25 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 28 Mar 2017 13:37:25 +0200 Subject: [Freeipa-devel] [freeipa PR#649][closed] Session cookie storage and handling fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/649 Author: simo5 Title: #649: Session cookie storage and handling fixes Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/649/head:pr649 git checkout pr649 From freeipa-github-notification at redhat.com Tue Mar 28 11:37:46 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 28 Mar 2017 13:37:46 +0200 Subject: [Freeipa-devel] [freeipa PR#649][comment] Session cookie storage and handling fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/649 Title: #649: Session cookie storage and handling fixes tomaskrizek commented: """ @simo5 Please rebase for `ipa-4-5`. """ See the full comment at https://github.com/freeipa/freeipa/pull/649#issuecomment-289742723 From freeipa-github-notification at redhat.com Tue Mar 28 11:41:15 2017 From: freeipa-github-notification at redhat.com (dkupka) Date: Tue, 28 Mar 2017 13:41:15 +0200 Subject: [Freeipa-devel] [freeipa PR#643][synchronized] [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/643 Author: dkupka Title: #643: [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/643/head:pr643 git checkout pr643 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-643.patch Type: text/x-diff Size: 1742 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Mar 28 11:57:00 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 28 Mar 2017 13:57:00 +0200 Subject: [Freeipa-devel] [freeipa PR#663][opened] Generate PIN for PKI to help Dogtag in FIPS Message-ID: URL: https://github.com/freeipa/freeipa/pull/663 Author: stlaz Title: #663: Generate PIN for PKI to help Dogtag in FIPS Action: opened PR body: """ Dogtag is currently unable to generate a PIN it could use for an NSS database creation in FIPS. Generate it for them so that we don't fail. https://pagure.io/freeipa/issue/6824 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/663/head:pr663 git checkout pr663 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-663.patch Type: text/x-diff Size: 2470 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Mar 28 12:00:30 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 28 Mar 2017 14:00:30 +0200 Subject: [Freeipa-devel] [freeipa PR#623][comment] client install: do not assume /etc/krb5.conf.d exists In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/623 Title: #623: client install: do not assume /etc/krb5.conf.d exists tiran commented: """ **Practicality beats purity** Let's define ```/etc/krb5.conf.d``` as part of our API and don't waste more time on shaving yet another yak. @tjaalton (Debian/Ubuntu maintainer) said > fine by me """ See the full comment at https://github.com/freeipa/freeipa/pull/623#issuecomment-289747474 From freeipa-github-notification at redhat.com Tue Mar 28 12:23:58 2017 
From: freeipa-github-notification at redhat.com (pvomacka) Date: Tue, 28 Mar 2017 14:23:58 +0200 Subject: [Freeipa-devel] [freeipa PR#643][+ack] [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/643 Title: #643: [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work Label: +ack From freeipa-github-notification at redhat.com Tue Mar 28 12:26:11 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 28 Mar 2017 14:26:11 +0200 Subject: [Freeipa-devel] [freeipa PR#517][synchronized] Use Custodia 0.3.1 features In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/517 Author: tiran Title: #517: Use Custodia 0.3.1 features Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/517/head:pr517 git checkout pr517 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-517.patch Type: text/x-diff Size: 7608 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Mar 28 12:26:44 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Tue, 28 Mar 2017 14:26:44 +0200 Subject: [Freeipa-devel] [freeipa PR#643][+pushed] [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/643 Title: #643: [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work Label: +pushed From freeipa-github-notification at redhat.com Tue Mar 28 12:26:47 2017 
From: freeipa-github-notification at redhat.com (pvomacka) Date: Tue, 28 Mar 2017 14:26:47 +0200 Subject: [Freeipa-devel] [freeipa PR#643][comment] [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/643 Title: #643: [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work pvomacka commented: """ ipa-4-5: * aa24ed88006925e6d7e44567b087364b0116db9c spec file: Bump requires to make Certificate Login in WebUI work master: * 27d13d90fe9b06618c88bc20b7d6540e6b4d367f spec file: Bump requires to make Certificate Login in WebUI work """ See the full comment at https://github.com/freeipa/freeipa/pull/643#issuecomment-289753377 From freeipa-github-notification at redhat.com Tue Mar 28 12:26:51 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Tue, 28 Mar 2017 14:26:51 +0200 Subject: [Freeipa-devel] [freeipa PR#643][closed] [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/643 Author: dkupka Title: #643: [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/643/head:pr643 git checkout pr643 From freeipa-github-notification at redhat.com Tue Mar 28 12:44:32 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 28 Mar 2017 14:44:32 +0200 Subject: [Freeipa-devel] [freeipa PR#517][+ack] Use Custodia 0.3.1 features In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/517 Title: #517: Use Custodia 0.3.1 features Label: +ack From freeipa-github-notification at redhat.com Tue Mar 28 12:45:39 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 28 Mar 2017 14:45:39 +0200 Subject: [Freeipa-devel] [freeipa PR#623][synchronized] client install: do not assume /etc/krb5.conf.d exists In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/623 Author: HonzaCholasta Title: #623: client install: do not assume /etc/krb5.conf.d exists Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/623/head:pr623 git checkout pr623 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-623.patch Type: text/x-diff Size: 9257 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Mar 28 12:58:26 2017 From: freeipa-github-notification at redhat.com (simo5) Date: Tue, 28 Mar 2017 14:58:26 +0200 Subject: [Freeipa-devel] [freeipa PR#649][comment] Session cookie storage and handling fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/649 Title: #649: Session cookie storage and handling fixes simo5 commented: """ Should I make a new PR for 4.5 ? """ See the full comment at https://github.com/freeipa/freeipa/pull/649#issuecomment-289761195 From bishopbm1 at gmail.com Tue Mar 28 13:00:12 2017 
From: bishopbm1 at gmail.com (Bradley Bishop) Date: Tue, 28 Mar 2017 09:00:12 -0400 Subject: [Freeipa-devel] Issue with clients Message-ID: Hello, I am new to this community and have a FreeIPA server install that is trusted to AD using AD DNS. I am having problems getting my clients to work properly. Everything seems to install properly the first time I try it but I get the following logs after that: (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [sdap_cli_connect_recv] (0x0040): Unable to establish connection [1432158225]: Authentication Failed (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [_be_fo_set_port_status] (0x8000): Setting status: PORT_NOT_WORKING. Called from: src/providers/ldap/sdap_async_connection.c: sdap_cli_connect_recv: 2048 (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'homeipa01.brad.local' as 'not working' (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [fo_set_port_status] (0x0400): Marking port 0 of duplicate server 'homeipa01.brad.local' as 'not working' (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [sdap_handle_release] (0x2000): Trace: sh[0x7efdeeccb150], connected[1], ops[(nil)], ldap[0x7efdeecf6730], destructor_lock[0], release_memory[0] (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [remove_connection_callback] (0x4000): Successfully removed connection callback. 
(Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [sdap_id_op_connect_done] (0x4000): attempting failover retry on op #1 (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [sdap_id_op_connect_step] (0x4000): beginning to connect (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA' (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [get_server_status] (0x1000): Status of server 'homeipa01.brad.local' is 'name resolved' (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [get_port_status] (0x1000): Port status of port 389 for server 'homeipa01.brad.local' is 'not working' (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [get_server_status] (0x1000): Status of server 'homeipa01.brad.local' is 'name resolved' (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [get_port_status] (0x1000): Port status of port 0 for server 'homeipa01.brad.local' is 'not working' (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [fo_resolve_service_send] (0x0020): No available servers for service 'IPA' (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [sdap_id_op_connect_done] (0x4000): attempting failover retry on op #2 (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [sdap_id_op_connect_step] (0x4000): waiting for connection to complete (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [sdap_id_release_conn_data] (0x4000): releasing unused connection (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [be_resolve_server_done] (0x1000): Server resolution failed: [5]: Input/output error (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error]) (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [be_mark_offline] (0x2000): Going offline! (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [be_mark_offline] (0x2000): Enable check_if_online_ptask. 
(Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [be_ptask_enable] (0x0400): Task [Check if online (periodic)]: enabling task (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [be_ptask_schedule] (0x0400): Task [Check if online (periodic)]: scheduling task 73 seconds from now [1490682941] (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks. (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [sdap_id_op_connect_done] (0x4000): notify offline to op #1 (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [ipa_subdomains_refresh_connect_done] (0x0020): Unable to connect to LDAP [11]: Resource temporarily unavailable (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [ipa_subdomains_refresh_connect_done] (0x0080): No IPA server is available, cannot get the subdomain list while offline (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [be_ptask_done] (0x0040): Task [Subdomains Refresh]: failed with [1432158212]: SSSD is offline (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [be_ptask_schedule] (0x0400): Task [Subdomains Refresh]: scheduling task 14400 seconds from now [1490697268] (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [sdap_id_op_connect_done] (0x4000): notify offline to op #2 (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [ipa_sudo_refresh_connect_done] (0x0020): SUDO LDAP connection failed [11]: Resource temporarily unavailable (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [be_ptask_done] (0x0040): Task [SUDO Full Refresh]: failed with [11]: Resource temporarily unavailable (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [be_ptask_schedule] (0x0400): Task [SUDO Full Refresh]: scheduling task 21600 seconds from now [1490704468] (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [sdap_id_release_conn_data] (0x4000): releasing unused connection (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [delayed_online_authentication_callback] 
(0x0200): Backend is online, starting delayed online authentication. (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [be_ptask_disable] (0x0400): Task [Subdomains Refresh]: disabling task (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [be_ptask_disable] (0x0400): Task [SUDO Smart Refresh]: disabling task (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [be_ptask_disable] (0x0400): Task [SUDO Full Refresh]: disabling task (Tue Mar 28 02:34:28 2017) [sssd[be[ipa.brad.local]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/lib/sss/pubconf/kpasswdinfo.IPA.BRAD.LOCAL], [2][No such file or directory] (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [be_ptask_execute] (0x0400): Back end is offline (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [be_ptask_execute] (0x0400): Task [Check if online (periodic)]: executing task, timeout 60 seconds (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [be_run_unconditional_online_cb] (0x4000): List of unconditional online callbacks is empty, nothing to do. (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [check_if_online] (0x2000): Trying to go back online! 
(Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [fo_reset_services] (0x1000): Resetting all servers in all services (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'IPA' as 'neutral' (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [set_server_common_status] (0x0100): Marking server 'homeipa01.brad.local' as 'name not resolved' (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'homeipa01.brad.local' as 'neutral' (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'homeipa01.brad.local' as 'neutral' (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [set_server_common_status] (0x0100): Marking server 'homeipa01.brad.local' as 'name not resolved' (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'homeipa01.brad.local' as 'neutral' (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [fo_set_port_status] (0x0400): Marking port 0 of duplicate server 'homeipa01.brad.local' as 'neutral' (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [dp_attach_req] (0x0400): DP Request [Online Check #8]: New request. Flags [0000]. 
(Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [dp_attach_req] (0x0400): Number of active DP request: 1 (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA' (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [get_server_status] (0x1000): Status of server 'homeipa01.brad.local' is 'name not resolved' (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [get_port_status] (0x1000): Port status of port 389 for server 'homeipa01.brad.local' is 'neutral' (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [resolve_srv_send] (0x0200): The status of SRV lookup is neutral (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [collapse_srv_lookup] (0x0100): Need to refresh SRV lookup for domain ipa.brad.local (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [resolv_discover_srv_next_domain] (0x0400): SRV resolution of service 'ldap'. 
Will use DNS discovery domain 'ipa.brad.local' (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.ipa.brad.local' (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [be_ptask_done] (0x0400): Task [Check if online (periodic)]: finished successfully (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [be_ptask_schedule] (0x0400): Task [Check if online (periodic)]: scheduling task 67 seconds from last execution time [1490683008] (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 6 seconds (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [unschedule_timeout_watcher] (0x4000): Unscheduling DNS timeout watcher (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [resolv_getsrv_done] (0x1000): Using TTL [3600] (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [request_watch_destructor] (0x0400): Deleting request watch (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [fo_discover_srv_done] (0x0400): Got answer. Processing... 
(Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [fo_discover_srv_done] (0x0400): Got 1 servers (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [fo_add_server_to_list] (0x0400): Inserted primary server 'homeipa01.brad.local:389' to service 'IPA' (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'IPA' as 'resolved' (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [get_server_status] (0x1000): Status of server 'homeipa01.brad.local' is 'name not resolved' (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [resolv_is_address] (0x4000): [homeipa01.brad.local] does not look like an IP address (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [resolv_gethostbyname_step] (0x2000): Querying files (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'homeipa01.brad.local' in files (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [set_server_common_status] (0x0100): Marking server 'homeipa01.brad.local' as 'resolving name' (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [resolv_gethostbyname_step] (0x2000): Querying files (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'homeipa01.brad.local' in files (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [resolv_gethostbyname_next] (0x0200): No more address families to retry (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [resolv_gethostbyname_step] (0x2000): Querying DNS (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'homeipa01.brad.local' in DNS (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 6 seconds (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout 
watcher (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [unschedule_timeout_watcher] (0x4000): Unscheduling DNS timeout watcher (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [resolv_gethostbyname_dns_parse] (0x1000): Parsing an A reply (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [request_watch_destructor] (0x0400): Deleting request watch (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [set_server_common_status] (0x0100): Marking server 'homeipa01.brad.local' as 'name resolved' (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [be_resolve_server_process] (0x1000): Saving the first resolved server (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [be_resolve_server_process] (0x0200): Found address for server homeipa01.brad.local: [11.10.10.17] TTL 3600 (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [ipa_resolve_callback] (0x0400): Constructed uri 'ldap://homeipa01.brad.local' (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [unique_filename_destructor] (0x2000): Unlinking [/var/lib/sss/pubconf/.krb5info_dummy_ir439Z] (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [unlink_dbg] (0x2000): File already removed: [/var/lib/sss/pubconf/.krb5info_dummy_ir439Z] (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sssd_async_socket_init_send] (0x4000): Using file descriptor [21] for the connection. (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sssd_async_socket_init_send] (0x0400): Setting 6 seconds timeout for connecting (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap://homeipa01.brad.local:389/??base] with fd [21]. 
(Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sdap_get_rootdse_send] (0x4000): Getting rootdse (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sdap_print_server] (0x2000): Searching 11.10.10.17:389 (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][]. (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [*] (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [altServer] (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [namingContexts] (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedControl] (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedExtension] (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedFeatures] (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedLDAPVersion] (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedSASLMechanisms] (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [domainControllerFunctionality] (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [defaultNamingContext] (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [lastUSN] (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [highestCommittedUSN] (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sdap_get_generic_ext_step] (0x2000): 
ldap_search_ext called, msgid = 1 (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sdap_op_add] (0x2000): New operation 1 timeout 6 (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7efdeecce630], connected[1], ops[0x7efdeecff7a0], ldap[0x7efdeecae060] (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY] (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sdap_parse_entry] (0x1000): OriginalDN: []. (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [vendorName] (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [vendorVersion] (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [dataversion] (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [netscapemdsuffix] (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [changeLog] (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [firstchangenumber] (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [lastchangenumber] (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipatopologypluginversion] (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipatopologyismanaged] (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaDomainLevel] (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sdap_parse_range] (0x2000): No sub-attributes for 
[namingContexts] (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [supportedControl] (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [supportedExtension] (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [supportedFeatures] (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [supportedLDAPVersion] (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [supportedSASLMechanisms] (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [defaultNamingContext] (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [lastUSN] (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7efdeecce630], connected[1], ops[0x7efdeecff7a0], ldap[0x7efdeecae060] (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sdap_op_destructor] (0x2000): Operation 1 finished (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sdap_get_rootdse_done] (0x2000): Got rootdse (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sdap_get_rootdse_done] (0x2000): Skipping auto-detection of match rule (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sdap_get_server_opts_from_rootdse] (0x4000): USN value: 26095 (int: 26095) (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sdap_kinit_send] (0x0400): Attempting kinit (default, host/bradltest01.brad.local, IPA.BRAD.LOCAL, 86400) (Tue Mar 28 02:35:41 2017) 
[sssd[be[ipa.brad.local]]] [sdap_kinit_next_kdc] (0x1000): Resolving next KDC for service IPA (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA' (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [get_server_status] (0x1000): Status of server 'homeipa01.brad.local' is 'name resolved' (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [get_server_status] (0x1000): Status of server 'homeipa01.brad.local' is 'name resolved' (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [be_resolve_server_process] (0x1000): Saving the first resolved server (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [be_resolve_server_process] (0x0200): Found address for server homeipa01.brad.local: [11.10.10.17] TTL 3600 (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sdap_kinit_kdc_resolved] (0x1000): KDC resolved, attempting to get TGT... 
(Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [create_tgt_req_send_buffer] (0x0400): buffer size: 65 (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [11463] (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [child_handler_setup] (0x2000): Signal handler set up for pid [11463] (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7efdeecce630], connected[1], ops[(nil)], ldap[0x7efdeecae060] (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [write_pipe_handler] (0x0400): All data has been sent! (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [child_sig_handler] (0x1000): Waiting for child [11463]. (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [child_sig_handler] (0x0100): child [11463] finished successfully. 
(Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [read_pipe_handler] (0x0400): EOF received, client finished (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_IPA.BRAD.LOCAL], expired on [1490769341] (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900 (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sdap_cli_auth_step] (0x1000): the connection will expire at 1490683841 (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: host/bradltest01.brad.local (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error] (Tue Mar 28 02:35:41 2017) [sssd[be[ipa.brad.local]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server krbtgt/BRAD.LOCAL at IPA.BRAD.LOCAL not found in Kerberos database)]

If I uninstall and try to install again I get the following error:

