August 2019 - FreeIPA-devel - Fedora mailing-lists

[freeipa PR#3275][opened] Issue 7975 - Accept 389-ds JSON replication status messages
by marcus2376 01 Dec '20

01 Dec '20

URL: https://github.com/freeipa/freeipa/pull/3275 Author: marcus2376 Title: #3275: Issue 7975 - Accept 389-ds JSON replication status messages Action: opened PR body: """ Description: 389-ds now stores a replication agreement status message in a JSON string in a new attribute: replicaLastInitStatusJSON replicaLastUpdateStatusJSON The original status attributes' values are not changing at this time, but there are plans to do so eventually as the old status format is confusing. http://www.port389.org/docs/389ds/design/repl-agmt-status-design.html https://pagure.io/freeipa/issue/7975 Reviewed by: ? """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3275/head:pr3275 git checkout pr3275

3 2

[freeipa PR#3544][opened] [WIP] ipa-join: allowing call with jsonrpc into freeipa API
by mulatinho 09 Jul '20

09 Jul '20

URL: https://github.com/freeipa/freeipa/pull/3544 Author: mulatinho Title: #3544: [WIP] ipa-join: allowing call with jsonrpc into freeipa API Action: opened PR body: """ - Adding JSON-C and LibCURL library into configure.ac and Makefile.am - Creating a API call with option '-j' or '--jsonrpc' to make host join on FreeIPA with JSONRPC and libCURL. TODO: unenroll process with JSONRPC. To test the call: # kinit admin # ipa-join -s server.freeipa.ipadomain -j Debug: # ipa-join -s server.freeipa.ipadomain -j -d Related: https://pagure.io/freeipa/issue/7966 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3544/head:pr3544 git checkout pr3544

2 1

[freeipa PR#3487][opened] Allow rename of a host group
by abbra 31 Mar '20

31 Mar '20

URL: https://github.com/freeipa/freeipa/pull/3487 Author: abbra Title: #3487: Allow rename of a host group Action: opened PR body: """ Fixes: https://pagure.io/freeipa/issue/6783 Signed-off-by: Alexander Bokovoy <abokovoy(a)redhat.com> """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3487/head:pr3487 git checkout pr3487

1 1

[freeipa PR#2106][opened] ipa-pwd-extop: don't check password policy for non-Kerberos account set by DM or a passsync manager
by abbra 23 Mar '20

23 Mar '20

URL: https://github.com/freeipa/freeipa/pull/2106 Author: abbra Title: #2106: ipa-pwd-extop: don't check password policy for non-Kerberos account set by DM or a passsync manager Action: opened PR body: """ Password changes performed by cn=Directory Manager are excluded from password policy checks according to [1]. This is correctly handled by ipa-pwd-extop in case of a normal Kerberos principal in IPA. However, non-kerberos accounts were not excluded from the check. As result, password updates for PKI CA admin account in o=ipaca were failing if a password policy does not allow a password reuse. We are re-setting the password for PKI CA admin in ipa-replica-prepare in case the original directory manager's password was updated since creation of `cacert.p12`. Do password policy check for non-Kerberos accounts only if it was set by a regular user or admin. Changes performed by a cn=Directory Manager and passsync managers should be excluded from the policy check. Fixes: https://pagure.io/freeipa/issue/7181 Signed-off-by: Alexander Bokovoy <abokovoy(a)redhat.com> [1] https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/h… """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/2106/head:pr2106 git checkout pr2106

2 1

[freeipa PR#3509][opened] [Backport][ipa-4-7] Profile-based system cert renewal
by frasertweedale 27 Feb '20

27 Feb '20

URL: https://github.com/freeipa/freeipa/pull/3509 Author: frasertweedale Title: #3509: [Backport][ipa-4-7] Profile-based system cert renewal Action: opened PR body: """ Manual backport of #3316 to ipa-4-7. We may need to backport this change all the way to ipa-4-6 to allow us to change the IPA RA certificate profile on older releases. See also https://github.com/freeipa/freeipa/pull/3508 which is the ipa-4-7 backport PR. There were some trivial conflicts. There were substantive conflicts for two patches, but these were due to the switch from mod_nss to mod_ssl, and from NSSDB-based IPA RA cert to PEM files. Those patches were not relevant, and were dropped. https://pagure.io/freeipa/issue/7991 Do not rely on CI only; I will have to test this change myself so I'll add WIP label, and remove it when I'm satisfied. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3509/head:pr3509 git checkout pr3509

