August 2020 - FreeIPA-devel - Fedora Mailing-Lists

[freeipa PR#4909][opened] Add unauthenticated nsupdate

by fcami

URL: https://github.com/freeipa/freeipa/pull/4909 Author: fcami Title: #4909: Add unauthenticated nsupdate Action: opened PR body: """ ipa-client-install: update sssd.conf if nsupdate requires -g If dynamic DNS updates are selected, sssd will use GSS-TSIG by default for nsupdate. When ipa-client-install notices that plain nsupdate is required, switch sssd to use no authentication for dynamic updates too. Fixes: https://pagure.io/freeipa/issue/8402 + ipa-client-install: invoke nsupdate twice (GSS-TSIG, plain) ipa-client-install invokes nsupdate with GSS-TSIG at client enrollment time. If that fails, no retry is done. Change that behavior to try again without GSS-TSIG. Fixes: https://pagure.io/freeipa/issue/8402 #### This is purely WIP: - it needs a proper test - there are more nsupdate calls that should be adapted. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/4909/head:pr4909 git checkout pr4909

2 years, 5 months

2
1
0 / 0

[freeipa PR#4923][opened] Add support for app passwords

by RichardKalinec

URL: https://github.com/freeipa/freeipa/pull/4923 Author: RichardKalinec Title: #4923: Add support for app passwords Action: opened PR body: """ Users will be able to have additional passwords besides the primary one - app passwords. They will be usable for accessing all systems and services that his/her FreeIPA account is used for, but not to manage the account (including configuring the app passwords). Resolves: https://pagure.io/freeipa/issue/4510 Design page and its discussion: https://github.com/freeipa/freeipa/pull/4061 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/4923/head:pr4923 git checkout pr4923

2 years, 9 months

2
1
0 / 0

[freeipa PR#4061][opened] doc/designs: Add a design page for application-specific passwords

by RichardKalinec

URL: https://github.com/freeipa/freeipa/pull/4061 Author: RichardKalinec Title: #4061: doc/designs: Add a design page for application-specific passwords Action: opened PR body: """ This design page describes a new enhancement: application-specific passwords and permissions management for them. Users will be able to have additional passwords besides the primary one, and set permissions for them specifying what systems and services will each application-specific password have access to. Application-specific passwords will also be usable with other authentication mechanisms incorporating passwords, namely otp, radius and hardened. They will also be supported by ipa-kdb for Kerberos authentication. https://pagure.io/freeipa/issue/4510 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/4061/head:pr4061 git checkout pr4061

2 years, 9 months

2
1
0 / 0

[freeipa PR#5071][opened] 389-DS BDB: switch deadlock behavior to DB_LOCK_MINWRITE

by fcami

URL: https://github.com/freeipa/freeipa/pull/5071 Author: fcami Title: #5071: 389-DS BDB: switch deadlock behavior to DB_LOCK_MINWRITE Action: opened PR body: """ Some IPA updates are expensive in term of processing and #page hit. The likelihood to generate a DS Berkeley DB database deadlock can be high for some common operations. When a deadlock is detected one deadlocking thread needs to be rejected to let the other(s) complete. DB_LOCK_YOUNGEST (9) is the DS default: it means the most recent operation fails in favor to the oldest one. DB_LOCK_MINWRITE (6) means the reader(s) are rejected in favor of the writers even if the reader(s) are older. Switch the default for FreeIPA to DB_LOCK_MINWRITE for new installs and also existing installs at update time. This depends on the backend redesign (https://pagure.io/389-ds-base/issue/49476) and therefore is valid on 389-DS 1.4.2.3 and higher. Explanation provided by Thierry Bordaz. Fixes: https://pagure.io/freeipa/issue/8479 Signed-off-by: François Cami <fcami(a)redhat.com> """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5071/head:pr5071 git checkout pr5071

