freeipa.git/ipa-client, branch trusts-master FreeIPA project Allow host re-enrollment using delegation 2013-03-25T09:53:25+00:00 Tomas Babej tbabej@redhat.com 2013-03-18T10:06:22+00:00 a7ccc198a731d0e48319a73bcb2dd98c34de262a A new option --force-join has been added to ipa-client-install. It forces the host enrollment even if the host entry exists. Old certificate is revoked, new certificate and ssh key pair generated. See the relevant design for the re-enrollment part: http://freeipa.org/page/V3/Forced_client_re-enrollment https://fedorahosted.org/freeipa/ticket/3482 
A new option --force-join has been added to ipa-client-install.
It forces the host enrollment even if the host entry exists.
Old certificate is revoked, new certificate and ssh key pair
generated. See the relevant design for the re-enrollment part:
http://freeipa.org/page/V3/Forced_client_re-enrollment

https://fedorahosted.org/freeipa/ticket/3482
Improve client install LDAP cert retrieval fallback 2013-03-21T15:12:12+00:00 Martin Kosek mkosek@redhat.com 2013-03-14T13:36:39+00:00 1336b399065ff47477029ba487f1d392f1ce6ac8 CA certificate retrieval function did not fallback from LDAP to HTTP based retrieval in case of an LDAP error, when for example GSSAPI authentication failed. https://fedorahosted.org/freeipa/ticket/3512 
CA certificate retrieval function did not fallback from LDAP to
HTTP based retrieval in case of an LDAP error, when for example
GSSAPI authentication failed.

https://fedorahosted.org/freeipa/ticket/3512
Use temporary CCACHE in ipa-client-install 2013-03-21T15:12:12+00:00 Martin Kosek mkosek@redhat.com 2013-03-14T13:33:56+00:00 6540eff4687bbc400e285a68936d8edf1895168e ipa-client-install failed if user had set his own KRB5CCNAME in his environment. Use a temporary CCACHE for the installer to avoid these kind of errors. https://fedorahosted.org/freeipa/ticket/3512 
ipa-client-install failed if user had set his own KRB5CCNAME in his
environment. Use a temporary CCACHE for the installer to avoid these
kind of errors.

https://fedorahosted.org/freeipa/ticket/3512
ipa-client discovery with anonymous access off 2013-03-20T08:22:10+00:00 Martin Kosek mkosek@redhat.com 2013-03-19T07:57:18+00:00 be54d1deb5e40945e4ead5b34d9acde88c1e8264 When RootDSE could be read (nsslapd-allow-anonymous-access set to "rootdse"), autodiscovery module failed to report success to the client installer. Remove faulty "verified_servers" flag from autodiscovery module as it has no point since we consider both scenarios (IPA server with anonymous access on and unknown LDAP server with anonymous access off) as success. https://fedorahosted.org/freeipa/ticket/3519 
When RootDSE could be read (nsslapd-allow-anonymous-access set to
"rootdse"), autodiscovery module failed to report success to the
client installer.

Remove faulty "verified_servers" flag from autodiscovery module as
it has no point since we consider both scenarios (IPA server with
anonymous access on and unknown LDAP server with anonymous access
off) as success.

https://fedorahosted.org/freeipa/ticket/3519
Avoid multiple client discovery with fixed server list 2013-03-14T08:35:25+00:00 Martin Kosek mkosek@redhat.com 2013-03-13T13:44:20+00:00 354a5db38e46aaf7ff4ecb0b6ee54a18194c376e In client discovery module, we used to run up to three discovery processes even though we received a fixed list of servers to connect to. This could result in up to 3 identical "not an IPA server" error messages when the passed server is not an IPA server. Error out immediately when we are discovering against a fixed set of servers. Related to fixes in https://fedorahosted.org/freeipa/ticket/3418 
In client discovery module, we used to run up to three discovery
processes even though we received a fixed list of servers to connect
to. This could result in up to 3 identical "not an IPA server" error
messages when the passed server is not an IPA server.

Error out immediately when we are discovering against a fixed set
of servers.

Related to fixes in https://fedorahosted.org/freeipa/ticket/3418
Preserve order of servers in ipa-client-install 2013-03-14T08:35:17+00:00 Martin Kosek mkosek@redhat.com 2013-03-13T13:42:12+00:00 452ffa143aadba5f16f4fe67720e28852fdf1fb7 When multiple servers are passed via --server option, ipadiscovery module changed its order. Make sure that we preserve it. Also make sure that user is always warned when a tested server is not available as then the server will be excluded from the fixed server list. Log messages were made more informative so that user knows which server is actually failing to be verified. https://fedorahosted.org/freeipa/ticket/3418 
When multiple servers are passed via --server option, ipadiscovery
module changed its order. Make sure that we preserve it.

Also make sure that user is always warned when a tested server is
not available as then the server will be excluded from the fixed
server list. Log messages were made more informative so that user
knows which server is actually failing to be verified.

https://fedorahosted.org/freeipa/ticket/3418
Make sure uninstall script prompts for reboot as last 2013-03-13T15:53:19+00:00 Tomas Babej tbabej@redhat.com 2013-03-13T11:53:24+00:00 ade4aaef9aba7e05276dc2f436a43e0bb7d42da3 Parts of client uninstall logic could be skipped in attended uninstallation if user agreed to reboot the machine. Particulary, the uninstall script would not try to remove /etc/ipa/default.conf and therefore subsequent installation would fail, client being detected as already configured. https://fedorahosted.org/freeipa/ticket/3462 https://fedorahosted.org/freeipa/ticket/3463 
Parts of client uninstall logic could be skipped in attended
uninstallation if user agreed to reboot the machine. Particulary,
the uninstall script would not try to remove /etc/ipa/default.conf
and therefore subsequent installation would fail, client being
detected as already configured.

https://fedorahosted.org/freeipa/ticket/3462
https://fedorahosted.org/freeipa/ticket/3463
Don't download the schema in ipadiscovery 2013-03-13T11:36:34+00:00 Petr Viktorin pviktori@redhat.com 2013-03-08T12:34:13+00:00 63407ed477035765dda38fbead1353d4f47ac26a 






Remove unneeded python-ldap imports
2013-03-13T11:36:34+00:00

Petr Viktorin
pviktori@redhat.com

2013-01-31T14:02:01+00:00

cf4b52111d384e8baa250aefe57f21ebda4dad7e

Part of the work for: https://fedorahosted.org/freeipa/ticket/2660





Part of the work for: https://fedorahosted.org/freeipa/ticket/2660







Use IPAdmin rather than raw python-ldap in migration.py and ipadiscovery.py
2013-03-13T11:36:33+00:00

Petr Viktorin
pviktori@redhat.com

2013-01-31T13:26:38+00:00

664248d5b846321f61e0776b646cca82c5a17884

These used ipautil.get_ipa_basedn. Convert that to use the new wrappers.

Beef up the error handling in ipaldap to accomodate the errors we catch
in the server discovery.
Add a DatabaseTimeout exception to errors.py.

These were the last uses of ipautil.convert_ldap_error, remove that.

https://fedorahosted.org/freeipa/ticket/3487
https://fedorahosted.org/freeipa/ticket/3446





These used ipautil.get_ipa_basedn. Convert that to use the new wrappers.

Beef up the error handling in ipaldap to accomodate the errors we catch
in the server discovery.
Add a DatabaseTimeout exception to errors.py.

These were the last uses of ipautil.convert_ldap_error, remove that.

https://fedorahosted.org/freeipa/ticket/3487
https://fedorahosted.org/freeipa/ticket/3446