1 1

[freeipa PR#3508][opened] [Backport][ipa-4-7] Profile-based system cert renewal
by frasertweedale 27 Feb '20

27 Feb '20

URL: https://github.com/freeipa/freeipa/pull/3508 Author: frasertweedale Title: #3508: [Backport][ipa-4-7] Profile-based system cert renewal Action: opened PR body: """ Manual backport of https://github.com/freeipa/freeipa/pull/3316 to ipa-4-7. We may need to backport this change all the way to ipa-4-6 to allow us to change the IPA RA certificate profile on older releases. Currently this change is on master and ipa-4-8, so ipa-4-7 is the next step. There were some trivial conflicts. The only substantive conflicts were in `dogtaginstance.py`. These were resolved by cherry-picking 8686cd3b4b69f725aee05c9cdd3034d7436055d3 ahead of the original patchset. https://pagure.io/freeipa/issue/7991 Do not rely on CI only; I will have to test this change myself so I'll add WIP label, and remove it when I'm satisfied. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3508/head:pr3508 git checkout pr3508

1 1

[freeipa PR#3349][opened] ipatests: filter_users should be applied correctly if SSSD starts offline
by amore17 17 Dec '19

17 Dec '19

URL: https://github.com/freeipa/freeipa/pull/3349 Author: amore17 Title: #3349: ipatests: filter_users should be applied correctly if SSSD starts offline Action: opened PR body: """ Added tests which validates that filter_users is applied correctly when SSSD starts in offline mode, which checks that no look up should be in data provider and NCE/USER/ipa_domain/user should be added to negative cache. Related Tickets: https://pagure.io/SSSD/sssd/issue/3983 https://pagure.io/SSSD/sssd/issue/3978 Signed-off-by: Anuja More <amore(a)redhat.com> """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3349/head:pr3349 git checkout pr3349

2 1

[freeipa PR#3491][opened] temp test - ignore
by fcami 14 Dec '19

14 Dec '19

URL: https://github.com/freeipa/freeipa/pull/3491 Author: fcami Title: #3491: temp test - ignore Action: opened PR body: """ """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3491/head:pr3491 git checkout pr3491

1 1

[freeipa PR#3183][opened] Require a SASL SSF of >= 56 on client side
by tiran 26 Nov '19

26 Nov '19

URL: https://github.com/freeipa/freeipa/pull/3183 Author: tiran Title: #3183: Require a SASL SSF of >= 56 on client side Action: opened PR body: """ SSF_MINX 56 level ensures data integrity and confidentiality for SASL GSSAPI and SASL GSS SPNEGO connections. Although at least AES128 is enforced pretty much everywhere, 56 is required. The origianl commit 350954589774499d99bf87cb5631c664bb0707c4 added minimum SSF on LDAP client and LDAP server. Some LDAP consumers like realmd are not compatible with strong SSF yet. Related: https://pagure.io/freeipa/issue/7140 Related: https://pagure.io/freeipa/issue/4580 Signed-off-by: Christian Heimes <cheimes(a)redhat.com> """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3183/head:pr3183 git checkout pr3183

1 1

[freeipa PR#2812][opened] Require secure-binds for password login
by tiran 26 Nov '19

26 Nov '19

URL: https://github.com/freeipa/freeipa/pull/2812 Author: tiran Title: #2812: Require secure-binds for password login Action: opened PR body: """ nsslapd-require-secure-binds restricts password based simple binds to secure connections. It does not prevent a careless user from transmitting a password in plain text. But it makes it obvious that he did something bad. Password based bind attempts over an insecure connections are refused with: Confidentiality required: Operation requires a secure connection Secure connections are: * LDAP connections on port 389 with STARTTLS * LDAPS connections in port 636 * LDAPI connections to a local Unix sockets Anonymous bind (simple_bind with empty DN and password) and GSSAPI bind operations are not affected. nsslapd-require-secure-binds is enabled after 389-DS is configured for TLS/SSL. Signed-off-by: Christian Heimes <cheimes(a)redhat.com> **NOTE** The change may cause compatibility issues with applications that don't perform secure binds. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/2812/head:pr2812 git checkout pr2812

1 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-devel August 2019