URL: https://github.com/freeipa/freeipa/pull/1179
Author: abbra
Title: #1179: adtrust: filter out subdomains when defining our topology to AD
Action: opened
PR body:
"""
When defining a topology of a forest to be visible over a cross-forest
trust, we set *.<forest name> as all-catch top level name already.
This means that all DNS subdomains of the forest will already be matched
by this TLN. If we add more TLNs for subdomains, Active Directory will
respond with NT_STATUS_INVALID_PARAMETER.
Filter out all subdomains of the forest root domain. All other realm
domains will be added with explicit TLN records.
Fixes https://pagure.io/freeipa/issue/6666
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1179/head:pr1179
git checkout pr1179
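
The filtering rule described in the PR body above, as an added example; it is not code from the PR or from FreeIPA. The function names and the sample domains are hypothetical, and treating the forest root itself as already covered by the catch-all TLN is an assumption.

```python
def _norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def is_subdomain(name, parent):
    """True only when name is strictly below parent on a label boundary."""
    name, parent = _norm(name), _norm(parent)
    # The leading dot keeps "notipa.example" from matching "ipa.example".
    return name != parent and name.endswith("." + parent)


def explicit_tln_domains(forest_root, realm_domains):
    """Return the realm domains that still need an explicit TLN record.

    Subdomains of the forest root are already matched by the catch-all
    *.<forest name> TLN, so they are dropped. Assumption: the forest root
    itself is also treated as covered and is dropped too.
    """
    root = _norm(forest_root)
    seen = set()
    result = []
    for domain in realm_domains:
        d = _norm(domain)
        if not d or d in seen:
            continue  # skip empty entries and case/dot duplicates
        seen.add(d)
        if d == root or is_subdomain(d, root):
            continue  # covered by the forest-wide TLN
        result.append(d)  # any other realm domain gets its own TLN
    return result


# Constructed sample data, not taken from a real deployment.
SAMPLE_ROOT = "ipa.example."
SAMPLE_REALM_DOMAINS = [
    "ipa.example", "Dev.IPA.Example", "a.b.ipa.example.",
    "notipa.example", "ipa.example.org", "lab.test", "LAB.test.",
]

if __name__ == "__main__":
    print(explicit_tln_domains(SAMPLE_ROOT, SAMPLE_REALM_DOMAINS))
```
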
URL: https://github.com/freeipa/freeipa/pull/1290
Author: Rezney
Title: #1290: [Backport][ipa-4-6] test_caless: fix fix http.p12 is not valid and provide domain_level for replica tests
Action: opened
PR body:
"""
This PR was opened automatically because PR #1266 was pushed to master and backport to ipa-4-6 is required.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1290/head:pr1290
git checkout pr1290
Hello all,
I would like to start a discussion regarding the migration of current
FreeIPA services that are running on OpenShift v2 that was obsoleted [1]
and will soon go EOL (the ultimate cut-off date is Dec 31, 2017).
After a short discussion I had with several FreeIPA developers, the
preference remained with keeping this application on OpenShift (v3
generation), as it will let us easily maintain it on a PaaS, without
having to care about maintaining our own infra. It will be also easy to
delegate maintenance powers to more people.
Given the above, I have now set up a Pro account with OpenShift v3 and
migrated the base FreeIPA wiki as an application there, with today's
snapshot of data and images. When the POC deployment is ready and
approved on this list, I can switch the current wiki to readonly and
request change of "www.freeipa.org" DNS records to get it to production.
The POC wiki is running in [2], with OpenShift application sources being
stored in a public git repo [3]. Eventually, the OpenShift could be
configured to rebuild the wiki after a git push to [3], to enable easy
changes to the wiki for its maintainers. Let me know if there are any
concerns about having the wiki sources public. The secrets and keys are
of course not in the repo, but configured via OpenShift environment
variable.
The POC now runs pretty well, the only issue I found so far is linking
the wiki user authentication with Fedora auth. The problem is that the
current OpenID plugin [4] is deprecated and does not run with modern PHP
version and I could not get the new OpenID Connect one [5] to work
reliably with our wiki and Fedora OIDC service. I either received
authentication errors or later problems with linking the authenticated
user to current account. So for now I gave up and enabled simple
password auth by password again.
Feedback welcome!
Thanks,
Martin
[1] https://blog.openshift.com/migrate-to-v3-v2-eol/
[2] https://freeipa-org-wiki-freeipa.b9ad.pro-us-east-1.openshiftapps.com
[3] https://github.com/freeipa/freeipa-wiki
[4] https://www.mediawiki.org/wiki/Extension:OpenID
[5] https://www.mediawiki.org/wiki/Extension:OpenID_Connect
--
Martin Kosek <mkosek(a)redhat.com>
Manager, Software Engineering - Identity Management Team
Red Hat, Inc.