/usr/sbin/ipa-client-install was invoked with options: {'domain': 'ipa.brad.local', 'force': False, 'krb5_offline_passwords': True, 'ip_addresses': [], 'configure_firefox': False, 'primary': False, 'realm_name': None, 'force_ntpd': False, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': False, 'on_master': False, 'no_nisdomain': False, 'nisdomain': None, 'ca_cert_file': None, 'principal': 'admin', 'keytab': None, 'hostname': None, 'request_cert': False, 'trust_sshfp': True, 'no_ac': False, 'unattended': None, 'all_ip_addresses': False, 'location': None, 'sssd': True, 'ntp_servers': None, 'kinit_attempts': 5, 'dns_updates': False, 'conf_sudo': True, 'conf_ssh': True, 'force_join': False, 'firefox_dir': None, 'server': None, 'prompt_password': False, 'permit': True, 'debug': True, 'preserve_sssd': False, 'mkhomedir': False, 'uninstall':
False} missing options might be asked for interactively later IPA version 4.4.0-14.el7.centos.6 [IPA Discovery] Starting IPA discovery with domain=ipa.brad.local, servers=None, hostname=bradltest01.brad.local Search for LDAP SRV record in ipa.brad.local Search DNS for SRV record of _ldap._tcp.ipa.brad.local DNS record found: 0 100 389 homeipa01.brad.local. [Kerberos realm search] Search DNS for TXT record of _kerberos.ipa.brad.local DNS record not found: NXDOMAIN Search DNS for SRV record of _kerberos._udp.ipa.brad.local DNS record found: 0 100 88 homeipa01.brad.local. [LDAP server check] Verifying that homeipa01.brad.local (realm None) is an IPA server Init LDAP connection to: homeipa01.brad.local Search LDAP server for IPA base DN Check if naming context 'dc=ipa,dc=brad,dc=local' is for IPA Naming context 'dc=ipa,dc=brad,dc=local' is a valid IPA context Search for (objectClass=krbRealmContainer) in dc=ipa,dc=brad,dc=local (sub) Found: cn=IPA.BRAD.LOCAL,cn=kerberos,dc=ipa,dc=brad,dc=local Discovery result: Success; server=homeipa01.brad.local, domain=ipa.brad.local, kdc=homeipa01.brad.local, basedn=dc=ipa,dc=brad,dc=local Validated servers: homeipa01.brad.local will use discovered domain: ipa.brad.local Start searching for LDAP SRV record in "ipa.brad.local" (Validating DNS Discovery) and its sub-domains Search DNS for SRV record of _ldap._tcp.ipa.brad.local DNS record found: 0 100 389 homeipa01.brad.local. DNS validated, enabling discovery will use discovered server: homeipa01.brad.local Discovery was successful! 
will use discovered realm: IPA.BRAD.LOCAL will use discovered basedn: dc=ipa,dc=brad,dc=local Client hostname: bradltest01.brad.local Hostname source: Machine's FQDN Realm: IPA.BRAD.LOCAL Realm source: Discovered from LDAP DNS records in homeipa01.brad.local DNS Domain: ipa.brad.local DNS Domain source: Discovered LDAP SRV records from ipa.brad.local IPA Server: homeipa01.brad.local IPA Server source: Discovered from LDAP DNS records in homeipa01.brad.local BaseDN: dc=ipa,dc=brad,dc=local BaseDN source: From IPA server ldap://homeipa01.brad.local:389 Continue to configure the system with these values? [no]: yes Starting external process args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r IPA.BRAD.LOCAL Process finished, return code=5 stdout= stderr=realm not found Skipping synchronizing time with NTP server. Starting external process args=keyctl get_persistent @s 0 Process finished, return code=0 stdout=104729494 stderr= Enabling persistent keyring CCACHE Writing Kerberos configuration to /tmp/tmpsd7Fyb: #File modified by ipa-client-install includedir /etc/krb5.conf.d/ includedir /var/lib/sss/pubconf/krb5.include.d/ [libdefaults] default_realm = IPA.BRAD.LOCAL dns_lookup_realm = false dns_lookup_kdc = false rdns = false ticket_lifetime = 24h forwardable = true udp_preference_limit = 0 default_ccache_name = KEYRING:persistent:%{uid} [realms] IPA.BRAD.LOCAL = { kdc = homeipa01.brad.local:88 master_kdc = homeipa01.brad.local:88 admin_server = homeipa01.brad.local:749 kpasswd_server = homeipa01.brad.local:464 default_domain = ipa.brad.local pkinit_anchors = FILE:/etc/ipa/ca.crt } [domain_realm] .ipa.brad.local = IPA.BRAD.LOCAL ipa.brad.local = IPA.BRAD.LOCAL bradltest01.brad.local = IPA.BRAD.LOCAL .brad.local = IPA.BRAD.LOCAL brad.local = IPA.BRAD.LOCAL Initializing principal admin at IPA.BRAD.LOCAL using password Starting external process args=/usr/bin/kinit admin at IPA.BRAD.LOCAL -c /tmp/krbccfpGaQu/ccache Process finished, return code=0 stdout=Password for admin at 
IPA.BRAD.LOCAL: stderr= trying to retrieve CA cert via LDAP from homeipa01.brad.local get_ca_certs_from_ldap() error: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server krbtgt/BRAD.LOCAL at IPA.BRAD.LOCAL not found in Kerberos database) Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server krbtgt/BRAD.LOCAL at IPA.BRAD.LOCAL not found in Kerberos database) Unable to download CA cert from LDAP. Do you want to download the CA cert from http://homeipa01.brad.local/ipa/config/ca.crt? (this is INSECURE) [no]: yes Downloading the CA certificate via HTTP, this is INSECURE trying to retrieve CA cert via HTTP from http://homeipa01.brad.local/ipa/config/ca.crt Starting external process args=/usr/bin/curl -o - http://homeipa01.brad.local/ipa/config/ca.crt Process finished, return code=0 stdout=[two PEM-encoded certificates omitted] stderr= % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 4402 100 4402 0 0 597k 0 --:--:-- --:--:-- --:--:-- 614k Successfully retrieved CA cert Subject: CN=brad-HOMECA01-CA,DC=brad,DC=local Issuer: CN=brad-HOMECA01-CA,DC=brad,DC=local Valid From: Sat Jan 21 00:10:39 2017 UTC Valid Until: Fri Jan 21 00:20:38 2022 UTC Subject: CN=Certificate Authority,O=IPA.BRAD.LOCAL Issuer: CN=brad-HOMECA01-CA,DC=brad,DC=local Valid
From: Sat Mar 25 20:45:37 2017 UTC Valid Until: Mon Mar 25 20:55:37 2019 UTC Starting external process args=/usr/sbin/ipa-join -s homeipa01.brad.local -b dc=ipa,dc=brad,dc=local -h bradltest01.brad.local -d Process finished, return code=17 stdout= stderr=XML-RPC CALL: \r\n \r\n join\r\n \r\n \r\n bradltest01.brad.local\r\n \r\n \r\n nsosversion\r\n 3.10.0-514.6.1.el7.x86_64\r\n nshardwareplatform\r\n x86_64\r\n \r\n \r\n \r\n * About to connect() to homeipa01.brad.local port 443 (#0) * Trying 11.10.10.17... * Connected to homeipa01.brad.local (11.10.10.17) port 443 (#0) * Initializing NSS with certpath: sql:/etc/pki/nssdb * CAfile: /etc/ipa/ca.crt CApath: none * SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 * Server certificate: * subject: CN=homeipa01.brad.local,O=IPA.BRAD.LOCAL * start date: Mar 25 21:13:09 2017 GMT * expire date: Mar 25 20:55:37 2019 GMT * common name: homeipa01.brad.local * issuer: CN=Certificate Authority,O=IPA.BRAD.LOCAL > POST /ipa/xml HTTP/1.1 Host: homeipa01.brad.local Accept: */* Content-Type: text/xml User-Agent: ipa-join/4.4.0 Referer: https://homeipa01.brad.local/ipa/xml X-Original-User-Agent: Xmlrpc-c/1.32.5 Curl/7.29.0 Content-Length: 482 * upload completely sent off: 482 out of 482 bytes < HTTP/1.1 401 Unauthorized < Date: Tue, 28 Mar 2017 12:57:48 GMT < Server: Apache/2.4.6 (CentOS) mod_auth_gssapi/1.4.0 mod_nss/1.0.14 NSS/3.21 Basic ECC mod_wsgi/3.4 Python/2.7.5 * gss_init_sec_context() failed: : Server krbtgt/BRAD.LOCAL at IPA.BRAD.LOCAL not found in Kerberos database < WWW-Authenticate: Negotiate < X-Frame-Options: DENY < Content-Security-Policy: frame-ancestors 'none' < Last-Modified: Fri, 03 Mar 2017 00:56:04 GMT < Accept-Ranges: bytes < Content-Length: 1474 < Content-Type: text/html; charset=UTF-8 < * Connection #0 to host homeipa01.brad.local left intact HTTP response code is 401, not 200 Joining realm failed: XML-RPC CALL: \r\n \r\n join\r\n \r\n \r\n bradltest01.brad.local\r\n \r\n \r\n nsosversion\r\n 
3.10.0-514.6.1.el7.x86_64\r\n nshardwareplatform\r\n x86_64\r\n \r\n \r\n \r\n * About to connect() to homeipa01.brad.local port 443 (#0) * Trying 11.10.10.17... * Connected to homeipa01.brad.local (11.10.10.17) port 443 (#0) * Initializing NSS with certpath: sql:/etc/pki/nssdb * CAfile: /etc/ipa/ca.crt CApath: none * SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 * Server certificate: * subject: CN=homeipa01.brad.local,O=IPA.BRAD.LOCAL * start date: Mar 25 21:13:09 2017 GMT * expire date: Mar 25 20:55:37 2019 GMT * common name: homeipa01.brad.local * issuer: CN=Certificate Authority,O=IPA.BRAD.LOCAL > POST /ipa/xml HTTP/1.1 Host: homeipa01.brad.local Accept: */* Content-Type: text/xml User-Agent: ipa-join/4.4.0 Referer: https://homeipa01.brad.local/ipa/xml X-Original-User-Agent: Xmlrpc-c/1.32.5 Curl/7.29.0 Content-Length: 482 * upload completely sent off: 482 out of 482 bytes < HTTP/1.1 401 Unauthorized < Date: Tue, 28 Mar 2017 12:57:48 GMT < Server: Apache/2.4.6 (CentOS) mod_auth_gssapi/1.4.0 mod_nss/1.0.14 NSS/3.21 Basic ECC mod_wsgi/3.4 Python/2.7.5 * gss_init_sec_context() failed: : Server krbtgt/BRAD.LOCAL at IPA.BRAD.LOCAL not found in Kerberos database < WWW-Authenticate: Negotiate < X-Frame-Options: DENY < Content-Security-Policy: frame-ancestors 'none' < Last-Modified: Fri, 03 Mar 2017 00:56:04 GMT < Accept-Ranges: bytes < Content-Length: 1474 < Content-Type: text/html; charset=UTF-8 < * Connection #0 to host homeipa01.brad.local left intact HTTP response code is 401, not 200 Installation failed. Rolling back changes. IPA client is not configured on this system.

Kinda at a loss on what to try next and where to look, so any direction would be much appreciated.