2 years, 9 months

2
1
0 / 0

[freeipa PR#3275][opened] Issue 7975 - Accept 389-ds JSON replication status messages

by marcus2376

URL: https://github.com/freeipa/freeipa/pull/3275 Author: marcus2376 Title: #3275: Issue 7975 - Accept 389-ds JSON replication status messages Action: opened PR body: """ Description: 389-ds now stores a replication agreement status message in a JSON string in a new attribute: replicaLastInitStatusJSON replicaLastUpdateStatusJSON The original status attributes' values are not changing at this time, but there are plans to do so eventually as the old status format is confusing. http://www.port389.org/docs/389ds/design/repl-agmt-status-design.html https://pagure.io/freeipa/issue/7975 Reviewed by: ? """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3275/head:pr3275 git checkout pr3275

3 years

3
2
0 / 0

[freeipa PR#5055][opened] Add krbtpolicy for jittered lifetime

by rebeccc

URL: https://github.com/freeipa/freeipa/pull/5055 Author: rebeccc Title: #5055: Add krbtpolicy for jittered lifetime Action: opened PR body: """ Continuation of #5029 This KDC extension will create a jittered lifetime for services with a lifetime greater than 60 minutes. The lifetime will be set to a random number between max_life - 60 minutes and max_life. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5055/head:pr5055 git checkout pr5055

3 years, 1 month

2
1
0 / 0

[freeipa PR#5039][opened] Add dependency on pki-acme

by cipherboy

URL: https://github.com/freeipa/freeipa/pull/5039 Author: cipherboy Title: #5039: Add dependency on pki-acme Action: opened PR body: """ With the merging of #4723, pki-acme should be added as a dependency of IPA. Note that this is only necessary on PKI >= 10.10 and shouldn't be backported to RHEL 8.3 as the subpackage doesn't exist there. Related: https://github.com/dogtagpki/pki/pull/513 `Signed-off-by: Alexander Scheel <ascheel(a)redhat.com>` """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5039/head:pr5039 git checkout pr5039

3 years, 2 months

2
1
0 / 0

[freeipa PR#5067][opened] Require at least 2Gb of available RAM to install the server

by rcritten

URL: https://github.com/freeipa/freeipa/pull/5067 Author: rcritten Title: #5067: Require at least 2Gb of available RAM to install the server Action: opened PR body: """ Require at least 2Gb of available RAM to install the server Verify that there is at least 2Gb of usable RAM on the system. Swap is not considered. While swap would allow a user to minimally install IPA it would not be a great experience. Using any proc-based method to check for available RAM does not work in containers unless /proc is re-mounted so use cgroups instead. This also handles the case if the container has memory constraints on it (-m). Add a switch to skip this memory test if the user is sure they know what they are doing. https://pagure.io/freeipa/issue/8404 NOTE: I'm not aware of a pythonic "is this in a contaner" so I rolled my own. IPA is actually installable, with a CA in < 2GB of RAM but things are very tight and the end result isn't all that useful. 2GB should be considered the absolute minimum. This is not including swap. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5067/head:pr5067 git checkout pr5067

3 years, 2 months

2
1
0 / 0

[freeipa PR#5070][opened] DNSResolver: Make use of `resolve_address` of a current resolver instead of the global one

by stanislavlevin

URL: https://github.com/freeipa/freeipa/pull/5070 Author: stanislavlevin Title: #5070: DNSResolver: Make use of `resolve_address` of a current resolver instead of the global one Action: opened PR body: """ For now, `resolve_address` for `dnspython` < 2.0.0 is actually the instance method of the global DNSResolver object and is not the instance method of the corresponding object from which it was called. This can result in unexpected behavior. Signed-off-by: Stanislav Levin <slev(a)altlinux.org> """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5070/head:pr5070 git checkout pr5070

3 years, 3 months

3
3
0 / 0

[freeipa PR#5069][opened] [Backport][ipa-4-8] [Azure] Add rawhide definitions

by stanislavlevin

URL: https://github.com/freeipa/freeipa/pull/5069 Author: stanislavlevin Title: #5069: [Backport][ipa-4-8] [Azure] Add rawhide definitions Action: opened PR body: """ This PR was opened manually because PR #5047 was pushed to master and backport to `ipa-4-8` is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5069/head:pr5069 git checkout pr5069

3 years, 3 months

2
1
0 / 0

2023

2022

2021

2020

2019

2018

2017

FreeIPA-devel August 2020