freeipa.git/install/updates, branch views FreeIPA project idviews: Update the referential plugin config to watch for ipaAssignedIDView 2014-09-22T10:00:13+00:00 Tomas Babej tbabej@redhat.com 2014-09-17T12:13:16+00:00 aedefaae4fe2c76cd6353189e5e265644b528b59 We need the referential plugin config to watch for changes in the ID view objects, since hosts refer to them in ipaAssignedIDView attribute. Part of: https://fedorahosted.org/freeipa/ticket/3979 
We need the referential plugin config to watch for changes in the ID view
objects, since hosts refer to them in ipaAssignedIDView attribute.

Part of: https://fedorahosted.org/freeipa/ticket/3979
idviews: Create container for ID views under cn=accounts 2014-09-17T12:41:50+00:00 Tomas Babej tbabej@redhat.com 2014-07-31T09:52:04+00:00 6200b8786fc4db9623aaefe728b768d119767096 Part of: https://fedorahosted.org/freeipa/ticket/3979 
Part of: https://fedorahosted.org/freeipa/ticket/3979
Update referential integrity config for DS 1.3.3 2014-09-12T15:42:08+00:00 Petr Viktorin pviktori@redhat.com 2014-09-12T15:14:14+00:00 d61fb40542abb0aa66c49d987813099fda356adf Hisorically DS provided defaults for the referential integrity plugin in nsslapd-pluginArg*: nsslapd-pluginarg3: member nsslapd-pluginarg4: uniquemember nsslapd-pluginarg5: owner nsslapd-pluginarg6: seeAlso In 389-ds 1.3.3, the multi-valued referint-membership-attr is used instead. The old way still works, but it requires that the values are numbered consecutively, so IPA's defaults that started with 7 were not taken into account. Convert IPA defaults to use referint-membership-attr. https://fedorahosted.org/freeipa/ticket/4537 Reviewed-By: Martin Kosek <mkosek@redhat.com> 
Hisorically DS provided defaults for the referential
integrity plugin in nsslapd-pluginArg*:

    nsslapd-pluginarg3: member
    nsslapd-pluginarg4: uniquemember
    nsslapd-pluginarg5: owner
    nsslapd-pluginarg6: seeAlso

In 389-ds 1.3.3, the multi-valued referint-membership-attr
is used instead.

The old way still works, but it requires that the values
are numbered consecutively, so IPA's defaults that started
with 7 were not taken into account.

Convert IPA defaults to use referint-membership-attr.

https://fedorahosted.org/freeipa/ticket/4537

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Update SSL ciphers configured in 389-ds-base 2014-09-12T14:42:09+00:00 Ludwig Krispenz lkrispen@redhat.com 2014-09-12T10:43:31+00:00 ab196220fdd886fc2b1998eeee0f8e9a4b384845 use configuration parameters to enable ciphers provided by NSS and not considered weak. This requires 389-ds version 1.3.3.2 or later https://fedorahosted.org/freeipa/ticket/4395 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com> 
use configuration parameters to enable ciphers provided by NSS
and not considered weak.
This requires 389-ds version 1.3.3.2 or later

https://fedorahosted.org/freeipa/ticket/4395

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
User Life Cycle: DNA scopes full SUFFIX 2014-09-01T06:16:44+00:00 Thierry bordaz (tbordaz) tbordaz@redhat.com 2014-08-29T13:35:43+00:00 7fc4f60c2f9a901885665f88c2dee1724bd8591e In patch 0001-3, the DNA plugins configuration was changed to scope only 'cn=accounts,SUFFIX' This part of the fix was invalid as trust domain object (that need uid/gid allocation) are under 'cn=trust,SUFFIX'. Revert that part of the fix. Waiting on https://fedorahosted.org/389/ticket/47828, to exclude provisioning contains https://fedorahosted.org/freeipa/ticket/3813 Reviewed-By: Martin Kosek <mkosek@redhat.com> 
In patch 0001-3, the DNA plugins configuration was changed to scope only 'cn=accounts,SUFFIX'
This part of the fix was invalid as trust domain object (that need uid/gid allocation)
are under 'cn=trust,SUFFIX'. Revert that part of the fix.
Waiting on https://fedorahosted.org/389/ticket/47828, to exclude provisioning contains

https://fedorahosted.org/freeipa/ticket/3813

Reviewed-By: Martin Kosek <mkosek@redhat.com>
User Life Cycle: create containers and scoping DS plugins 2014-08-19T07:48:20+00:00 Thierry bordaz (tbordaz) tbordaz@redhat.com 2014-08-07T14:29:02+00:00 04ea75a7a5109907ede2a0216bd39fac46a992c0 User Life Cycle is designed http://www.freeipa.org/page/V4/User_Life-Cycle_Management It manages 3 containers (Staging, Active, Delete). At install/upgrade Delete and Staging containers needs to be created. Active: cn=users,cn=accounts,$SUFFIX Delete: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX Stage: cn=staged users ,cn=accounts,cn=provisioning,$SUFFIX Plugins scopes: krbPrincipalName, krbCanonicalName, ipaUniqueID, uid: cn=accounts,SUFFIX cn=deleted users,cn=accounts,cn=provisioning,SUFFIX DNA: cn=accounts,SUFFIX Plugins exclude subtree: IPA UUID, Referential Integrity, memberOf: cn=provisioning,SUFFIX https://fedorahosted.org/freeipa/ticket/3813 Reviewed-By: Petr Viktorin <pviktori@redhat.com> 
User Life Cycle is designed http://www.freeipa.org/page/V4/User_Life-Cycle_Management
It manages 3 containers (Staging, Active, Delete). At install/upgrade Delete and Staging
containers needs to be created.
		Active: cn=users,cn=accounts,$SUFFIX
		Delete: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
		Stage:  cn=staged users ,cn=accounts,cn=provisioning,$SUFFIX

Plugins scopes:
		krbPrincipalName, krbCanonicalName, ipaUniqueID, uid:
			cn=accounts,SUFFIX
			cn=deleted users,cn=accounts,cn=provisioning,SUFFIX
		DNA:
			cn=accounts,SUFFIX

		Plugins exclude subtree:
		IPA UUID, Referential Integrity, memberOf:
			cn=provisioning,SUFFIX

https://fedorahosted.org/freeipa/ticket/3813

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Add permissions for certificate store. 2014-07-30T14:04:21+00:00 Jan Cholasta jcholast@redhat.com 2014-06-10T12:07:35+00:00 586373cf077f3761004414c3809785dfbcb6ef46 Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Configure attribute uniqueness for certificate store. 2014-07-30T14:04:21+00:00 Jan Cholasta jcholast@redhat.com 2014-06-10T12:06:28+00:00 fd80cc1c590a0ca977473ea71ff94e66b6c13f33 Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Add container for certificate store. 2014-07-30T14:04:21+00:00 Jan Cholasta jcholast@redhat.com 2014-06-10T12:05:22+00:00 1c612ad3e192275fcce21ad594b4f4346ecb2d2d Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Allow IPA master hosts to read and update IPA master information. 2014-07-30T14:04:21+00:00 Jan Cholasta jcholast@redhat.com 2014-06-12T06:37:40+00:00 1778f0ebc95bf53c2746ce5461f76458c40560cd Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
Reviewed-By: Rob Crittenden <rcritten@redhat.com>