Thank you, Bradley Bishop

From freeipa-github-notification at redhat.com Tue Mar 28 13:00:39 2017
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 28 Mar 2017 15:00:39 +0200 Subject: [Freeipa-devel] [freeipa PR#649][comment] Session cookie storage and handling fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/649 Title: #649: Session cookie storage and handling fixes MartinBasti commented: """ Yes please """ See the full comment at https://github.com/freeipa/freeipa/pull/649#issuecomment-289761754 From freeipa-github-notification at redhat.com Tue Mar 28 13:02:50 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Tue, 28 Mar 2017 15:02:50 +0200 Subject: [Freeipa-devel] [freeipa PR#517][+pushed] Use Custodia 0.3.1 features In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/517 Title: #517: Use Custodia 0.3.1 features Label: +pushed From freeipa-github-notification at redhat.com Tue Mar 28 13:03:02 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Tue, 28 Mar 2017 15:03:02 +0200 Subject: [Freeipa-devel] [freeipa PR#517][comment] Use Custodia 0.3.1 features In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/517 Title: #517: Use Custodia 0.3.1 features pvomacka commented: """ ipa-4-5: * 403263df7a3be61086c87c5577698cf32a912065 Use Custodia 0.3.1 features master: * f5bf5466eda0de2a211b4f2682e5c50b82577701 Use Custodia 0.3.1 features """ See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-289762284 From freeipa-github-notification at redhat.com Tue Mar 28 13:03:13 2017 
From: freeipa-github-notification at redhat.com (pvomacka) Date: Tue, 28 Mar 2017 15:03:13 +0200 Subject: [Freeipa-devel] [freeipa PR#517][closed] Use Custodia 0.3.1 features In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/517 Author: tiran Title: #517: Use Custodia 0.3.1 features Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/517/head:pr517 git checkout pr517 From freeipa-github-notification at redhat.com Tue Mar 28 13:12:28 2017 From: freeipa-github-notification at redhat.com (dkupka) Date: Tue, 28 Mar 2017 15:12:28 +0200 Subject: [Freeipa-devel] [freeipa PR#644][comment] extdom: improve certificate request In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/644 Title: #644: extdom: improve certificate request dkupka commented: """ Works for me. """ See the full comment at https://github.com/freeipa/freeipa/pull/644#issuecomment-289764835 From freeipa-github-notification at redhat.com Tue Mar 28 13:12:34 2017 From: freeipa-github-notification at redhat.com (dkupka) Date: Tue, 28 Mar 2017 15:12:34 +0200 Subject: [Freeipa-devel] [freeipa PR#644][+ack] extdom: improve certificate request In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/644 Title: #644: extdom: improve certificate request Label: +ack From freeipa-github-notification at redhat.com Tue Mar 28 13:40:27 2017 
From: freeipa-github-notification at redhat.com (simo5) Date: Tue, 28 Mar 2017 15:40:27 +0200 Subject: [Freeipa-devel] [freeipa PR#664][opened] Backport of client session storage patches Message-ID: URL: https://github.com/freeipa/freeipa/pull/664 Author: simo5 Title: #664: Backport of client session storage patches Action: opened PR body: """ """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/664/head:pr664 git checkout pr664 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-664.patch Type: text/x-diff Size: 22716 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Mar 28 13:40:43 2017 From: freeipa-github-notification at redhat.com (dkupka) Date: Tue, 28 Mar 2017 15:40:43 +0200 Subject: [Freeipa-devel] [freeipa PR#662][comment] spec file: bump krb5-devel BuildRequires for certauth In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/662 Title: #662: spec file: bump krb5-devel BuildRequires for certauth dkupka commented: """ Works for me. """ See the full comment at https://github.com/freeipa/freeipa/pull/662#issuecomment-289772910 From freeipa-github-notification at redhat.com Tue Mar 28 13:40:47 2017 From: freeipa-github-notification at redhat.com (dkupka) Date: Tue, 28 Mar 2017 15:40:47 +0200 Subject: [Freeipa-devel] [freeipa PR#662][+ack] spec file: bump krb5-devel BuildRequires for certauth In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/662 Title: #662: spec file: bump krb5-devel BuildRequires for certauth Label: +ack From freeipa-github-notification at redhat.com Tue Mar 28 14:02:10 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 28 Mar 2017 16:02:10 +0200 Subject: [Freeipa-devel] [freeipa PR#517][comment] Use Custodia 0.3.1 features In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/517 Title: #517: Use Custodia 0.3.1 features tiran commented: """ Custodia 0.3.1 also fixes https://github.com/latchset/custodia/issues/135 (KEM requests with whitespace in key name fail). The bug has been reported by @adelton as https://bugzilla.redhat.com/show_bug.cgi?id=1411810 . """ See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-289779539 From freeipa-github-notification at redhat.com Tue Mar 28 14:04:58 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 28 Mar 2017 16:04:58 +0200 Subject: [Freeipa-devel] [freeipa PR#662][+pushed] spec file: bump krb5-devel BuildRequires for certauth In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/662 Title: #662: spec file: bump krb5-devel BuildRequires for certauth Label: +pushed From freeipa-github-notification at redhat.com Tue Mar 28 14:05:04 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 28 Mar 2017 16:05:04 +0200 Subject: [Freeipa-devel] [freeipa PR#662][comment] spec file: bump krb5-devel BuildRequires for certauth In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/662 Title: #662: spec file: bump krb5-devel BuildRequires for certauth HonzaCholasta commented: """ master: * 2dda1acf44dc96e660e81baadee9c3a54bf05eb0 spec file: bump krb5-devel BuildRequires for certauth ipa-4-5: * 2d246000ef2d715fab464b8ef71fdb3731da127e spec file: bump krb5-devel BuildRequires for certauth """ See the full comment at https://github.com/freeipa/freeipa/pull/662#issuecomment-289780434 From freeipa-github-notification at redhat.com Tue Mar 28 14:05:28 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 28 Mar 2017 16:05:28 +0200 Subject: [Freeipa-devel] [freeipa PR#662][closed] spec file: bump krb5-devel BuildRequires for certauth In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/662 Author: HonzaCholasta Title: #662: spec file: bump krb5-devel BuildRequires for certauth Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/662/head:pr662 git checkout pr662 From freeipa-github-notification at redhat.com Tue Mar 28 14:51:10 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 28 Mar 2017 16:51:10 +0200 Subject: [Freeipa-devel] [freeipa PR#664][comment] Backport of client session storage patches In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/664 Title: #664: Backport of client session storage patches tomaskrizek commented: """ Thanks for the rebase! """ See the full comment at https://github.com/freeipa/freeipa/pull/664#issuecomment-289795319 From freeipa-github-notification at redhat.com Tue Mar 28 14:51:14 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 28 Mar 2017 16:51:14 +0200 Subject: [Freeipa-devel] [freeipa PR#664][+ack] Backport of client session storage patches In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/664 Title: #664: Backport of client session storage patches Label: +ack From freeipa-github-notification at redhat.com Tue Mar 28 14:53:01 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 28 Mar 2017 16:53:01 +0200 Subject: [Freeipa-devel] [freeipa PR#664][+pushed] Backport of client session storage patches In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/664 Title: #664: Backport of client session storage patches Label: +pushed From freeipa-github-notification at redhat.com Tue Mar 28 14:53:06 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 28 Mar 2017 16:53:06 +0200 Subject: [Freeipa-devel] [freeipa PR#664][comment] Backport of client session storage patches In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/664 Title: #664: Backport of client session storage patches tomaskrizek commented: """ ipa-4-5: * f1d731a79c384c7406c52232ff291644137e100b Python 3: Fix session storage * ba828a53a4736ed326d95e30856daba2c060439c Avoid growing FILE ccaches unnecessarily * f41c9f476d678f9ecc4ca3338c7a58de0182f76f Handle failed authentication via cookie * 0912185b18599414e4f9302b1a80c6c7e9876821 Work around issues fetching session data * e94575f3466bbb8d4959ad0a1c436dcf745e3036 Prevent churn on ccaches """ See the full comment at https://github.com/freeipa/freeipa/pull/664#issuecomment-289795974 From freeipa-github-notification at redhat.com Tue Mar 28 14:53:10 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 28 Mar 2017 16:53:10 +0200 Subject: [Freeipa-devel] [freeipa PR#664][closed] Backport of client session storage patches In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/664 Author: simo5 Title: #664: Backport of client session storage patches Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/664/head:pr664 git checkout pr664 From freeipa-github-notification at redhat.com Tue Mar 28 15:04:43 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 28 Mar 2017 17:04:43 +0200 Subject: [Freeipa-devel] [freeipa PR#663][+ack] Generate PIN for PKI to help Dogtag in FIPS In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/663 Title: #663: Generate PIN for PKI to help Dogtag in FIPS Label: +ack From freeipa-github-notification at redhat.com Tue Mar 28 15:07:56 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 28 Mar 2017 17:07:56 +0200 Subject: [Freeipa-devel] [freeipa PR#663][+pushed] Generate PIN for PKI to help Dogtag in FIPS In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/663 Title: #663: Generate PIN for PKI to help Dogtag in FIPS Label: +pushed From freeipa-github-notification at redhat.com Tue Mar 28 15:08:00 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 28 Mar 2017 17:08:00 +0200 Subject: [Freeipa-devel] [freeipa PR#663][comment] Generate PIN for PKI to help Dogtag in FIPS In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/663 Title: #663: Generate PIN for PKI to help Dogtag in FIPS tomaskrizek commented: """ ipa-4-5: * 39eac72faef5f44c9fb2cad943ad58d23fe60cf3 Generate PIN for PKI to help Dogtag in FIPS master: * e204d030fc4154800acb0b2b312188e72dd80f80 Generate PIN for PKI to help Dogtag in FIPS """ See the full comment at https://github.com/freeipa/freeipa/pull/663#issuecomment-289800871 From freeipa-github-notification at redhat.com Tue Mar 28 15:08:05 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 28 Mar 2017 17:08:05 +0200 Subject: [Freeipa-devel] [freeipa PR#663][closed] Generate PIN for PKI to help Dogtag in FIPS In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/663 Author: stlaz Title: #663: Generate PIN for PKI to help Dogtag in FIPS Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/663/head:pr663 git checkout pr663 From freeipa-github-notification at redhat.com Tue Mar 28 15:11:33 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 28 Mar 2017 17:11:33 +0200 Subject: [Freeipa-devel] [freeipa PR#655][+pushed] httpinstance.disable_system_trust: Don't fail if module 'Root Certs' … In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/655 Title: #655: httpinstance.disable_system_trust: Don't fail if module 'Root Certs' … Label: +pushed From freeipa-github-notification at redhat.com Tue Mar 28 15:11:36 2017
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 28 Mar 2017 17:11:36 +0200 Subject: [Freeipa-devel] [freeipa PR#655][comment] httpinstance.disable_system_trust: Don't fail if module 'Root Certs' … In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/655 Title: #655: httpinstance.disable_system_trust: Don't fail if module 'Root Certs' … tomaskrizek commented: """ ipa-4-5: * 2a499551ca5ddf2596cc19a77f47c34e9f5c10c5 httpinstance.disable_system_trust: Don't fail if module 'Root Certs' is not available master: * 0128e805e591bc8ca5cea99739ad4cd7478df0b4 httpinstance.disable_system_trust: Don't fail if module 'Root Certs' is not available """ See the full comment at https://github.com/freeipa/freeipa/pull/655#issuecomment-289802039 From freeipa-github-notification at redhat.com Tue Mar 28 15:11:40 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 28 Mar 2017 17:11:40 +0200 Subject: [Freeipa-devel] [freeipa PR#655][closed] httpinstance.disable_system_trust: Don't fail if module 'Root Certs' … In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/655 Author: dkupka Title: #655: httpinstance.disable_system_trust: Don't fail if module 'Root Certs' … Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/655/head:pr655 git checkout pr655 From freeipa-github-notification at redhat.com Tue Mar 28 15:24:49 2017
From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 28 Mar 2017 17:24:49 +0200 Subject: [Freeipa-devel] [freeipa PR#490][synchronized] certdb: use certutil and match_hostname for cert verification In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/490 Author: HonzaCholasta Title: #490: certdb: use certutil and match_hostname for cert verification Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/490/head:pr490 git checkout pr490 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-490.patch Type: text/x-diff Size: 10823 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Mar 28 15:27:09 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 28 Mar 2017 17:27:09 +0200 Subject: [Freeipa-devel] [freeipa PR#490][comment] certdb: use certutil and match_hostname for cert verification In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/490 Title: #490: certdb: use certutil and match_hostname for cert verification stlaz commented: """ I tried to use the wonderful github tool to resolve conflicts to make this more review-friendly but I guess it kind of missed the magic, it's ready for review anyway, please, finish it. """ See the full comment at https://github.com/freeipa/freeipa/pull/490#issuecomment-289807247 From freeipa-github-notification at redhat.com Tue Mar 28 15:34:59 2017 
From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 28 Mar 2017 17:34:59 +0200 Subject: [Freeipa-devel] [freeipa PR#631][synchronized] Upgrade: configure PKINIT after adding anonymous principal In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/631 Author: martbab Title: #631: Upgrade: configure PKINIT after adding anonymous principal Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/631/head:pr631 git checkout pr631 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-631.patch Type: text/x-diff Size: 4696 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Mar 28 15:39:42 2017 From: freeipa-github-notification at redhat.com (Akasurde) Date: Tue, 28 Mar 2017 17:39:42 +0200 Subject: [Freeipa-devel] [freeipa PR#658][synchronized] Hide PKI Client database password in log file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/658 Author: Akasurde Title: #658: Hide PKI Client database password in log file Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/658/head:pr658 git checkout pr658 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-658.patch Type: text/x-diff Size: 2552 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Mar 28 15:47:31 2017 
From: freeipa-github-notification at redhat.com (fidencio) Date: Tue, 28 Mar 2017 17:47:31 +0200 Subject: [Freeipa-devel] [freeipa PR#665][opened] Allow erasing ipaDomainResolutionOrder attribute Message-ID: URL: https://github.com/freeipa/freeipa/pull/665 Author: fidencio Title: #665: Allow erasing ipaDomainResolutionOrder attribute Action: opened PR body: """ Currently when trying to erase the ipaDomainResolutionOrder attribute we hit an internal error as the split() method is called on a None object. By returning early in case of empty string we now allow removing the ipaDomainResolutionOrder attribute by both doing calling delattr or setting its value to an empty string. https://pagure.io/freeipa/issue/6825 Signed-off-by: Fabiano Fidêncio """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/665/head:pr665 git checkout pr665 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-665.patch Type: text/x-diff Size: 1855 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Mar 28 15:50:55 2017 From: freeipa-github-notification at redhat.com (fidencio) Date: Tue, 28 Mar 2017 17:50:55 +0200 Subject: [Freeipa-devel] [freeipa PR#665][synchronized] Allow erasing ipaDomainResolutionOrder attribute In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/665 Author: fidencio Title: #665: Allow erasing ipaDomainResolutionOrder attribute Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/665/head:pr665 git checkout pr665 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-665.patch Type: text/x-diff Size: 1523 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Mar 28 15:51:32 2017
From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 28 Mar 2017 17:51:32 +0200 Subject: [Freeipa-devel] [freeipa PR#666][opened] Fix anonymous principal handling in replica install Message-ID: URL: https://github.com/freeipa/freeipa/pull/666 Author: martbab Title: #666: Fix anonymous principal handling in replica install Action: opened PR body: """ This PR should unblock replica install against <4.5 masters if `--no-pkinit` option is given. Be aware of the non-working WebUI after install, this will be fixed once local PKINIT will be implemented. Requires https://github.com/freeipa/freeipa/pull/631 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/666/head:pr666 git checkout pr666 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-666.patch Type: text/x-diff Size: 9225 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Mar 28 15:57:34 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 28 Mar 2017 17:57:34 +0200 Subject: [Freeipa-devel] [freeipa PR#665][comment] Allow erasing ipaDomainResolutionOrder attribute In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/665 Title: #665: Allow erasing ipaDomainResolutionOrder attribute MartinBasti commented: """ LGTM """ See the full comment at https://github.com/freeipa/freeipa/pull/665#issuecomment-289817220 From freeipa-github-notification at redhat.com Tue Mar 28 16:16:18 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 28 Mar 2017 18:16:18 +0200 Subject: [Freeipa-devel] [freeipa PR#490][comment] certdb: use certutil and match_hostname for cert verification In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/490 Title: #490: certdb: use certutil and match_hostname for cert verification tiran commented: """ github magic is bad magic :/ It still shows up as 'conflicting' for me. I'll try to find time to review the issue tomorrow, Thursday latest. """ See the full comment at https://github.com/freeipa/freeipa/pull/490#issuecomment-289822893 From freeipa-github-notification at redhat.com Tue Mar 28 16:18:26 2017 From: freeipa-github-notification at redhat.com (frozencemetery) Date: Tue, 28 Mar 2017 18:18:26 +0200 Subject: [Freeipa-devel] [freeipa PR#623][comment] client install: do not assume /etc/krb5.conf.d exists In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/623 Title: #623: client install: do not assume /etc/krb5.conf.d exists frozencemetery commented: """ (Note: a standard directory in distributions that freeipa could use would be provided by the krb5 maintainer, not the freeipa maintainer.) """ See the full comment at https://github.com/freeipa/freeipa/pull/623#issuecomment-289823559 From freeipa-github-notification at redhat.com Tue Mar 28 16:19:18 2017 
From: freeipa-github-notification at redhat.com (sumit-bose) Date: Tue, 28 Mar 2017 18:19:18 +0200 Subject: [Freeipa-devel] [freeipa PR#644][synchronized] extdom: improve certificate request In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/644 Author: sumit-bose Title: #644: extdom: improve certificate request Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/644/head:pr644 git checkout pr644 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-644.patch Type: text/x-diff Size: 10261 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Mar 28 16:22:34 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 28 Mar 2017 18:22:34 +0200 Subject: [Freeipa-devel] [freeipa PR#644][+pushed] extdom: improve certificate request In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/644 Title: #644: extdom: improve certificate request Label: +pushed From freeipa-github-notification at redhat.com Tue Mar 28 16:22:43 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 28 Mar 2017 18:22:43 +0200 Subject: [Freeipa-devel] [freeipa PR#644][comment] extdom: improve certificate request In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/644 Title: #644: extdom: improve certificate request tomaskrizek commented: """ master: * ee455f163d756a6b71db8e999365139cad46c6ad extdom: do reverse search for domain separator * 8960398a57f69c124ec3105289dc355baa0d5b09 extdom: improve cert request ipa-4-5: * 8046f9baab1e93b8b8e11d05088c8cdabdd47281 extdom: do reverse search for domain separator * a510a3d7e9f37e89acee84bed2363cb7f57fe88e extdom: improve cert request """ See the full comment at https://github.com/freeipa/freeipa/pull/644#issuecomment-289824801 From freeipa-github-notification at redhat.com Tue Mar 28 16:22:45 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 28 Mar 2017 18:22:45 +0200 Subject: [Freeipa-devel] [freeipa PR#644][closed] extdom: improve certificate request In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/644 Author: sumit-bose Title: #644: extdom: improve certificate request Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/644/head:pr644 git checkout pr644 From freeipa-github-notification at redhat.com Tue Mar 28 16:40:19 2017 
From: freeipa-github-notification at redhat.com (flo-renaud) Date: Tue, 28 Mar 2017 18:40:19 +0200 Subject: [Freeipa-devel] [freeipa PR#667][opened] idrange-mod: properly handle empty --dom-name option Message-ID: URL: https://github.com/freeipa/freeipa/pull/667 Author: flo-renaud Title: #667: idrange-mod: properly handle empty --dom-name option Action: opened PR body: """ When idrange-mod is called with --dom-name=, the CLI exits with ipa: ERROR: an internal error has occurred This happens because the code checks if the option is provided but does not check if the value is None. We need to handle empty dom-name as if the option was not specified. https://pagure.io/freeipa/issue/6404 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/667/head:pr667 git checkout pr667 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-667.patch Type: text/x-diff Size: 1295 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Mar 28 18:25:28 2017 From: freeipa-github-notification at redhat.com (fidencio) Date: Tue, 28 Mar 2017 20:25:28 +0200 Subject: [Freeipa-devel] [freeipa PR#665][synchronized] Allow erasing ipaDomainResolutionOrder attribute In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/665 Author: fidencio Title: #665: Allow erasing ipaDomainResolutionOrder attribute Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/665/head:pr665 git checkout pr665 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-665.patch Type: text/x-diff Size: 1517 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Mar 28 18:26:07 2017 
From: freeipa-github-notification at redhat.com (fidencio) Date: Tue, 28 Mar 2017 20:26:07 +0200 Subject: [Freeipa-devel] [freeipa PR#665][comment] Allow erasing ipaDomainResolutionOrder attribute In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/665 Title: #665: Allow erasing ipaDomainResolutionOrder attribute fidencio commented: """ I have updated the commit message as I found a typo there: "both doing calling delattr or" -> "both calling delattr or" """ See the full comment at https://github.com/freeipa/freeipa/pull/665#issuecomment-289861109 From freeipa-github-notification at redhat.com Tue Mar 28 20:14:50 2017 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Tue, 28 Mar 2017 22:14:50 +0200 Subject: [Freeipa-devel] [freeipa PR#632][synchronized] ipa-sam: create the gidNumber attribute in the trusted domain entry In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/632 Author: flo-renaud Title: #632: ipa-sam: create the gidNumber attribute in the trusted domain entry Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/632/head:pr632 git checkout pr632 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-632.patch Type: text/x-diff Size: 3279 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Mar 28 20:15:34 2017 
From: freeipa-github-notification at redhat.com (flo-renaud) Date: Tue, 28 Mar 2017 22:15:34 +0200 Subject: [Freeipa-devel] [freeipa PR#632][edited] ipa-sam: create the gidNumber attribute in the trusted domain entry In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/632 Author: flo-renaud Title: #632: ipa-sam: create the gidNumber attribute in the trusted domain entry Action: edited Changed field: body Original value: """ When a trusted domain entry is created, the uidNumber attribute is created but not the gidNumber attribute. This causes samba to log Failed to find a Unix account for DOM-AD$ because the samu structure does not contain a group_sid and is not put in the cache. The fix creates the gidNumber attribute in the trusted domain entry, and initialises the group_sid field in the samu structure returned by ldapsam_getsampwnam. This ensures that the entry is put in the cache. Note that this is only a partial fix for 6660 as it does not prevent _netr_ServerAuthenticate3 from failing with the log _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client VM-AD machine account dom-ad.example.com. https://pagure.io/freeipa/issue/6660 """ From freeipa-github-notification at redhat.com Tue Mar 28 20:16:43 2017 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Tue, 28 Mar 2017 22:16:43 +0200 Subject: [Freeipa-devel] [freeipa PR#632][comment] ipa-sam: create the gidNumber attribute in the trusted domain entry In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/632 Title: #632: ipa-sam: create the gidNumber attribute in the trusted domain entry flo-renaud commented: """ I updated the commit message with a different issue number, related to the "Failed to find a unix account" message. """ See the full comment at https://github.com/freeipa/freeipa/pull/632#issuecomment-289891045 From freeipa-github-notification at redhat.com Wed Mar 29 03:54:42 2017 
From: freeipa-github-notification at redhat.com (redhatrises) Date: Wed, 29 Mar 2017 05:54:42 +0200 Subject: [Freeipa-devel] [freeipa PR#621][synchronized] Add --force-password-reset to user_mod in user.py In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/621 Author: redhatrises Title: #621: Add --force-password-reset to user_mod in user.py Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/621/head:pr621 git checkout pr621 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-621.patch Type: text/x-diff Size: 11614 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 29 06:04:12 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 29 Mar 2017 08:04:12 +0200 Subject: [Freeipa-devel] [freeipa PR#490][synchronized] certdb: use certutil and match_hostname for cert verification In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/490 Author: HonzaCholasta Title: #490: certdb: use certutil and match_hostname for cert verification Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/490/head:pr490 git checkout pr490 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-490.patch Type: text/x-diff Size: 10779 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 29 07:19:02 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 29 Mar 2017 09:19:02 +0200 Subject: [Freeipa-devel] [freeipa PR#640][synchronized] Remove pkinit options from master/replica on DL0 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/640 Author: stlaz Title: #640: Remove pkinit options from master/replica on DL0 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/640/head:pr640 git checkout pr640 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-640.patch Type: text/x-diff Size: 9298 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 29 07:22:17 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 29 Mar 2017 09:22:17 +0200 Subject: [Freeipa-devel] [freeipa PR#640][comment] Remove pkinit options from master/replica on DL0 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/640 Title: #640: Remove pkinit options from master/replica on DL0 stlaz commented: """ @MartinBasti Even though this commit basically breaks the behavior, it's not in its scope to fix it, it's somehow intended to break it, actually. It will be fixed elsewhere. I fixed the issue with running this on replica and removed one redundant check as well. I also noticed that DL0 replica has a usability issue where it checks for either `*-cert-file` option and requires them all, once it has it, it will say that these options can't be used with replica file. I will not fix that here, though. """ See the full comment at https://github.com/freeipa/freeipa/pull/640#issuecomment-290005415 From freeipa-github-notification at redhat.com Wed Mar 29 07:22:57 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 29 Mar 2017 09:24:39 +0200 Subject: [Freeipa-devel] [freeipa PR#668][opened] spec file: bump libsss_nss_idmap-devel BuildRequires Message-ID: URL: https://github.com/freeipa/freeipa/pull/668 Author: HonzaCholasta Title: #668: spec file: bump libsss_nss_idmap-devel BuildRequires Action: opened PR body: """ Bump BuildRequires on libsss_nss_idmap-devel to the version which introduces the sss_nss_getlistbycert function. This fixes RPM build failure when an older version of libsss_nss_idmap-devel was installed. https://pagure.io/freeipa/issue/6826 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/668/head:pr668 git checkout pr668 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-668.patch Type: text/x-diff Size: 1165 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 29 07:32:09 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 29 Mar 2017 09:32:09 +0200 Subject: [Freeipa-devel] [freeipa PR#668][comment] spec file: bump libsss_nss_idmap-devel BuildRequires In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/668 Title: #668: spec file: bump libsss_nss_idmap-devel BuildRequires tomaskrizek commented: """ Do we also need to bump the version in `PKG_CHECK_MODULES` in `server.m4:31`? ``` PKG_CHECK_MODULES([SSSNSSIDMAP], [sss_nss_idmap >= 1.15.2]) ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/668#issuecomment-290007481 From freeipa-github-notification at redhat.com Wed Mar 29 07:42:13 2017 
From: freeipa-github-notification at redhat.com (abbra) Date: Wed, 29 Mar 2017 09:42:13 +0200 Subject: [Freeipa-devel] [freeipa PR#668][comment] spec file: bump libsss_nss_idmap-devel BuildRequires In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/668 Title: #668: spec file: bump libsss_nss_idmap-devel BuildRequires abbra commented: """ No, It will make downstream harder because RHEL downstream will only have 1.15.2 with patches on top of that version. I have a pull request coming that actually checks for a specific function we know is part of those SSSD patches. """ See the full comment at https://github.com/freeipa/freeipa/pull/668#issuecomment-290009593 From freeipa-github-notification at redhat.com Wed Mar 29 07:44:18 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 29 Mar 2017 09:44:18 +0200 Subject: [Freeipa-devel] [freeipa PR#593][synchronized] Add make patchcheck for developers In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/593 Author: tiran Title: #593: Add make patchcheck for developers Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/593/head:pr593 git checkout pr593 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-593.patch Type: text/x-diff Size: 5909 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 29 07:44:44 2017 
From: freeipa-github-notification at redhat.com (abbra) Date: Wed, 29 Mar 2017 09:44:44 +0200 Subject: [Freeipa-devel] [freeipa PR#669][opened] server: make sure we test for sss_nss_getlistbycert Message-ID: URL: https://github.com/freeipa/freeipa/pull/669 Author: abbra Title: #669: server: make sure we test for sss_nss_getlistbycert Action: opened PR body: """ Fixes https://pagure.io/freeipa/issue/6828 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/669/head:pr669 git checkout pr669 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-669.patch Type: text/x-diff Size: 961 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 29 07:45:04 2017 From: freeipa-github-notification at redhat.com (abbra) Date: Wed, 29 Mar 2017 09:45:04 +0200 Subject: [Freeipa-devel] [freeipa PR#668][comment] spec file: bump libsss_nss_idmap-devel BuildRequires In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/668 Title: #668: spec file: bump libsss_nss_idmap-devel BuildRequires abbra commented: """ I submitted https://github.com/freeipa/freeipa/pull/669 for that """ See the full comment at https://github.com/freeipa/freeipa/pull/668#issuecomment-290010251 From freeipa-github-notification at redhat.com Wed Mar 29 07:46:08 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 29 Mar 2017 09:46:08 +0200 Subject: [Freeipa-devel] [freeipa PR#670][opened] [Py3] session storage parameters must be bytes Message-ID: URL: https://github.com/freeipa/freeipa/pull/670 Author: tiran Title: #670: [Py3] session storage parameters must be bytes Action: opened PR body: """ Fixes TypeError: bytes or integer address expected instead of str instance 
Signed-off-by: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/670/head:pr670 git checkout pr670 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-670.patch Type: text/x-diff Size: 968 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 29 07:50:50 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 29 Mar 2017 09:50:50 +0200 Subject: [Freeipa-devel] [freeipa PR#669][comment] server: make sure we test for sss_nss_getlistbycert In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/669 Title: #669: server: make sure we test for sss_nss_getlistbycert tiran commented: """ AC_CHECK_LIB only checks for functions in libs. Compilation may still fail if header files and library are not in sync. IMHO we don't have to care about this broken case. LGTM """ See the full comment at https://github.com/freeipa/freeipa/pull/669#issuecomment-290011518 From freeipa-github-notification at redhat.com Wed Mar 29 07:52:56 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 29 Mar 2017 09:52:56 +0200 Subject: [Freeipa-devel] [freeipa PR#668][comment] spec file: bump libsss_nss_idmap-devel BuildRequires In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/668 Title: #668: spec file: bump libsss_nss_idmap-devel BuildRequires tomaskrizek commented: """ We still want to merge this PR to take care of the upstream BuildRequires though, right? """ See the full comment at https://github.com/freeipa/freeipa/pull/668#issuecomment-290012044 From freeipa-github-notification at redhat.com Wed Mar 29 07:56:15 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 29 Mar 2017 09:56:15 +0200 Subject: [Freeipa-devel] [freeipa PR#640][synchronized] Remove pkinit options from master/replica on DL0 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/640 Author: stlaz Title: #640: Remove pkinit options from master/replica on DL0 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/640/head:pr640 git checkout pr640 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-640.patch Type: text/x-diff Size: 9960 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 29 07:56:50 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 29 Mar 2017 09:56:50 +0200 Subject: [Freeipa-devel] [freeipa PR#640][comment] Remove pkinit options from master/replica on DL0 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/640 Title: #640: Remove pkinit options from master/replica on DL0 stlaz commented: """ Pushed a cleaner version of the previous changes, thanks @HonzaCholasta for the suggestion. """ See the full comment at https://github.com/freeipa/freeipa/pull/640#issuecomment-290012934 From freeipa-github-notification at redhat.com Wed Mar 29 07:57:15 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 29 Mar 2017 09:57:15 +0200 Subject: [Freeipa-devel] [freeipa PR#593][synchronized] Add make patchcheck for developers In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/593 Author: tiran Title: #593: Add make patchcheck for developers Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/593/head:pr593 git checkout pr593 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-593.patch Type: text/x-diff Size: 6886 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 29 08:01:58 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 29 Mar 2017 10:01:58 +0200 Subject: [Freeipa-devel] [freeipa PR#658][comment] Hide PKI Client database password in log file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/658 Title: #658: Hide PKI Client database password in log file stlaz commented: """ Works well, thanks! """ See the full comment at https://github.com/freeipa/freeipa/pull/658#issuecomment-290014081 From freeipa-github-notification at redhat.com Wed Mar 29 08:02:01 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 29 Mar 2017 10:02:01 +0200 Subject: [Freeipa-devel] [freeipa PR#658][+ack] Hide PKI Client database password in log file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/658 Title: #658: Hide PKI Client database password in log file Label: +ack From freeipa-github-notification at redhat.com Wed Mar 29 08:07:31 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 29 Mar 2017 10:07:31 +0200 Subject: [Freeipa-devel] [freeipa PR#668][comment] spec file: bump libsss_nss_idmap-devel BuildRequires In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/668 Title: #668: spec file: bump libsss_nss_idmap-devel BuildRequires HonzaCholasta commented: """ Right. """ See the full comment at https://github.com/freeipa/freeipa/pull/668#issuecomment-290015269 From freeipa-github-notification at redhat.com Wed Mar 29 08:11:15 2017 From: freeipa-github-notification at redhat.com (abbra) Date: Wed, 29 Mar 2017 10:11:15 +0200 Subject: [Freeipa-devel] [freeipa PR#669][comment] server: make sure we test for sss_nss_getlistbycert In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/669 Title: #669: server: make sure we test for sss_nss_getlistbycert abbra commented: """ On the systems where pkg-config is available, positive result from pkg-config check means headers are available because pkg-config files are part of development sub-packages. Symbol check in a library is enough then. """ See the full comment at https://github.com/freeipa/freeipa/pull/669#issuecomment-290016098 From freeipa-github-notification at redhat.com Wed Mar 29 08:26:01 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 29 Mar 2017 10:26:01 +0200 Subject: [Freeipa-devel] [freeipa PR#668][+ack] spec file: bump libsss_nss_idmap-devel BuildRequires In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/668 Title: #668: spec file: bump libsss_nss_idmap-devel BuildRequires Label: +ack From freeipa-github-notification at redhat.com Wed Mar 29 08:26:14 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 29 Mar 2017 10:26:14 +0200 Subject: [Freeipa-devel] [freeipa PR#669][comment] server: make sure we test for sss_nss_getlistbycert In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/669 Title: #669: server: make sure we test for sss_nss_getlistbycert tomaskrizek commented: """ Works as expected. """ See the full comment at https://github.com/freeipa/freeipa/pull/669#issuecomment-290019629 From freeipa-github-notification at redhat.com Wed Mar 29 08:26:19 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 29 Mar 2017 10:26:19 +0200 Subject: [Freeipa-devel] [freeipa PR#669][+ack] server: make sure we test for sss_nss_getlistbycert In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/669 Title: #669: server: make sure we test for sss_nss_getlistbycert Label: +ack From freeipa-github-notification at redhat.com Wed Mar 29 08:30:18 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 29 Mar 2017 10:30:18 +0200 Subject: [Freeipa-devel] [freeipa PR#668][synchronized] spec file: bump libsss_nss_idmap-devel BuildRequires In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/668 Author: HonzaCholasta Title: #668: spec file: bump libsss_nss_idmap-devel BuildRequires Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/668/head:pr668 git checkout pr668 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-668.patch Type: text/x-diff Size: 1165 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 29 08:30:30 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 29 Mar 2017 10:30:30 +0200 Subject: [Freeipa-devel] [freeipa PR#668][comment] spec file: bump libsss_nss_idmap-devel BuildRequires In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/668 Title: #668: spec file: bump libsss_nss_idmap-devel BuildRequires HonzaCholasta commented: """ Changed ticket link to https://pagure.io/freeipa/issue/6828. """ See the full comment at https://github.com/freeipa/freeipa/pull/668#issuecomment-290020664 From freeipa-github-notification at redhat.com Wed Mar 29 08:34:20 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 29 Mar 2017 10:34:20 +0200 Subject: [Freeipa-devel] [freeipa PR#668][+pushed] spec file: bump libsss_nss_idmap-devel BuildRequires In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/668 Title: #668: spec file: bump libsss_nss_idmap-devel BuildRequires Label: +pushed From freeipa-github-notification at redhat.com Wed Mar 29 08:34:28 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 29 Mar 2017 10:34:28 +0200 Subject: [Freeipa-devel] [freeipa PR#668][comment] spec file: bump libsss_nss_idmap-devel BuildRequires In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/668 Title: #668: spec file: bump libsss_nss_idmap-devel BuildRequires tomaskrizek commented: """ master: * b18ee8b9dd3b1d0cfdc45373a7a56747e1f993a3 spec file: bump libsss_nss_idmap-devel BuildRequires ipa-4-5: * 127f7ce699677d8c689099eac350a54293a5009d spec file: bump libsss_nss_idmap-devel BuildRequires """ See the full comment at https://github.com/freeipa/freeipa/pull/668#issuecomment-290021579 From freeipa-github-notification at redhat.com Wed Mar 29 08:34:34 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 29 Mar 2017 10:34:34 +0200 Subject: [Freeipa-devel] [freeipa PR#668][closed] spec file: bump libsss_nss_idmap-devel BuildRequires In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/668 Author: HonzaCholasta Title: #668: spec file: bump libsss_nss_idmap-devel BuildRequires Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/668/head:pr668 git checkout pr668 From freeipa-github-notification at redhat.com Wed Mar 29 08:35:51 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 29 Mar 2017 10:35:51 +0200 Subject: [Freeipa-devel] [freeipa PR#669][+pushed] server: make sure we test for sss_nss_getlistbycert In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/669 Title: #669: server: make sure we test for sss_nss_getlistbycert Label: +pushed From freeipa-github-notification at redhat.com Wed Mar 29 08:35:54 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 29 Mar 2017 10:35:54 +0200 Subject: [Freeipa-devel] [freeipa PR#669][comment] server: make sure we test for sss_nss_getlistbycert In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/669 Title: #669: server: make sure we test for sss_nss_getlistbycert tomaskrizek commented: """ master: * 67e5244cad72bef76de1c4df47a0c77a672fa861 server: make sure we test for sss_nss_getlistbycert ipa-4-5: * 8be6987da72dff0ebd4e02c946b45b5b1705d880 server: make sure we test for sss_nss_getlistbycert """ See the full comment at https://github.com/freeipa/freeipa/pull/669#issuecomment-290022005 From freeipa-github-notification at redhat.com Wed Mar 29 08:35:57 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 29 Mar 2017 10:35:57 +0200 Subject: [Freeipa-devel] [freeipa PR#669][closed] server: make sure we test for sss_nss_getlistbycert In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/669 Author: abbra Title: #669: server: make sure we test for sss_nss_getlistbycert Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/669/head:pr669 git checkout pr669 From bind-dyndb-ldap-github-notification at redhat.com Wed Mar 29 08:50:02 2017 From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Wed, 29 Mar 2017 10:50:02 +0200 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#11][opened] Coverity: fix REVERSE_INULL for pevent->inst Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/11 Author: tomaskrizek Title: #11: Coverity: fix REVERSE_INULL for pevent->inst Action: opened PR body: """ With the DynDB API changes, the ldap instance is acquired differently. Previously, obtaining the instance could fail when LDAP was disconnecting, thus the NULL check was necessary in the cleanup part. Now, inst is obtained directly from the API. I'm not sure what is the exact behaviour in edge cases such as LDAP disconnecting, so I perform the NULL check a bit earlier, just to be safe. """ To pull the PR as Git branch: git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap git fetch ghbind-dyndb-ldap pull/11/head:pr11 git checkout pr11 -------------- next part -------------- A non-text attachment was scrubbed... Name: bind-dyndb-ldap-pr-11.patch Type: text/x-diff Size: 3794 bytes Desc: not available URL: From bind-dyndb-ldap-github-notification at redhat.com Wed Mar 29 08:54:02 2017 
From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek)
Date: Wed, 29 Mar 2017 10:54:02 +0200
Subject: [Freeipa-devel] [bind-dyndb-ldap PR#11][comment] Coverity: fix REVERSE_INULL for pevent->inst
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/bind-dyndb-ldap/pull/11
Title: #11: Coverity: fix REVERSE_INULL for pevent->inst

tomaskrizek commented:
"""
@pemensik Hi, could you take a quick look at this change? I ran coverity and the issues were fixed. It might also be possible to remove the REQUIRE, but since I'm not sure whether `inst` is always non null in the new dyndb workflow, I added the check just to be sure.
"""

See the full comment at https://github.com/freeipa/bind-dyndb-ldap/pull/11#issuecomment-290026409

From freeipa-github-notification at redhat.com Wed Mar 29 09:24:50 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 29 Mar 2017 11:24:50 +0200
Subject: [Freeipa-devel] [freeipa PR#593][edited] Add make patchcheck for developers
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/593
Author: tiran
Title: #593: Add make patchcheck for developers
Action: edited

Changed field: body
Original value:
"""
Ticket 6604 makes pylint and jsl optional dependencies. The change is controversial, because some developers prefer that pylint and jsl should be required unless explicitly disabled.

`make patchcheck` is my answer to address the concerns. It's a superior solution to `make lint` as pre-commit check. It combines several additional checks under a single, easy rememberable and convenient make target:

* build all
* acilint, apiclient, jslint, polint
* make check
* pylint under Python 2 and 3
* subset of unit test suite

https://fedorahosted.org/freeipa/ticket/6604
"""

From freeipa-github-notification at redhat.com Wed Mar 29 09:24:54 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 29 Mar 2017 11:24:54 +0200
Subject: [Freeipa-devel] [freeipa PR#593][comment] Add make patchcheck for developers
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/593
Title: #593: Add make patchcheck for developers

tiran commented:
"""
Depends on PRs #475, #587, #594
"""

See the full comment at https://github.com/freeipa/freeipa/pull/593#issuecomment-286665946

From freeipa-github-notification at redhat.com Wed Mar 29 09:26:30 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 29 Mar 2017 11:26:30 +0200
Subject: [Freeipa-devel] [freeipa PR#593][comment] Add make patchcheck for developers
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/593
Title: #593: Add make patchcheck for developers

tiran commented:
"""
All dependencies have been merged. PR is ready for review.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/593#issuecomment-287372325

From freeipa-github-notification at redhat.com Wed Mar 29 09:31:25 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 29 Mar 2017 11:31:25 +0200
Subject: [Freeipa-devel] [freeipa PR#671][opened] [WIP] Slim down dependencies
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/671
Author: tiran
Title: #671: [WIP] Slim down dependencies
Action: opened

PR body:
"""
* Remove unused install requires
* Correct dependencies for yubico otptoken
* Properly report optional dependency for yubico otptoken
* Make jinja2 an optional dependency and csrgen an optional plugin

Signed-off-by: Christian Heimes
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/671/head:pr671
git checkout pr671
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-671.patch
Type: text/x-diff
Size: 3257 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Mar 29 10:36:10 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 29 Mar 2017 12:36:10 +0200
Subject: [Freeipa-devel] [freeipa PR#625][comment] [RFC] remote plugins: add option to force compat plugins
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/625
Title: #625: [RFC] remote plugins: add option to force compat plugins

tiran commented:
"""
I don't understand the implications of this change and the new flag:

* What are the benefits and drawbacks of ```force_client_compat=False```?
* What are the benefits and drawbacks of ```force_client_compat=True```?
* Why does FreeIPA have schema download and compat plugins at all?
* Why is this feature implemented as *either/or* option instead of *optimistic try/fallback*?

New feature is missing unit and integration tests.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/625#issuecomment-290051095

From bind-dyndb-ldap-github-notification at redhat.com Wed Mar 29 10:36:45 2017
From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Wed, 29 Mar 2017 12:36:45 +0200 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#12][opened] README.md: fix markdown formatting Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/12 Author: tomaskrizek Title: #12: README.md: fix markdown formatting Action: opened PR body: """ Fix some markdown formatting errors to properly render it on pagure. """ To pull the PR as Git branch: git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap git fetch ghbind-dyndb-ldap pull/12/head:pr12 git checkout pr12 -------------- next part -------------- A non-text attachment was scrubbed... Name: bind-dyndb-ldap-pr-12.patch Type: text/x-diff Size: 42082 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 29 10:40:50 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 29 Mar 2017 12:40:50 +0200 Subject: [Freeipa-devel] [freeipa PR#640][comment] Remove pkinit options from master/replica on DL0 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/640 Title: #640: Remove pkinit options from master/replica on DL0 martbab commented: """ @MartinBasti WebUI not working in DL0/--no-pkinit is beyond the scope of this PR. I am working on fixing that in a separate PR. """ See the full comment at https://github.com/freeipa/freeipa/pull/640#issuecomment-290052050 From bind-dyndb-ldap-github-notification at redhat.com Wed Mar 29 10:45:20 2017 
From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Wed, 29 Mar 2017 12:45:20 +0200 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#12][synchronized] README.md: fix markdown formatting In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/12 Author: tomaskrizek Title: #12: README.md: fix markdown formatting Action: synchronized To pull the PR as Git branch: git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap git fetch ghbind-dyndb-ldap pull/12/head:pr12 git checkout pr12 -------------- next part -------------- A non-text attachment was scrubbed... Name: bind-dyndb-ldap-pr-12.patch Type: text/x-diff Size: 7592 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 29 11:51:02 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Wed, 29 Mar 2017 13:51:02 +0200
Subject: [Freeipa-devel] [freeipa PR#625][comment] [RFC] remote plugins: add option to force compat plugins
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/625
Title: #625: [RFC] remote plugins: add option to force compat plugins

HonzaCholasta commented:
"""
* With `force_client_compat=False`, the benefit is the client API matches the remote server API, the drawback is `api.finalize()` does RPC calls and touches schema cache (i.e. the current behavior).
* With `force_client_compat=True`, the benefit is `api.finalize()` does no RPC calls nor does it touch schema cache, the drawback is that the client API is stuck at API version 2.164 (IPA 4.3.3).
* Schema download exists to support newer server versions without having to update the client. Compat plugins exist to support older server versions which do not have schema support. (See http://www.freeipa.org/page/V4/API_Compatiblity.)
* *Optimistic try/fallback* is the current behavior which requires RPC calls in `api.finalize()` to detect the server's capabilities in order to reconstruct its API locally. With this PR it's possible to skip this step and fall back to the behavior of IPA 4.3.3.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/625#issuecomment-290066211

From freeipa-github-notification at redhat.com Wed Mar 29 13:12:17 2017
From: freeipa-github-notification at redhat.com (redhatrises) Date: Wed, 29 Mar 2017 15:12:17 +0200 Subject: [Freeipa-devel] [freeipa PR#621][synchronized] Add --force-password-reset to user_mod in user.py In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/621 Author: redhatrises Title: #621: Add --force-password-reset to user_mod in user.py Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/621/head:pr621 git checkout pr621 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-621.patch Type: text/x-diff Size: 11410 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 29 13:15:28 2017 From: freeipa-github-notification at redhat.com (redhatrises) Date: Wed, 29 Mar 2017 15:15:28 +0200 Subject: [Freeipa-devel] [freeipa PR#621][edited] Add --password-expiration to allow an admin to force a password change In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/621 Author: redhatrises Title: #621: Add --password-expiration to allow an admin to force a password change Action: edited Changed field: title Original value: """ Add --force-password-reset to user_mod in user.py """ From freeipa-github-notification at redhat.com Wed Mar 29 13:17:46 2017 
From: freeipa-github-notification at redhat.com (abbra) Date: Wed, 29 Mar 2017 15:17:46 +0200 Subject: [Freeipa-devel] [freeipa PR#629][synchronized] adtrust: make sure that runtime hostname result is consistent with the configuration In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/629 Author: abbra Title: #629: adtrust: make sure that runtime hostname result is consistent with the configuration Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/629/head:pr629 git checkout pr629 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-629.patch Type: text/x-diff Size: 2905 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 29 13:18:30 2017 From: freeipa-github-notification at redhat.com (abbra) Date: Wed, 29 Mar 2017 15:18:30 +0200 Subject: [Freeipa-devel] [freeipa PR#629][comment] adtrust: make sure that runtime hostname result is consistent with the configuration In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/629 Title: #629: adtrust: make sure that runtime hostname result is consistent with the configuration abbra commented: """ Removed backslashes and also moved the check to be the first step when creating an instance. """ See the full comment at https://github.com/freeipa/freeipa/pull/629#issuecomment-290086797 From freeipa-github-notification at redhat.com Wed Mar 29 13:19:01 2017 
From: freeipa-github-notification at redhat.com (redhatrises) Date: Wed, 29 Mar 2017 15:19:01 +0200 Subject: [Freeipa-devel] [freeipa PR#621][comment] Add --password-expiration to allow an admin to force a password change In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/621 Title: #621: Add --password-expiration to allow an admin to force a password change redhatrises commented: """ @HonzaCholasta used `datetime.utcnow()` as I couldn't find a reference for `datetime.utctime()` """ See the full comment at https://github.com/freeipa/freeipa/pull/621#issuecomment-290086917 From freeipa-github-notification at redhat.com Wed Mar 29 13:22:33 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 29 Mar 2017 15:22:33 +0200 Subject: [Freeipa-devel] [freeipa PR#621][comment] Add --password-expiration to allow an admin to force a password change In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/621 Title: #621: Add --password-expiration to allow an admin to force a password change HonzaCholasta commented: """ @redhatrises, `datetime.utcnow()` is what I meant. """ See the full comment at https://github.com/freeipa/freeipa/pull/621#issuecomment-290087879 From freeipa-github-notification at redhat.com Wed Mar 29 13:24:30 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 29 Mar 2017 15:24:30 +0200 Subject: [Freeipa-devel] [freeipa PR#666][comment] Fix anonymous principal handling in replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/666 Title: #666: Fix anonymous principal handling in replica install stlaz commented: """ I actually did the review of https://github.com/freeipa/freeipa/pull/631 alongside this. I do not think the order of adding the anonymous principal and setting up PKINIT matters that much. From what I saw in Kerberos guides, it's usually actually done after PKINIT setup since until then, the anonymous principal is pretty much unusable. The problem was rather the testing of anonymous pkinit before the anonymous principal was added, that is just plainly weird and I'm glad that that's now fixed. ACK since this fixes the issues mentioned in comments. """ See the full comment at https://github.com/freeipa/freeipa/pull/666#issuecomment-290088490 From freeipa-github-notification at redhat.com Wed Mar 29 13:25:29 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 29 Mar 2017 15:25:29 +0200 Subject: [Freeipa-devel] [freeipa PR#666][+ack] Fix anonymous principal handling in replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/666 Title: #666: Fix anonymous principal handling in replica install Label: +ack From freeipa-github-notification at redhat.com Wed Mar 29 13:25:44 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 29 Mar 2017 15:25:44 +0200 Subject: [Freeipa-devel] [freeipa PR#631][+ack] Upgrade: configure PKINIT after adding anonymous principal In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/631 Title: #631: Upgrade: configure PKINIT after adding anonymous principal Label: +ack From bishopbm1 at gmail.com Wed Mar 29 13:26:54 2017 
From: bishopbm1 at gmail.com (Bradley Bishop)
Date: Wed, 29 Mar 2017 09:26:54 -0400
Subject: [Freeipa-devel] Issue connecting through Clients
Message-ID:

Hello all,

I have an IPA setup with AD and DNS resides on AD and am having issues authenticating with my clients.

Getting the Following error on my Clients:

(Wed Mar 29 09:22:33 2017) [sssd[be[ipa.brad.local]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: host/bradltest3.brad.local
(Wed Mar 29 09:22:33 2017) [sssd[be[ipa.brad.local]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
(Wed Mar 29 09:22:33 2017) [sssd[be[ipa.brad.local]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server krbtgt/BRAD.LOCAL at IPA.BRAD.LOCAL not found in Kerberos database)]

I don't think it is DNS because I can resolve both the IPA server and the client

[root at bradltest3 ~]# host homeipa01.brad.local
homeipa01.brad.local has address 11.10.10.17
[root at bradltest3 ~]# host 11.10.10.17
17.10.10.11.in-addr.arpa domain name pointer ipa-ca.ipa.brad.local.
17.10.10.11.in-addr.arpa domain name pointer homeipa01.brad.local.
17.10.10.11.in-addr.arpa domain name pointer homeipa01.ipa.brad.local.
[root at bradltest3 ~]# host bradltest3.brad.local
bradltest3.brad.local has address 11.10.10.24
[root at bradltest3 ~]# host 11.10.10.24
24.10.10.11.in-addr.arpa domain name pointer bradltest3.brad.local.

I am at a loss on where to look next and any help or direction would be much appreciated.

Thank you all in advance,
Bradley Bishop
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From freeipa-github-notification at redhat.com Wed Mar 29 13:28:07 2017
From: freeipa-github-notification at redhat.com (redhatrises) Date: Wed, 29 Mar 2017 15:28:07 +0200 Subject: [Freeipa-devel] [freeipa PR#621][comment] Add --password-expiration to allow an admin to force a password change In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/621 Title: #621: Add --password-expiration to allow an admin to force a password change redhatrises commented: """ > @redhatrises, datetime.utcnow() is what I meant. Oh good. Ready for your review. """ See the full comment at https://github.com/freeipa/freeipa/pull/621#issuecomment-290089437 From freeipa-github-notification at redhat.com Wed Mar 29 13:59:27 2017 From: freeipa-github-notification at redhat.com (abbra) Date: Wed, 29 Mar 2017 15:59:27 +0200 Subject: [Freeipa-devel] [freeipa PR#629][synchronized] adtrust: make sure that runtime hostname result is consistent with the configuration In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/629 Author: abbra Title: #629: adtrust: make sure that runtime hostname result is consistent with the configuration Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/629/head:pr629 git checkout pr629 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-629.patch Type: text/x-diff Size: 2996 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 29 14:34:00 2017 
From: freeipa-github-notification at redhat.com (sumit-bose) Date: Wed, 29 Mar 2017 16:34:00 +0200 Subject: [Freeipa-devel] [freeipa PR#672][opened] IPA-KDB: use relative path in ipa-certmap config snippet Message-ID: URL: https://github.com/freeipa/freeipa/pull/672 Author: sumit-bose Title: #672: IPA-KDB: use relative path in ipa-certmap config snippet Action: opened PR body: """ Architecture specific paths should be avoided in the global Kerberos configuration because it is read e.g. by 32bit and 64bit libraries they are installed in parallel. Resolves https://pagure.io/freeipa/issue/6833 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/672/head:pr672 git checkout pr672 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-672.patch Type: text/x-diff Size: 2104 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 29 14:48:54 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Wed, 29 Mar 2017 16:48:54 +0200
Subject: [Freeipa-devel] [freeipa PR#621][comment] Add --password-expiration to allow an admin to force a password change
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/621
Title: #621: Add --password-expiration to allow an admin to force a password change

HonzaCholasta commented:
"""
The `admin` user is not allowed to write to the attribute:
```
$ kinit admin
Password for admin at ABC.IDM.LAB.ENG.BRQ.REDHAT.COM:
$ ipa user-mod jcholast --password-expiration=now
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'krbPasswordExpiration' attribute of entry 'uid=jcholast,cn=users,cn=accounts,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'.
```
Please update the "Admin can manage any entry" ACI in `install/updates/20-aci.update`.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/621#issuecomment-290114123

From freeipa-github-notification at redhat.com Wed Mar 29 15:13:04 2017
From: freeipa-github-notification at redhat.com (redhatrises)
Date: Wed, 29 Mar 2017 17:13:04 +0200
Subject: [Freeipa-devel] [freeipa PR#621][synchronized] Add --password-expiration to allow an admin to force a password change
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/621
Author: redhatrises
Title: #621: Add --password-expiration to allow an admin to force a password change
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/621/head:pr621
git checkout pr621
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-621.patch
Type: text/x-diff
Size: 13705 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Mar 29 15:14:53 2017
From: freeipa-github-notification at redhat.com (redhatrises) Date: Wed, 29 Mar 2017 17:14:53 +0200 Subject: [Freeipa-devel] [freeipa PR#621][comment] Add --password-expiration to allow an admin to force a password change In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/621 Title: #621: Add --password-expiration to allow an admin to force a password change redhatrises commented: """ @HonzaCholasta updated "Admins can write passwords" ACI to contain 'krbPasswordExpiration' as the "Admin can manage any entry" ACI already had 'krbPasswordExpiration' added. """ See the full comment at https://github.com/freeipa/freeipa/pull/621#issuecomment-290122377 From freeipa-github-notification at redhat.com Wed Mar 29 15:30:28 2017 From: freeipa-github-notification at redhat.com (tjaalton) Date: Wed, 29 Mar 2017 17:30:28 +0200 Subject: [Freeipa-devel] [freeipa PR#673][opened] Conf template Message-ID: URL: https://github.com/freeipa/freeipa/pull/673 Author: tjaalton Title: #673: Conf template Action: opened PR body: """ Move conf templates to a common location, make ipa.conf and named.conf portable. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/673/head:pr673 git checkout pr673 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-673.patch Type: text/x-diff Size: 39943 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Mar 29 16:00:56 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 29 Mar 2017 18:00:56 +0200 Subject: [Freeipa-devel] [freeipa PR#674][opened] Replace hard-coded kdcproxy path with WSGI script Message-ID: URL: https://github.com/freeipa/freeipa/pull/674 Author: tiran Title: #674: Replace hard-coded kdcproxy path with WSGI script Action: opened PR body: """ mod_wsgi has no way to import a WSGI module by dotted module name. A new kdcproxy.wsgi script is used to import kdcproxy from whatever Python version mod_wsgi is compiled against. This will simplify moving FreeIPA to Python 3 and solves an import problem on Debian. Resolves: https://pagure.io/freeipa/issue/6834 Signed-off-by: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/674/head:pr674 git checkout pr674 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-674.patch Type: text/x-diff Size: 2617 bytes Desc: not available URL: From abokovoy at redhat.com Wed Mar 29 16:55:14 2017 
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 29 Mar 2017 19:55:14 +0300
Subject: [Freeipa-devel] Issue connecting through Clients
In-Reply-To:
References:
Message-ID: <20170329165514.v77okj6zbwo4gpnc@redhat.com>

On Wed, 29 Mar 2017, Bradley Bishop wrote:
>Hello all,
>
>I have an IPA setup with AD and DNS resides on AD and am having issues
>authenticating with my clients.
>
>Getting the Following error on my Clients:
>
>(Wed Mar 29 09:22:33 2017) [sssd[be[ipa.brad.local]]] [sasl_bind_send]
>(0x0100): Executing sasl bind mech: GSSAPI, user: host/bradltest3.brad.local

Your IPA domain is ipa.brad.local, your host name is bradltest3.brad.local, i.e. it is not in the IPA domain. It looks like your IPA client machine is in the AD DNS domain.

You should read http://rhelblog.redhat.com/2016/07/13/i-really-cant-rename-my-hosts/ and http://www.freeipa.org/page/V4/IPA_Client_in_Active_Directory_DNS_domain to understand what nightmare you are inflicting on yourself. ;)

--
/ Alexander Bokovoy

From freeipa-github-notification at redhat.com Wed Mar 29 17:06:25 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 29 Mar 2017 19:06:25 +0200
Subject: [Freeipa-devel] [freeipa PR#675][opened] [WIP] Fix PKCS11 helper
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/675
Author: MartinBasti
Title: #675: [WIP] Fix PKCS11 helper
Action: opened

PR body:
"""
Slots in HSM are not assigned statically, we have to choose proper slot from token label.

Softhsm i2.2.0 changed this behavior and now slots can change over time (it is allowed by pkcs11 standard).

Changelog:
* created method get_slot() that returns slot number from used label
* replaces usage of slot in __init__ method of P11_Helper with label
* slot is dynamically detected from token label before session is opened
* pkcs11-util --init-token now uses '--free' instead of '--slot' which uses first free slot (we don't care about slot numbers anymore)

https://pagure.io/freeipa/issue/6692
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/675/head:pr675
git checkout pr675
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-675.patch
Type: text/x-diff
Size: 7519 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Mar 29 17:23:11 2017
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 29 Mar 2017 19:23:11 +0200 Subject: [Freeipa-devel] [freeipa PR#675][synchronized] [WIP] Fix PKCS11 helper In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/675 Author: MartinBasti Title: #675: [WIP] Fix PKCS11 helper Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/675/head:pr675 git checkout pr675 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-675.patch Type: text/x-diff Size: 8640 bytes Desc: not available URL: From bind-dyndb-ldap-github-notification at redhat.com Wed Mar 29 17:28:02 2017 From: bind-dyndb-ldap-github-notification at redhat.com (MartinBasti) Date: Wed, 29 Mar 2017 19:28:02 +0200 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#12][comment] README.md: fix markdown formatting In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/12 Title: #12: README.md: fix markdown formatting MartinBasti commented: """ ACK """ See the full comment at https://github.com/freeipa/bind-dyndb-ldap/pull/12#issuecomment-290162668 From freeipa-github-notification at redhat.com Wed Mar 29 17:35:27 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 29 Mar 2017 19:35:27 +0200 Subject: [Freeipa-devel] [freeipa PR#636][+ack] [Py3] Fix ipatests.util doc tests In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/636 Title: #636: [Py3] Fix ipatests.util doc tests Label: +ack From freeipa-github-notification at redhat.com Wed Mar 29 19:47:06 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 29 Mar 2017 21:47:06 +0200 Subject: [Freeipa-devel] [freeipa PR#490][comment] certdb: use certutil and match_hostname for cert verification In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/490 Title: #490: certdb: use certutil and match_hostname for cert verification tiran commented: """ Your PR is going to remove the last import from python-nss. Awesome! Please remove the requirement from ```ipapython/setup.py``` and ```freeipa.spec.in```, too. """ See the full comment at https://github.com/freeipa/freeipa/pull/490#issuecomment-290204064 From freeipa-github-notification at redhat.com Thu Mar 30 02:35:32 2017 From: freeipa-github-notification at redhat.com (redhatrises) Date: Thu, 30 Mar 2017 04:35:32 +0200 Subject: [Freeipa-devel] [freeipa PR#621][synchronized] Add --password-expiration to allow an admin to force a password change In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/621 Author: redhatrises Title: #621: Add --password-expiration to allow an admin to force a password change Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/621/head:pr621 git checkout pr621 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-621.patch Type: text/x-diff Size: 14065 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 30 03:07:21 2017 
From: freeipa-github-notification at redhat.com (Akasurde)
Date: Thu, 30 Mar 2017 05:07:21 +0200
Subject: [Freeipa-devel] [freeipa PR#480][comment] Hide request_type doc string in cert-request help
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/480
Title: #480: Hide request_type doc string in cert-request help

Akasurde commented:
"""
Bump for review.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/480#issuecomment-290289355

From freeipa-github-notification at redhat.com Thu Mar 30 06:15:59 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Thu, 30 Mar 2017 08:15:59 +0200
Subject: [Freeipa-devel] [freeipa PR#672][comment] IPA-KDB: use relative path in ipa-certmap config snippet
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/672
Title: #672: IPA-KDB: use relative path in ipa-certmap config snippet

tiran commented:
"""
LGTM

For the record: according to https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html#plugins the plugin directive uses ```plugin_base_dir``` as base dir:

> module
> This tag may have multiple values. Each value is a string of the form modulename:pathname, which causes the shared object located at pathname to be registered as a dynamic module named modulename for the pluggable interface. If pathname is not an absolute path, it will be treated as relative to the plugin_base_dir value from [libdefaults].
> plugin_base_dir
> If set, determines the base directory where krb5 plugins are located. The default value is the krb5/plugins subdirectory of the krb5 library directory.

@sumit-bose What happens when the shared library is missing? Does 32bit kinit fail or work on a X86_64 system when 32bit ipadb.so is missing?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/672#issuecomment-290312805

From freeipa-github-notification at redhat.com Thu Mar 30 06:45:58 2017
From: freeipa-github-notification at redhat.com (abbra)
Date: Thu, 30 Mar 2017 08:45:58 +0200
Subject: [Freeipa-devel] [freeipa PR#672][comment] IPA-KDB: use relative path in ipa-certmap config snippet
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/672
Title: #672: IPA-KDB: use relative path in ipa-certmap config snippet

abbra commented:
"""
> @sumit-bose What happens when the shared library is missing? Does 32bit kinit fail or work on a X86_64 system when 32bit ipadb.so is missing?

It is not about kinit. The module is for KDC, not client side. We guarantee it exists because we install it.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/672#issuecomment-290317784

From freeipa-github-notification at redhat.com Thu Mar 30 06:52:56 2017
From: freeipa-github-notification at redhat.com (tjaalton)
Date: Thu, 30 Mar 2017 08:52:56 +0200
Subject: [Freeipa-devel] [freeipa PR#673][synchronized] Conf template
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/673
Author: tjaalton
Title: #673: Conf template
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/673/head:pr673
git checkout pr673
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-673.patch
Type: text/x-diff
Size: 39933 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Thu Mar 30 07:38:54 2017
From: freeipa-github-notification at redhat.com (tjaalton) Date: Thu, 30 Mar 2017 09:38:54 +0200 Subject: [Freeipa-devel] [freeipa PR#673][synchronized] Conf template In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/673 Author: tjaalton Title: #673: Conf template Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/673/head:pr673 git checkout pr673 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-673.patch Type: text/x-diff Size: 40179 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 30 07:59:04 2017 From: freeipa-github-notification at redhat.com (Akasurde) Date: Thu, 30 Mar 2017 09:59:04 +0200 Subject: [Freeipa-devel] [freeipa PR#676][opened] Use with statement for opening file Message-ID: URL: https://github.com/freeipa/freeipa/pull/676 Author: Akasurde Title: #676: Use with statement for opening file Action: opened PR body: """ Signed-off-by: Abhijeet Kasurde """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/676/head:pr676 git checkout pr676 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-676.patch Type: text/x-diff Size: 3325 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 30 08:17:09 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 30 Mar 2017 10:17:09 +0200 Subject: [Freeipa-devel] [freeipa PR#675][synchronized] [WIP] Fix PKCS11 helper In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/675 Author: MartinBasti Title: #675: [WIP] Fix PKCS11 helper Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/675/head:pr675 git checkout pr675 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-675.patch Type: text/x-diff Size: 9537 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 30 08:29:08 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 30 Mar 2017 10:29:08 +0200 Subject: [Freeipa-devel] [freeipa PR#676][comment] Use with statement for opening file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/676 Title: #676: Use with statement for opening file MartinBasti commented: """ LGTM, let's wait for travis """ See the full comment at https://github.com/freeipa/freeipa/pull/676#issuecomment-290339708 From freeipa-github-notification at redhat.com Thu Mar 30 08:46:55 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 30 Mar 2017 10:46:55 +0200 Subject: [Freeipa-devel] [freeipa PR#675][comment] [WIP] Fix PKCS11 helper In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/675 Title: #675: [WIP] Fix PKCS11 helper stlaz commented: """ `cffi.api.CDefError: cannot parse "typedef CK_RV (*CK_C_GetSlotList) (CK_BBOOL tokenPresent,` -> you're using CK_BBOOL type before defining it. """ See the full comment at https://github.com/freeipa/freeipa/pull/675#issuecomment-290344169 From freeipa-github-notification at redhat.com Thu Mar 30 08:56:25 2017 
From: freeipa-github-notification at redhat.com (tjaalton) Date: Thu, 30 Mar 2017 10:56:25 +0200 Subject: [Freeipa-devel] [freeipa PR#673][comment] Conf template In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/673 Title: #673: Conf template tjaalton commented: """ https://pagure.io/freeipa/issue/6837 """ See the full comment at https://github.com/freeipa/freeipa/pull/673#issuecomment-290346617 From freeipa-github-notification at redhat.com Thu Mar 30 08:58:21 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Thu, 30 Mar 2017 10:58:21 +0200 Subject: [Freeipa-devel] [freeipa PR#621][comment] Add --password-expiration to allow an admin to force a password change In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/621 Title: #621: Add --password-expiration to allow an admin to force a password change HonzaCholasta commented: """ @redhatrises, the "Admin can manage any entry" ACI in fact contains a blacklist of attributes which admins aren't allowed to write. To actually fix the issue you must also remove `krbPasswordExpiration` from the "Admin can manage any entry" ACI. """ See the full comment at https://github.com/freeipa/freeipa/pull/621#issuecomment-290347117 From freeipa-github-notification at redhat.com Thu Mar 30 08:59:20 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 30 Mar 2017 10:59:20 +0200 Subject: [Freeipa-devel] [freeipa PR#675][comment] [WIP] Fix PKCS11 helper In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/675 Title: #675: [WIP] Fix PKCS11 helper stlaz commented: """ `cffi.api.CDefError: cannot parse "typedef CK_RV (*CK_C_GetSlotList) (CK_BBOOL tokenPresent,` -> you're using CK_BBOOL type before defining it. """ See the full comment at https://github.com/freeipa/freeipa/pull/675#issuecomment-290344169 From freeipa-github-notification at redhat.com Thu Mar 30 09:01:06 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Thu, 30 Mar 2017 11:01:06 +0200 Subject: [Freeipa-devel] [freeipa PR#677][opened] cert: defer cert-find result post-processing Message-ID: URL: https://github.com/freeipa/freeipa/pull/677 Author: HonzaCholasta Title: #677: cert: defer cert-find result post-processing Action: opened PR body: """ Rather than post-processing the results of each internal search, post-process the combined result. This avoids expensive per-certificate searches on certificates which won't even be included in the combined result when cert-find is executed with the --all option. https://pagure.io/freeipa/issue/6808 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/677/head:pr677 git checkout pr677 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-677.patch Type: text/x-diff Size: 6670 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 30 10:00:39 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 30 Mar 2017 12:00:39 +0200 Subject: [Freeipa-devel] [freeipa PR#676][+ack] Use with statement for opening file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/676 Title: #676: Use with statement for opening file Label: +ack From freeipa-github-notification at redhat.com Thu Mar 30 10:08:51 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 30 Mar 2017 12:08:51 +0200 Subject: [Freeipa-devel] [freeipa PR#593][synchronized] Add make patchcheck for developers In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/593 Author: tiran Title: #593: Add make patchcheck for developers Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/593/head:pr593 git checkout pr593 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-593.patch Type: text/x-diff Size: 7124 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 30 10:21:56 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Thu, 30 Mar 2017 12:21:56 +0200 Subject: [Freeipa-devel] [freeipa PR#677][synchronized] cert: defer cert-find result post-processing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/677 Author: HonzaCholasta Title: #677: cert: defer cert-find result post-processing Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/677/head:pr677 git checkout pr677 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-677.patch Type: text/x-diff Size: 8166 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 30 10:29:03 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Thu, 30 Mar 2017 12:29:03 +0200 Subject: [Freeipa-devel] [freeipa PR#490][synchronized] certdb: use certutil and match_hostname for cert verification In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/490 Author: HonzaCholasta Title: #490: certdb: use certutil and match_hostname for cert verification Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/490/head:pr490 git checkout pr490 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-490.patch Type: text/x-diff Size: 13836 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 30 10:37:56 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 30 Mar 2017 12:37:56 +0200 Subject: [Freeipa-devel] [freeipa PR#629][+ack] adtrust: make sure that runtime hostname result is consistent with the configuration In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/629 Title: #629: adtrust: make sure that runtime hostname result is consistent with the configuration Label: +ack From freeipa-github-notification at redhat.com Thu Mar 30 10:39:40 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 30 Mar 2017 12:39:40 +0200 Subject: [Freeipa-devel] [freeipa PR#665][+ack] Allow erasing ipaDomainResolutionOrder attribute In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/665 Title: #665: Allow erasing ipaDomainResolutionOrder attribute Label: +ack From freeipa-github-notification at redhat.com Thu Mar 30 11:08:49 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 30 Mar 2017 13:08:49 +0200 Subject: [Freeipa-devel] [freeipa PR#676][+pushed] Use with statement for opening file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/676 Title: #676: Use with statement for opening file Label: +pushed From freeipa-github-notification at redhat.com Thu Mar 30 11:08:55 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 30 Mar 2017 13:08:55 +0200 Subject: [Freeipa-devel] [freeipa PR#676][comment] Use with statement for opening file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/676 Title: #676: Use with statement for opening file MartinBasti commented: """ master: * 6d4c917440793e988b907a62f2f56f5dc82b53dd Use with statement for opening file """ See the full comment at https://github.com/freeipa/freeipa/pull/676#issuecomment-290379294 From freeipa-github-notification at redhat.com Thu Mar 30 11:08:59 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 30 Mar 2017 13:08:59 +0200 Subject: [Freeipa-devel] [freeipa PR#676][closed] Use with statement for opening file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/676 Author: Akasurde Title: #676: Use with statement for opening file Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/676/head:pr676 git checkout pr676 From freeipa-github-notification at redhat.com Thu Mar 30 11:10:39 2017 
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Thu, 30 Mar 2017 13:10:39 +0200
Subject: [Freeipa-devel] [freeipa PR#631][+pushed] Upgrade: configure PKINIT after adding anonymous principal
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/631
Title: #631: Upgrade: configure PKINIT after adding anonymous principal
Label: +pushed

From freeipa-github-notification at redhat.com Thu Mar 30 11:10:42 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Thu, 30 Mar 2017 13:10:42 +0200
Subject: [Freeipa-devel] [freeipa PR#631][comment] Upgrade: configure PKINIT after adding anonymous principal
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/631
Title: #631: Upgrade: configure PKINIT after adding anonymous principal

MartinBasti commented:
"""
master:

* c2d95d3962d525017732618e66b39b099235d43e Upgrade: configure PKINIT after adding anonymous principal
* 1fc48cd0af3b19272fcfe25235e55eae249bb6c9 Remove unused variable from failed anonymous PKINIT handling
* 17aa51ef0291b9c6174509f52913076ae599357f Split out anonymous PKINIT test to a separate method
* 5c22f905d48d3d8dd50e394290e1feb8f6dedcaa Ensure KDC is propery configured after upgrade

ipa-4-5:

* b9002bf6273151cb480dfba7ffa7480d037984ee Upgrade: configure PKINIT after adding anonymous principal
* 4b2b1d33157963a8b3d8229d1edd573dcbb93fb5 Remove unused variable from failed anonymous PKINIT handling
* c1393029b6a853cc2cb874f4f93706368627d7c4 Split out anonymous PKINIT test to a separate method
* 89fc0a126be67755d4a687b427a6c67b3cbc4337 Ensure KDC is propery configured after upgrade
"""

See the full comment at https://github.com/freeipa/freeipa/pull/631#issuecomment-290379615

From freeipa-github-notification at redhat.com Thu Mar 30 11:10:45 2017
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 30 Mar 2017 13:10:45 +0200 Subject: [Freeipa-devel] [freeipa PR#631][closed] Upgrade: configure PKINIT after adding anonymous principal In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/631 Author: martbab Title: #631: Upgrade: configure PKINIT after adding anonymous principal Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/631/head:pr631 git checkout pr631 From freeipa-github-notification at redhat.com Thu Mar 30 11:17:46 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 30 Mar 2017 13:17:46 +0200 Subject: [Freeipa-devel] [freeipa PR#629][+pushed] adtrust: make sure that runtime hostname result is consistent with the configuration In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/629 Title: #629: adtrust: make sure that runtime hostname result is consistent with the configuration Label: +pushed From freeipa-github-notification at redhat.com Thu Mar 30 11:17:49 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 30 Mar 2017 13:17:49 +0200 Subject: [Freeipa-devel] [freeipa PR#629][closed] adtrust: make sure that runtime hostname result is consistent with the configuration In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/629 Author: abbra Title: #629: adtrust: make sure that runtime hostname result is consistent with the configuration Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/629/head:pr629 git checkout pr629 From freeipa-github-notification at redhat.com Thu Mar 30 11:17:53 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 30 Mar 2017 13:17:53 +0200 Subject: [Freeipa-devel] [freeipa PR#629][comment] adtrust: make sure that runtime hostname result is consistent with the configuration In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/629 Title: #629: adtrust: make sure that runtime hostname result is consistent with the configuration MartinBasti commented: """ master: * 0d817ae63a4ad8ba7a29910a9342a78e15e89593 adtrust: make sure that runtime hostname result is consistent with the configuration ipa-4-5: * e430699024df06e1e6f819824548986eb0fa5fd2 adtrust: make sure that runtime hostname result is consistent with the configuration """ See the full comment at https://github.com/freeipa/freeipa/pull/629#issuecomment-290381044 From freeipa-github-notification at redhat.com Thu Mar 30 11:19:36 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 30 Mar 2017 13:19:36 +0200 Subject: [Freeipa-devel] [freeipa PR#665][comment] Allow erasing ipaDomainResolutionOrder attribute In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/665 Title: #665: Allow erasing ipaDomainResolutionOrder attribute MartinBasti commented: """ master: * e03056cf34de5ba0100d62f008d76e8c851c3ba7 Allow erasing ipaDomainResolutionOrder attribute ipa-4-5: * 08a921cc08b5b841260caa2e45653a704b88542c Allow erasing ipaDomainResolutionOrder attribute """ See the full comment at https://github.com/freeipa/freeipa/pull/665#issuecomment-290381418 From freeipa-github-notification at redhat.com Thu Mar 30 11:19:40 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 30 Mar 2017 13:19:40 +0200 Subject: [Freeipa-devel] [freeipa PR#665][closed] Allow erasing ipaDomainResolutionOrder attribute In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/665 Author: fidencio Title: #665: Allow erasing ipaDomainResolutionOrder attribute Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/665/head:pr665 git checkout pr665 From freeipa-github-notification at redhat.com Thu Mar 30 11:19:43 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 30 Mar 2017 13:19:43 +0200 Subject: [Freeipa-devel] [freeipa PR#665][+pushed] Allow erasing ipaDomainResolutionOrder attribute In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/665 Title: #665: Allow erasing ipaDomainResolutionOrder attribute Label: +pushed From freeipa-github-notification at redhat.com Thu Mar 30 11:20:38 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 30 Mar 2017 13:20:38 +0200 Subject: [Freeipa-devel] [freeipa PR#636][comment] [Py3] Fix ipatests.util doc tests In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/636 Title: #636: [Py3] Fix ipatests.util doc tests MartinBasti commented: """ master: * 397e6716974f90168792ec0a6ad0b7b37c02eb87 Fix ipatests.util doc tests """ See the full comment at https://github.com/freeipa/freeipa/pull/636#issuecomment-290381626 From freeipa-github-notification at redhat.com Thu Mar 30 11:20:42 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 30 Mar 2017 13:20:42 +0200 Subject: [Freeipa-devel] [freeipa PR#636][+pushed] [Py3] Fix ipatests.util doc tests In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/636 Title: #636: [Py3] Fix ipatests.util doc tests Label: +pushed From freeipa-github-notification at redhat.com Thu Mar 30 11:20:48 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 30 Mar 2017 13:20:48 +0200 Subject: [Freeipa-devel] [freeipa PR#636][closed] [Py3] Fix ipatests.util doc tests In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/636 Author: tiran Title: #636: [Py3] Fix ipatests.util doc tests Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/636/head:pr636 git checkout pr636 From freeipa-github-notification at redhat.com Thu Mar 30 11:21:29 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 30 Mar 2017 13:21:29 +0200 Subject: [Freeipa-devel] [freeipa PR#658][+pushed] Hide PKI Client database password in log file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/658 Title: #658: Hide PKI Client database password in log file Label: +pushed From freeipa-github-notification at redhat.com Thu Mar 30 11:21:33 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 30 Mar 2017 13:21:33 +0200 Subject: [Freeipa-devel] [freeipa PR#658][comment] Hide PKI Client database password in log file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/658 Title: #658: Hide PKI Client database password in log file MartinBasti commented: """ master: * 7fddc1df573cb56949b1bc8ad83a041e97523df1 Hide PKI Client database password in log file """ See the full comment at https://github.com/freeipa/freeipa/pull/658#issuecomment-290381810 From freeipa-github-notification at redhat.com Thu Mar 30 11:21:34 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 30 Mar 2017 13:21:34 +0200 Subject: [Freeipa-devel] [freeipa PR#658][closed] Hide PKI Client database password in log file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/658 Author: Akasurde Title: #658: Hide PKI Client database password in log file Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/658/head:pr658 git checkout pr658 From freeipa-github-notification at redhat.com Thu Mar 30 11:23:03 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 30 Mar 2017 13:23:03 +0200 Subject: [Freeipa-devel] [freeipa PR#666][closed] Fix anonymous principal handling in replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/666 Author: martbab Title: #666: Fix anonymous principal handling in replica install Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/666/head:pr666 git checkout pr666 From freeipa-github-notification at redhat.com Thu Mar 30 11:23:07 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 30 Mar 2017 13:23:07 +0200 Subject: [Freeipa-devel] [freeipa PR#666][comment] Fix anonymous principal handling in replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/666 Title: #666: Fix anonymous principal handling in replica install MartinBasti commented: """ needs rebase """ See the full comment at https://github.com/freeipa/freeipa/pull/666#issuecomment-290382082 From freeipa-github-notification at redhat.com Thu Mar 30 11:23:10 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 30 Mar 2017 13:23:10 +0200 Subject: [Freeipa-devel] [freeipa PR#666][reopened] Fix anonymous principal handling in replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/666 Author: martbab Title: #666: Fix anonymous principal handling in replica install Action: reopened To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/666/head:pr666 git checkout pr666 From freeipa-github-notification at redhat.com Thu Mar 30 11:27:02 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 30 Mar 2017 13:27:02 +0200 Subject: [Freeipa-devel] [freeipa PR#593][edited] Add make patchcheck for developers In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/593 Author: tiran Title: #593: Add make patchcheck for developers Action: edited Changed field: title Original value: """ Add make patchcheck for developers """ From freeipa-github-notification at redhat.com Thu Mar 30 11:36:30 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 30 Mar 2017 13:36:30 +0200 Subject: [Freeipa-devel] [freeipa PR#618][synchronized] [WIP] Tox testing support for client wheel packages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/618 Author: tiran Title: #618: [WIP] Tox testing support for client wheel packages Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/618/head:pr618 git checkout pr618 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-618.patch Type: text/x-diff Size: 10592 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Mar 30 11:38:28 2017 From: freeipa-github-notification at redhat.com (Akasurde) Date: Thu, 30 Mar 2017 13:38:28 +0200 Subject: [Freeipa-devel] [freeipa PR#658][comment] Hide PKI Client database password in log file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/658 Title: #658: Hide PKI Client database password in log file Akasurde commented: """ @stlaz @MartinBasti Thanks. """ See the full comment at https://github.com/freeipa/freeipa/pull/658#issuecomment-290385331 From freeipa-github-notification at redhat.com Thu Mar 30 11:39:03 2017 From: freeipa-github-notification at redhat.com (Akasurde) Date: Thu, 30 Mar 2017 13:39:03 +0200 Subject: [Freeipa-devel] [freeipa PR#676][comment] Use with statement for opening file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/676 Title: #676: Use with statement for opening file Akasurde commented: """ @MartinBasti Thanks. """ See the full comment at https://github.com/freeipa/freeipa/pull/676#issuecomment-290385446 From freeipa-github-notification at redhat.com Thu Mar 30 12:03:04 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Thu, 30 Mar 2017 14:03:04 +0200 Subject: [Freeipa-devel] [freeipa PR#490][comment] certdb: use certutil and match_hostname for cert verification In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/490 Title: #490: certdb: use certutil and match_hostname for cert verification HonzaCholasta commented: """ Awesome indeed! As for your suggestions to improve the validation, I completely agree with them, but the focus of this PR is to refactor the current validation not to use python-nss, which it delivers. Could you please file a ticket for the improvements, so that it gets more visibility and can be properly tracked? """ See the full comment at https://github.com/freeipa/freeipa/pull/490#issuecomment-290390283 From bind-dyndb-ldap-github-notification at redhat.com Thu Mar 30 12:40:08 2017 From: bind-dyndb-ldap-github-notification at redhat.com (pemensik) Date: Thu, 30 Mar 2017 14:40:08 +0200 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#11][comment] Coverity: fix REVERSE_INULL for pevent->inst In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/11 Title: #11: Coverity: fix REVERSE_INULL for pevent->inst pemensik commented: """ Hi Tomáš, I did not find any place which could result with inst == NULL. ldap_sync_prepare contains proper REQUIRE(inst != null) and all other functions use its result stored in ls_private. I think null check does not harm anything. It is used in BIND to catch unexpected problems after code changes. I would suggest to place one require at the beginning of syncrepl_update function also. Overall I think it should be merged. """ See the full comment at https://github.com/freeipa/bind-dyndb-ldap/pull/11#issuecomment-290398226 From freeipa-github-notification at redhat.com Thu Mar 30 13:03:05 2017 
From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 30 Mar 2017 15:03:05 +0200 Subject: [Freeipa-devel] [freeipa PR#666][synchronized] Fix anonymous principal handling in replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/666 Author: martbab Title: #666: Fix anonymous principal handling in replica install Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/666/head:pr666 git checkout pr666 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-666.patch Type: text/x-diff Size: 4528 bytes Desc: not available URL: From bind-dyndb-ldap-github-notification at redhat.com Thu Mar 30 13:08:33 2017 From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Thu, 30 Mar 2017 15:08:33 +0200 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#13][opened] releng: remove obsolete Trac scripts Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/13 Author: tomaskrizek Title: #13: releng: remove obsolete Trac scripts Action: opened PR body: """ Helper scripts for Trac are no longer necessary, because project was migrated to pagure.io. """ To pull the PR as Git branch: git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap git fetch ghbind-dyndb-ldap pull/13/head:pr13 git checkout pr13 -------------- next part -------------- A non-text attachment was scrubbed... Name: bind-dyndb-ldap-pr-13.patch Type: text/x-diff Size: 3977 bytes Desc: not available URL: From bind-dyndb-ldap-github-notification at redhat.com Thu Mar 30 13:24:13 2017 
From: bind-dyndb-ldap-github-notification at redhat.com (MartinBasti) Date: Thu, 30 Mar 2017 15:24:13 +0200 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#13][comment] releng: remove obsolete Trac scripts In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/13 Title: #13: releng: remove obsolete Trac scripts MartinBasti commented: """ Probably those scripts should be migrated to `libpagure` """ See the full comment at https://github.com/freeipa/bind-dyndb-ldap/pull/13#issuecomment-290409263 From bind-dyndb-ldap-github-notification at redhat.com Thu Mar 30 13:25:17 2017 From: bind-dyndb-ldap-github-notification at redhat.com (MartinBasti) Date: Thu, 30 Mar 2017 15:25:17 +0200 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#13][comment] releng: remove obsolete Trac scripts In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/13 Title: #13: releng: remove obsolete Trac scripts MartinBasti commented: """ (if they are useful for pagure use cases) """ See the full comment at https://github.com/freeipa/bind-dyndb-ldap/pull/13#issuecomment-290409563 From freeipa-github-notification at redhat.com Thu Mar 30 13:32:21 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 30 Mar 2017 15:32:21 +0200 Subject: [Freeipa-devel] [freeipa PR#666][+pushed] Fix anonymous principal handling in replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/666 Title: #666: Fix anonymous principal handling in replica install Label: +pushed From freeipa-github-notification at redhat.com Thu Mar 30 13:32:24 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 30 Mar 2017 15:32:24 +0200 Subject: [Freeipa-devel] [freeipa PR#666][comment] Fix anonymous principal handling in replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/666 Title: #666: Fix anonymous principal handling in replica install MartinBasti commented: """ master: * 191668e85be0b53020a56df409731812e528d101 Always check and create anonymous principal during KDC install * 2eabb0dab7b4dab1c45395f3e02d43676d91f4a2 Remove duplicate functionality in upgrade ipa-4-5: * ce94f7fa7b4eca296d2f9692d35c2558bfeddb46 Always check and create anonymous principal during KDC install * 0fcd56533a00c28f9f8f800c77b8c2c580cb3a8f Remove duplicate functionality in upgrade """ See the full comment at https://github.com/freeipa/freeipa/pull/666#issuecomment-290411432 From freeipa-github-notification at redhat.com Thu Mar 30 13:32:25 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 30 Mar 2017 15:32:25 +0200 Subject: [Freeipa-devel] [freeipa PR#666][closed] Fix anonymous principal handling in replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/666 Author: martbab Title: #666: Fix anonymous principal handling in replica install Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/666/head:pr666 git checkout pr666 From freeipa-github-notification at redhat.com Thu Mar 30 13:41:16 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 30 Mar 2017 15:41:16 +0200 Subject: [Freeipa-devel] [freeipa PR#640][+ack] Remove pkinit options from master/replica on DL0 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/640 Title: #640: Remove pkinit options from master/replica on DL0 Label: +ack From freeipa-github-notification at redhat.com Thu Mar 30 13:42:03 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 30 Mar 2017 15:42:03 +0200 Subject: [Freeipa-devel] [freeipa PR#640][+pushed] Remove pkinit options from master/replica on DL0 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/640 Title: #640: Remove pkinit options from master/replica on DL0 Label: +pushed From freeipa-github-notification at redhat.com Thu Mar 30 13:42:06 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 30 Mar 2017 15:42:06 +0200 Subject: [Freeipa-devel] [freeipa PR#640][comment] Remove pkinit options from master/replica on DL0 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/640 Title: #640: Remove pkinit options from master/replica on DL0 MartinBasti commented: """ master: * 6cda1509a68d7a21578280d381a6b9e994fd4f49 Fix the order of cert-files check * 9e3ae785ac9b62b8e0809a4aa56363c458316135 Don't allow setting pkinit-related options on DL0 * 8af884d0489d5d57895959d27ca6eb8815c6c922 replica-prepare man: remove pkinit option refs * fe7cf1e854b7dc28861455011091df3cbe45abe9 Remove redundant option check for cert files ipa-4-5: * 497e766427b3ced865ff88a51cd0c2c96e8b24f9 Fix the order of cert-files check * a1ad1ffa3540da4b5d5c1963b3818d9c9260e1a2 Don't allow setting pkinit-related options on DL0 * 85720b6bdc764b98dd471799ccc1045e1379709e replica-prepare man: remove pkinit option refs * 8f7b6c349f4e81e88ef36f014e26de6b1f3f3e41 Remove redundant option check for cert files """ See the full comment at https://github.com/freeipa/freeipa/pull/640#issuecomment-290414140 From freeipa-github-notification at redhat.com Thu Mar 30 13:42:09 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 30 Mar 2017 15:42:09 +0200 Subject: [Freeipa-devel] [freeipa PR#640][closed] Remove pkinit options from master/replica on DL0 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/640 Author: stlaz Title: #640: Remove pkinit options from master/replica on DL0 Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/640/head:pr640 git checkout pr640 From bind-dyndb-ldap-github-notification at redhat.com Thu Mar 30 14:10:52 2017 From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Thu, 30 Mar 2017 16:10:52 +0200 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#13][comment] releng: remove obsolete Trac scripts In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/13 Title: #13: releng: remove obsolete Trac scripts tomaskrizek commented: """ The script only adds a version with a proper datetime tag. Since there are no special fields for versions in Pagure (`fixedin` is text), these scripts are no longer needed. [Releases in Pagure](https://pagure.io/bind-dyndb-ldap/releases) are tracked directly from the git tags. """ See the full comment at https://github.com/freeipa/bind-dyndb-ldap/pull/13#issuecomment-290422575 From bind-dyndb-ldap-github-notification at redhat.com Thu Mar 30 14:29:00 2017 From: bind-dyndb-ldap-github-notification at redhat.com (MartinBasti) Date: Thu, 30 Mar 2017 16:29:00 +0200 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#13][comment] releng: remove obsolete Trac scripts In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/13 Title: #13: releng: remove obsolete Trac scripts MartinBasti commented: """ Ok then ACK """ See the full comment at https://github.com/freeipa/bind-dyndb-ldap/pull/13#issuecomment-290428280 From freeipa-github-notification at redhat.com Thu Mar 30 14:34:54 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 30 Mar 2017 16:34:54 +0200 Subject: [Freeipa-devel] [freeipa PR#670][+ack] [Py3] session storage parameters must be bytes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/670 Title: #670: [Py3] session storage parameters must be bytes Label: +ack From freeipa-github-notification at redhat.com Thu Mar 30 15:01:07 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 30 Mar 2017 17:01:07 +0200 Subject: [Freeipa-devel] [freeipa PR#397][comment] Improve wheel building and provide ipaserver wheel for local testing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/397 Title: #397: Improve wheel building and provide ipaserver wheel for local testing MartinBasti commented: """ Please rebase, it is ok to me, I see potential for future server unit testing. I will test when rebased. If somebody is against this please say it now. """ See the full comment at https://github.com/freeipa/freeipa/pull/397#issuecomment-290438690 From freeipa-github-notification at redhat.com Thu Mar 30 15:35:15 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 30 Mar 2017 17:35:15 +0200 Subject: [Freeipa-devel] [freeipa PR#480][+ack] Hide request_type doc string in cert-request help In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/480 Title: #480: Hide request_type doc string in cert-request help Label: +ack From freeipa-github-notification at redhat.com Thu Mar 30 18:07:07 2017 
From: freeipa-github-notification at redhat.com (flo-renaud) Date: Thu, 30 Mar 2017 20:07:07 +0200 Subject: [Freeipa-devel] [freeipa PR#678][opened] ipa-ca-install man page: Add domain level 1 help Message-ID: URL: https://github.com/freeipa/freeipa/pull/678 Author: flo-renaud Title: #678: ipa-ca-install man page: Add domain level 1 help Action: opened PR body: """ In domain level 1 ipa-ca-install does not require a replica-file. Update the man page to distinguish the domain level 0 or 1 usage. https://pagure.io/freeipa/issue/5831 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/678/head:pr678 git checkout pr678 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-678.patch Type: text/x-diff Size: 2261 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 31 00:22:23 2017 From: freeipa-github-notification at redhat.com (redhatrises) Date: Fri, 31 Mar 2017 02:22:23 +0200 Subject: [Freeipa-devel] [freeipa PR#621][synchronized] Add --password-expiration to allow an admin to force a password change In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/621 Author: redhatrises Title: #621: Add --password-expiration to allow an admin to force a password change Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/621/head:pr621 git checkout pr621 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-621.patch Type: text/x-diff Size: 16966 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 31 00:24:13 2017 
From: freeipa-github-notification at redhat.com (redhatrises) Date: Fri, 31 Mar 2017 02:24:13 +0200 Subject: [Freeipa-devel] [freeipa PR#621][comment] Add --password-expiration to allow an admin to force a password change In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/621 Title: #621: Add --password-expiration to allow an admin to force a password change redhatrises commented: """ @HonzaCholasta I also removed `krbPasswordExpiration` from the "Admin can manage any entry" ACI. """ See the full comment at https://github.com/freeipa/freeipa/pull/621#issuecomment-290581916 From freeipa-github-notification at redhat.com Fri Mar 31 06:50:59 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 31 Mar 2017 08:50:59 +0200 Subject: [Freeipa-devel] [freeipa PR#397][synchronized] Improve wheel building and provide ipaserver wheel for local testing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/397 Author: tiran Title: #397: Improve wheel building and provide ipaserver wheel for local testing Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/397/head:pr397 git checkout pr397 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-397.patch Type: text/x-diff Size: 17381 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 31 06:54:09 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Fri, 31 Mar 2017 08:54:09 +0200 Subject: [Freeipa-devel] [freeipa PR#397][comment] Improve wheel building and provide ipaserver wheel for local testing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/397 Title: #397: Improve wheel building and provide ipaserver wheel for local testing HonzaCholasta commented: """ LGTM. """ See the full comment at https://github.com/freeipa/freeipa/pull/397#issuecomment-290632228 From freeipa-github-notification at redhat.com Fri Mar 31 06:57:51 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 31 Mar 2017 08:57:51 +0200 Subject: [Freeipa-devel] [freeipa PR#397][comment] Improve wheel building and provide ipaserver wheel for local testing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/397 Title: #397: Improve wheel building and provide ipaserver wheel for local testing tiran commented: """ Thanks @MartinBasti I rebased the PR and added a small workaround for ```dbus-python```. The package uses make to compile some of its internal dependencies. It looks like there is a bug in ```dbus-python```'s makefile. It sometimes fails to compile with my ```MAKEFLAGS=-j4``` env var. ```Makefile.am``` line 253 sets MAKEFLAGS to empty value for ```pip wheel```. """ See the full comment at https://github.com/freeipa/freeipa/pull/397#issuecomment-290632826 From freeipa-github-notification at redhat.com Fri Mar 31 07:00:53 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 31 Mar 2017 09:00:53 +0200 Subject: [Freeipa-devel] [freeipa PR#593][edited] Add make devcheck for developers In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/593 Author: tiran Title: #593: Add make devcheck for developers Action: edited Changed field: body Original value: """ Ticket 6604 makes pylint and jsl optional dependencies. The change is controversial, because some developers prefer that pylint and jsl should be required unless explicitly disabled. `make patchcheck` is my answer to address the concerns. It's a superior solution to `make lint` as pre-commit check. It combines several additional checks under a single, easy rememberable and convenient make target: * build all * acilint, apiclient, jslint, polint * make check * pylint under Python 2 and 3 * subset of unit test suite https://fedorahosted.org/freeipa/ticket/6604 Depends on - [X] #475 - [X] #587 - [X] #594 - [ ] #636 - [ ] #670 """ From freeipa-github-notification at redhat.com Fri Mar 31 07:01:30 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 31 Mar 2017 09:01:30 +0200 Subject: [Freeipa-devel] [freeipa PR#593][synchronized] Add make devcheck for developers In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/593 Author: tiran Title: #593: Add make devcheck for developers Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/593/head:pr593 git checkout pr593 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-593.patch Type: text/x-diff Size: 4693 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 31 07:02:30 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 31 Mar 2017 09:02:30 +0200 Subject: [Freeipa-devel] [freeipa PR#593][synchronized] Add make devcheck for developers In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/593 Author: tiran Title: #593: Add make devcheck for developers Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/593/head:pr593 git checkout pr593 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-593.patch Type: text/x-diff Size: 4691 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 31 07:11:19 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Fri, 31 Mar 2017 09:11:19 +0200 Subject: [Freeipa-devel] [freeipa PR#621][comment] Add --password-expiration to allow an admin to force a password change In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/621 Title: #621: Add --password-expiration to allow an admin to force a password change HonzaCholasta commented: """ Works for me. Thanks! """ See the full comment at https://github.com/freeipa/freeipa/pull/621#issuecomment-290635083 From freeipa-github-notification at redhat.com Fri Mar 31 07:12:06 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Fri, 31 Mar 2017 09:12:06 +0200 Subject: [Freeipa-devel] [freeipa PR#621][+ack] Add --password-expiration to allow an admin to force a password change In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/621 Title: #621: Add --password-expiration to allow an admin to force a password change Label: +ack From freeipa-github-notification at redhat.com Fri Mar 31 07:56:24 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 31 Mar 2017 09:56:24 +0200 Subject: [Freeipa-devel] [freeipa PR#678][+ack] ipa-ca-install man page: Add domain level 1 help In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/678 Title: #678: ipa-ca-install man page: Add domain level 1 help Label: +ack From freeipa-github-notification at redhat.com Fri Mar 31 08:01:53 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 31 Mar 2017 10:01:53 +0200 Subject: [Freeipa-devel] [freeipa PR#490][+ack] certdb: use certutil and match_hostname for cert verification In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/490 Title: #490: certdb: use certutil and match_hostname for cert verification Label: +ack From freeipa-github-notification at redhat.com Fri Mar 31 08:32:53 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 31 Mar 2017 10:32:53 +0200 Subject: [Freeipa-devel] [freeipa PR#593][comment] Add make devcheck for developers In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/593 Title: #593: Add make devcheck for developers stlaz commented: """ The changes to Makefile and configure.ac are just fine. I understand that changes in the `ipapython/session_storage.py` are done elsewhere so once that is pushed, we'll need a rebase. I don't see the explanation why we're disabling the test in `ipatests/test_ipapython/test_session_storage.py `, that might need a different commit? """ See the full comment at https://github.com/freeipa/freeipa/pull/593#issuecomment-290651108 From freeipa-github-notification at redhat.com Fri Mar 31 08:47:46 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 31 Mar 2017 10:47:46 +0200 Subject: [Freeipa-devel] [freeipa PR#593][comment] Add make devcheck for developers In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/593 Title: #593: Add make devcheck for developers tiran commented: """ ```test_session_storage``` is not a unit test or functional test. It is an integration test that depends on a valid Kerberos configuration and session. Do you prefer a separate PR? """ See the full comment at https://github.com/freeipa/freeipa/pull/593#issuecomment-290654739 From freeipa-github-notification at redhat.com Fri Mar 31 08:50:56 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 31 Mar 2017 10:50:56 +0200 Subject: [Freeipa-devel] [freeipa PR#593][comment] Add make devcheck for developers In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/593 Title: #593: Add make devcheck for developers stlaz commented: """ Whichever is ok with you, I don't mind if it's in the same PR if it is related to the same ticket. """ See the full comment at https://github.com/freeipa/freeipa/pull/593#issuecomment-290655653 From freeipa-github-notification at redhat.com Fri Mar 31 08:58:38 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 31 Mar 2017 10:58:38 +0200 Subject: [Freeipa-devel] [freeipa PR#593][synchronized] Add make devcheck for developers In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/593 Author: tiran Title: #593: Add make devcheck for developers Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/593/head:pr593 git checkout pr593 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-593.patch Type: text/x-diff Size: 5502 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 31 09:16:48 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 31 Mar 2017 11:16:48 +0200 Subject: [Freeipa-devel] [freeipa PR#593][comment] Add make devcheck for developers In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/593 Title: #593: Add make devcheck for developers tiran commented: """ I split the changes to session storage tests into a separate commit. The other commit is in #670 """ See the full comment at https://github.com/freeipa/freeipa/pull/593#issuecomment-290662222 From freeipa-github-notification at redhat.com Fri Mar 31 10:10:30 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 31 Mar 2017 12:10:30 +0200 Subject: [Freeipa-devel] [freeipa PR#593][comment] Add make devcheck for developers In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/593 Title: #593: Add make devcheck for developers stlaz commented: """ Thanks, ACK. """ See the full comment at https://github.com/freeipa/freeipa/pull/593#issuecomment-290673932 From freeipa-github-notification at redhat.com Fri Mar 31 10:10:34 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 31 Mar 2017 12:10:34 +0200 Subject: [Freeipa-devel] [freeipa PR#593][+ack] Add make devcheck for developers In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/593 Title: #593: Add make devcheck for developers Label: +ack From freeipa-github-notification at redhat.com Fri Mar 31 10:17:27 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 31 Mar 2017 12:17:27 +0200 Subject: [Freeipa-devel] [freeipa PR#678][+pushed] ipa-ca-install man page: Add domain level 1 help In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/678 Title: #678: ipa-ca-install man page: Add domain level 1 help Label: +pushed From freeipa-github-notification at redhat.com Fri Mar 31 10:17:30 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 31 Mar 2017 12:17:30 +0200 Subject: [Freeipa-devel] [freeipa PR#678][comment] ipa-ca-install man page: Add domain level 1 help In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/678 Title: #678: ipa-ca-install man page: Add domain level 1 help MartinBasti commented: """ master: * b96a942cdca09496be9f911499036bee60084aee ipa-ca-install man page: Add domain level 1 help ipa-4-4: * 1734e143582843ef1d397a4929687b1068bdf413 ipa-ca-install man page: Add domain level 1 help ipa-4-5: * 262723b1be894e5d75cccdd92da838f544a3b222 ipa-ca-install man page: Add domain level 1 help """ See the full comment at https://github.com/freeipa/freeipa/pull/678#issuecomment-290675303 From freeipa-github-notification at redhat.com Fri Mar 31 10:17:34 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 31 Mar 2017 12:17:34 +0200 Subject: [Freeipa-devel] [freeipa PR#678][closed] ipa-ca-install man page: Add domain level 1 help In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/678 Author: flo-renaud Title: #678: ipa-ca-install man page: Add domain level 1 help Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/678/head:pr678 git checkout pr678 From freeipa-github-notification at redhat.com Fri Mar 31 10:19:04 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 31 Mar 2017 12:19:04 +0200 Subject: [Freeipa-devel] [freeipa PR#670][+pushed] [Py3] session storage parameters must be bytes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/670 Title: #670: [Py3] session storage parameters must be bytes Label: +pushed From freeipa-github-notification at redhat.com Fri Mar 31 10:19:07 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 31 Mar 2017 12:19:07 +0200 Subject: [Freeipa-devel] [freeipa PR#670][comment] [Py3] session storage parameters must be bytes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/670 Title: #670: [Py3] session storage parameters must be bytes MartinBasti commented: """ master: * d06315de6b1e951d6cce7d7d6495a32b44216274 session storage parameters must be bytes """ See the full comment at https://github.com/freeipa/freeipa/pull/670#issuecomment-290675650 From freeipa-github-notification at redhat.com Fri Mar 31 10:19:10 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 31 Mar 2017 12:19:10 +0200 Subject: [Freeipa-devel] [freeipa PR#670][closed] [Py3] session storage parameters must be bytes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/670 Author: tiran Title: #670: [Py3] session storage parameters must be bytes Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/670/head:pr670 git checkout pr670 From freeipa-github-notification at redhat.com Fri Mar 31 10:20:02 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 31 Mar 2017 12:20:02 +0200 Subject: [Freeipa-devel] [freeipa PR#621][+pushed] Add --password-expiration to allow an admin to force a password change In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/621 Title: #621: Add --password-expiration to allow an admin to force a password change Label: +pushed From freeipa-github-notification at redhat.com Fri Mar 31 10:20:10 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 31 Mar 2017 12:20:10 +0200 Subject: [Freeipa-devel] [freeipa PR#621][comment] Add --password-expiration to allow an admin to force a password change In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/621 Title: #621: Add --password-expiration to allow an admin to force a password change MartinBasti commented: """ master: * 274b0bcf5ff2408739d94ba1b1b4bca69f310dfc Add --password-expiration to allow admin to force user password expiration """ See the full comment at https://github.com/freeipa/freeipa/pull/621#issuecomment-290675831 From freeipa-github-notification at redhat.com Fri Mar 31 10:20:13 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 31 Mar 2017 12:20:13 +0200 Subject: [Freeipa-devel] [freeipa PR#621][closed] Add --password-expiration to allow an admin to force a password change In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/621 Author: redhatrises Title: #621: Add --password-expiration to allow an admin to force a password change Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/621/head:pr621 git checkout pr621 From freeipa-github-notification at redhat.com Fri Mar 31 10:20:58 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 31 Mar 2017 12:20:58 +0200 Subject: [Freeipa-devel] [freeipa PR#490][comment] certdb: use certutil and match_hostname for cert verification In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/490 Title: #490: certdb: use certutil and match_hostname for cert verification MartinBasti commented: """ master: * 9183cf2a7505624235b255b1406702cdaa65bb38 certdb: use certutil and match_hostname for cert verification * 2b33230f669ca22d6948a4a351b4c92ba15222ab setup, pylint, spec file: drop python-nss dependency """ See the full comment at https://github.com/freeipa/freeipa/pull/490#issuecomment-290676024 From freeipa-github-notification at redhat.com Fri Mar 31 10:21:02 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 31 Mar 2017 12:21:02 +0200 Subject: [Freeipa-devel] [freeipa PR#490][+pushed] certdb: use certutil and match_hostname for cert verification In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/490 Title: #490: certdb: use certutil and match_hostname for cert verification Label: +pushed From freeipa-github-notification at redhat.com Fri Mar 31 10:21:03 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 31 Mar 2017 12:21:03 +0200 Subject: [Freeipa-devel] [freeipa PR#490][closed] certdb: use certutil and match_hostname for cert verification In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/490 Author: HonzaCholasta Title: #490: certdb: use certutil and match_hostname for cert verification Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/490/head:pr490 git checkout pr490 From freeipa-github-notification at redhat.com Fri Mar 31 10:31:31 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 31 Mar 2017 12:31:31 +0200 Subject: [Freeipa-devel] [freeipa PR#593][comment] Add make devcheck for developers In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/593 Title: #593: Add make devcheck for developers MartinBasti commented: """ @stlaz why is this ACKed when it depends on #670 ? """ See the full comment at https://github.com/freeipa/freeipa/pull/593#issuecomment-290678060 From freeipa-github-notification at redhat.com Fri Mar 31 10:33:18 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 31 Mar 2017 12:33:18 +0200 Subject: [Freeipa-devel] [freeipa PR#480][+pushed] Hide request_type doc string in cert-request help In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/480 Title: #480: Hide request_type doc string in cert-request help Label: +pushed From freeipa-github-notification at redhat.com Fri Mar 31 10:33:21 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 31 Mar 2017 12:33:21 +0200 Subject: [Freeipa-devel] [freeipa PR#480][comment] Hide request_type doc string in cert-request help In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/480 Title: #480: Hide request_type doc string in cert-request help MartinBasti commented: """ master: * a1bb442054936113369a88b49483e914664712e7 Hide request_type doc string in cert-request help ipa-4-5: * 535e8610c556ab1a0eb83e9798e7e182355d8396 Hide request_type doc string in cert-request help """ See the full comment at https://github.com/freeipa/freeipa/pull/480#issuecomment-290678419 From freeipa-github-notification at redhat.com Fri Mar 31 10:33:24 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 31 Mar 2017 12:33:24 +0200 Subject: [Freeipa-devel] [freeipa PR#480][closed] Hide request_type doc string in cert-request help In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/480 Author: Akasurde Title: #480: Hide request_type doc string in cert-request help Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/480/head:pr480 git checkout pr480 From freeipa-github-notification at redhat.com Fri Mar 31 10:33:43 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 31 Mar 2017 12:33:43 +0200 Subject: [Freeipa-devel] [freeipa PR#593][comment] Add make devcheck for developers In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/593 Title: #593: Add make devcheck for developers stlaz commented: """ @MartinBasti #670 was ACKed already and the commit was originally a part of this. """ See the full comment at https://github.com/freeipa/freeipa/pull/593#issuecomment-290678477 From freeipa-github-notification at redhat.com Fri Mar 31 10:35:56 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 31 Mar 2017 12:35:56 +0200 Subject: [Freeipa-devel] [freeipa PR#593][comment] Add make devcheck for developers In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/593 Title: #593: Add make devcheck for developers MartinBasti commented: """ Ah right the description hasn't been updated """ See the full comment at https://github.com/freeipa/freeipa/pull/593#issuecomment-290678887 From freeipa-github-notification at redhat.com Fri Mar 31 10:36:06 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 31 Mar 2017 12:36:06 +0200 Subject: [Freeipa-devel] [freeipa PR#593][edited] Add make devcheck for developers In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/593 Author: tiran Title: #593: Add make devcheck for developers Action: edited Changed field: body Original value: """
Ticket 6604 makes pylint and jsl optional dependencies. The change is controversial, because some developers prefer that pylint and jsl should be required unless explicitly disabled. `make patchcheck` is my answer to address the concerns. It's a superior solution to `make lint` as pre-commit check. It combines several additional checks under a single, easy rememberable and convenient make target:
* build all
* acilint, apiclient, jslint, polint
* make check
* pylint under Python 2 and 3
* subset of unit test suite

https://fedorahosted.org/freeipa/ticket/6604

Depends on
- [X] #475
- [X] #587
- [X] #594
- [x] #636
- [ ] #670
""" From freeipa-github-notification at redhat.com Fri Mar 31 10:37:14 2017
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 31 Mar 2017 12:37:14 +0200 Subject: [Freeipa-devel] [freeipa PR#593][comment] Add make devcheck for developers In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/593 Title: #593: Add make devcheck for developers MartinBasti commented: """ Needs rebase """ See the full comment at https://github.com/freeipa/freeipa/pull/593#issuecomment-290679169 From freeipa-github-notification at redhat.com Fri Mar 31 10:38:53 2017 From: freeipa-github-notification at redhat.com (Akasurde) Date: Fri, 31 Mar 2017 12:38:53 +0200 Subject: [Freeipa-devel] [freeipa PR#480][comment] Hide request_type doc string in cert-request help In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/480 Title: #480: Hide request_type doc string in cert-request help Akasurde commented: """ @MartinBasti @frasertweedale @HonzaCholasta Thanks """ See the full comment at https://github.com/freeipa/freeipa/pull/480#issuecomment-290679480 From freeipa-github-notification at redhat.com Fri Mar 31 10:43:39 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 31 Mar 2017 12:43:39 +0200 Subject: [Freeipa-devel] [freeipa PR#480][comment] Hide request_type doc string in cert-request help In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/480 Title: #480: Hide request_type doc string in cert-request help MartinBasti commented: """ @Akasurde you are welcome """ See the full comment at https://github.com/freeipa/freeipa/pull/480#issuecomment-290680413 From freeipa-github-notification at redhat.com Fri Mar 31 10:45:18 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 31 Mar 2017 12:45:18 +0200 Subject: [Freeipa-devel] [freeipa PR#593][synchronized] Add make devcheck for developers In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/593 Author: tiran Title: #593: Add make devcheck for developers Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/593/head:pr593 git checkout pr593 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-593.patch Type: text/x-diff Size: 4915 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 31 10:53:03 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 31 Mar 2017 12:53:03 +0200 Subject: [Freeipa-devel] [freeipa PR#397][comment] Improve wheel building and provide ipaserver wheel for local testing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/397 Title: #397: Improve wheel building and provide ipaserver wheel for local testing MartinBasti commented: """ Build failed:
```
make wheel_bundle IPA_SERVER_WHEELS=1
...
checking for DBUS... no
configure: error: Package requirements (dbus-1 >= 1.6) were not met:
No package 'dbus-1' found
Consider adjusting the PKG_CONFIG_PATH environment variable if you installed software in a non-standard prefix.
Alternatively, you may set the environment variables DBUS_CFLAGS and DBUS_LIBS to avoid the need to call pkg-config.
See the pkg-config man page for more details.
Traceback (most recent call last):
  File "", line 1, in
  File "/tmp/pip-build-l97uxR/dbus-python/setup.py", line 106, in
    'build_ext': BuildExt,
  File "/usr/lib64/python2.7/distutils/core.py", line 151, in setup
    dist.run_commands()
  File "/usr/lib64/python2.7/distutils/dist.py", line 953, in run_commands
    self.run_command(cmd)
  File "/usr/lib64/python2.7/distutils/dist.py", line 972, in run_command
    cmd_obj.run()
  File "/usr/lib/python2.7/site-packages/wheel/bdist_wheel.py", line 199, in run
    self.run_command('build')
  File "/usr/lib64/python2.7/distutils/cmd.py", line 326, in run_command
    self.distribution.run_command(command)
  File "/usr/lib64/python2.7/distutils/dist.py", line 972, in run_command
    cmd_obj.run()
  File "/tmp/pip-build-l97uxR/dbus-python/setup.py", line 62, in run
    cwd=builddir)
  File "/usr/lib64/python2.7/subprocess.py", line 186, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['/tmp/pip-build-l97uxR/dbus-python/configure', '--disable-maintainer-mode', 'PYTHON=/usr/bin/python', '--prefix=/tmp/pip-build-l97uxR/dbus-python/build/temp.linux-x86_64-2.7/prefix']' returned non-zero exit status 1
----------------------------------------
Failed building wheel for dbus-python
Running setup.py clean for dbus-python
Running setup.py bdist_wheel for MarkupSafe ... done
Stored in directory: /tmp/freeipa/dist/bundle
Running setup.py bdist_wheel for pycparser ... done
Stored in directory: /tmp/freeipa/dist/bundle
Running setup.py bdist_wheel for configparser ... done
Stored in directory: /tmp/freeipa/dist/bundle
Successfully built cryptography python-yubico pyusb python-nss pyldap netifaces gssapi MarkupSafe pycparser configparser
Failed to build dbus-python
ERROR: Failed to build one or more wheels
Makefile:1222: recipe for target 'wheel_bundle' failed
```
""" See the full comment at https://github.com/freeipa/freeipa/pull/397#issuecomment-290682068 From freeipa-github-notification at redhat.com Fri Mar 31 11:34:59 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 31 Mar 2017 13:34:59 +0200 Subject: [Freeipa-devel] [freeipa PR#397][comment] Improve wheel building and provide ipaserver wheel for local testing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/397 Title: #397: Improve wheel building and provide ipaserver wheel for local testing tiran commented: """ You need dbus-devel package. I opened https://pagure.io/freeipa/issue/6842 to track lack of documentation. """ See the full comment at https://github.com/freeipa/freeipa/pull/397#issuecomment-290689299 From freeipa-github-notification at redhat.com Fri Mar 31 11:47:30 2017
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 31 Mar 2017 13:47:30 +0200 Subject: [Freeipa-devel] [freeipa PR#397][comment] Improve wheel building and provide ipaserver wheel for local testing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/397 Title: #397: Improve wheel building and provide ipaserver wheel for local testing MartinBasti commented: """ So put it into specfile to `with_wheels` section """ See the full comment at https://github.com/freeipa/freeipa/pull/397#issuecomment-290691425 From freeipa-github-notification at redhat.com Fri Mar 31 11:48:00 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 31 Mar 2017 13:48:00 +0200 Subject: [Freeipa-devel] [freeipa PR#397][comment] Improve wheel building and provide ipaserver wheel for local testing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/397 Title: #397: Improve wheel building and provide ipaserver wheel for local testing MartinBasti commented: """ And document in `BUILD.txt` how to build wheels """ See the full comment at https://github.com/freeipa/freeipa/pull/397#issuecomment-290691545 From freeipa-github-notification at redhat.com Fri Mar 31 11:49:21 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 31 Mar 2017 13:49:21 +0200 Subject: [Freeipa-devel] [freeipa PR#593][comment] Add make devcheck for developers In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/593 Title: #593: Add make devcheck for developers MartinBasti commented: """ master: * e357133fd7b276ccabfe1896ee948f2bb3541d94 Add make devcheck for developers * 6c092c24b2bfbba0a3f263d88f7a0dbf83f24869 Skip test_session_storage in ipaclient unittest mode ipa-4-5: * 89ab24f1fbb58feb603d60503c685ebad41a4237 Add make devcheck for developers * c80adf6e0d16f807f90479660af22540cd92d774 Skip test_session_storage in ipaclient unittest mode """ See the full comment at https://github.com/freeipa/freeipa/pull/593#issuecomment-290691783 From freeipa-github-notification at redhat.com Fri Mar 31 11:49:24 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 31 Mar 2017 13:49:24 +0200 Subject: [Freeipa-devel] [freeipa PR#593][+pushed] Add make devcheck for developers In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/593 Title: #593: Add make devcheck for developers Label: +pushed From freeipa-github-notification at redhat.com Fri Mar 31 11:49:27 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 31 Mar 2017 13:49:27 +0200 Subject: [Freeipa-devel] [freeipa PR#593][closed] Add make devcheck for developers In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/593 Author: tiran Title: #593: Add make devcheck for developers Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/593/head:pr593 git checkout pr593 From freeipa-github-notification at redhat.com Fri Mar 31 12:16:59 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 31 Mar 2017 14:16:59 +0200 Subject: [Freeipa-devel] [freeipa PR#675][synchronized] [WIP] Fix PKCS11 helper In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/675 Author: MartinBasti Title: #675: [WIP] Fix PKCS11 helper Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/675/head:pr675 git checkout pr675 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-675.patch Type: text/x-diff Size: 9709 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 31 13:28:06 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 31 Mar 2017 15:28:06 +0200 Subject: [Freeipa-devel] [freeipa PR#397][synchronized] Improve wheel building and provide ipaserver wheel for local testing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/397 Author: tiran Title: #397: Improve wheel building and provide ipaserver wheel for local testing Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/397/head:pr397 git checkout pr397 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-397.patch Type: text/x-diff Size: 17783 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 31 14:29:17 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 31 Mar 2017 16:29:17 +0200 Subject: [Freeipa-devel] [freeipa PR#397][comment] Improve wheel building and provide ipaserver wheel for local testing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/397 Title: #397: Improve wheel building and provide ipaserver wheel for local testing tiran commented: """ @MartinBasti ```dbus-devel``` is in the ```with_wheels``` section. Documentation is part of https://pagure.io/freeipa/issue/6842 . """ See the full comment at https://github.com/freeipa/freeipa/pull/397#issuecomment-290727605 From freeipa-github-notification at redhat.com Fri Mar 31 15:02:20 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 31 Mar 2017 17:02:20 +0200 Subject: [Freeipa-devel] [freeipa PR#618][synchronized] [WIP] Tox testing support for client wheel packages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/618 Author: tiran Title: #618: [WIP] Tox testing support for client wheel packages Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/618/head:pr618 git checkout pr618 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-618.patch Type: text/x-diff Size: 6898 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 31 16:23:57 2017 
From: freeipa-github-notification at redhat.com (simo5) Date: Fri, 31 Mar 2017 18:23:57 +0200 Subject: [Freeipa-devel] [freeipa PR#679][opened] Make sure remote hosts have our keys Message-ID: URL: https://github.com/freeipa/freeipa/pull/679 Author: simo5 Title: #679: Make sure remote hosts have our keys Action: opened PR body: """ In complex replication setups a replica may try to obtain CA keys from a host that is not the master we initially create the keys against. In this case race conditions may happen due to replication. So we need to make sure the server we are contacting to get the CA keys has our keys in LDAP. We do this by waiting to positively fetch our encryption public key (the last one we create) from the target host LDAP server. Fixes: https://pagure.io/freeipa/issue/6688 Signed-off-by: Simo Sorce """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/679/head:pr679 git checkout pr679 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-679.patch Type: text/x-diff Size: 3230 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 31 16:28:41 2017 From: freeipa-github-notification at redhat.com (simo5) Date: Fri, 31 Mar 2017 18:28:41 +0200 Subject: [Freeipa-devel] [freeipa PR#679][synchronized] Make sure remote hosts have our keys In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/679 Author: simo5 Title: #679: Make sure remote hosts have our keys Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/679/head:pr679 git checkout pr679 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-679.patch Type: text/x-diff Size: 3303 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 31 16:30:12 2017 
From: freeipa-github-notification at redhat.com (simo5) Date: Fri, 31 Mar 2017 18:30:12 +0200 Subject: [Freeipa-devel] [freeipa PR#679][synchronized] Make sure remote hosts have our keys In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/679 Author: simo5 Title: #679: Make sure remote hosts have our keys Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/679/head:pr679 git checkout pr679 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-679.patch Type: text/x-diff Size: 3365 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Mar 31 16:30:58 2017 From: freeipa-github-notification at redhat.com (simo5) Date: Fri, 31 Mar 2017 18:30:58 +0200 Subject: [Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/679 Title: #679: Make sure remote hosts have our keys simo5 commented: """ I haven't tested this yet ... but what could possibly go wrong? :-) """ See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-290762100 From freeipa-github-notification at redhat.com Fri Mar 31 23:23:30 2017
From: freeipa-github-notification at redhat.com (tjaalton) Date: Sat, 01 Apr 2017 01:23:30 +0200 Subject: [Freeipa-devel] [freeipa PR#680][opened] ipa-otpd.socket.in: Use a platform specific value for KDC service file Message-ID: URL: https://github.com/freeipa/freeipa/pull/680 Author: tjaalton Title: #680: ipa-otpd.socket.in: Use a platform specific value for KDC service file Action: opened PR body: """ https://pagure.io/freeipa/issue/6845 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/680/head:pr680 git checkout pr680 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-680.patch Type: text/x-diff Size: 2235 bytes Desc: not available URL: