freeipa.git/ipaserver/install, branch ad-work FreeIPA project ipa-adtrust-install: configure compatibility tree to serve trusted domain users 2013-07-18T07:56:37+00:00 Alexander Bokovoy abokovoy@redhat.com 2013-07-15T16:13:50+00:00 e375aca57cfea570e2b92d7f555bda6267d05d7a Enables support for trusted domains users for old clients through Schema Compatibility plugin. SSSD supports trusted domains natively starting with version 1.9 platform. For platforms that lack SSSD or run older SSSD version one needs to use this option. When enabled, slapi-nis package needs to be installed and schema-compat-plugin will be configured to provide lookup of users and groups from trusted domains via SSSD on IPA server. These users and groups will be available under cn=users,cn=compat,$SUFFIX and cn=groups,cn=compat,$SUFFIX trees. SSSD will normalize names of users and groups to lower case. In addition to providing these users and groups through the compat tree, this option enables authentication over LDAP for trusted domain users with DN under compat tree, i.e. using bind DN uid=administrator@ad.domain,cn=users,cn=compat,$SUFFIX. This authentication is related to PAM stack using 'system-auth' PAM service. If you have disabled HBAC rule 'allow_all', then make sure there is special service called 'system-auth' created and HBAC rule to allow access to anyone to this rule on IPA masters is added. Please note that system-auth PAM service is not used directly by any other application, therefore it is safe to create one specifically to support trusted domain users via compatibility path. https://fedorahosted.org/freeipa/ticket/3567 
Enables  support  for  trusted  domains  users  for old clients through Schema
Compatibility plugin.  SSSD supports trusted domains natively starting with
version 1.9 platform. For platforms that lack SSSD or run older SSSD version
one needs  to  use  this  option.  When  enabled, slapi-nis  package  needs  to
be  installed  and schema-compat-plugin will be configured to provide lookup of
users and groups from trusted domains via SSSD on IPA server. These users and
groups will be available under  cn=users,cn=compat,$SUFFIX  and
cn=groups,cn=compat,$SUFFIX trees.  SSSD will normalize names of users and
groups to lower case.

In  addition  to  providing  these users and groups through the compat tree,
this option enables authentication over LDAP for trusted domain users with DN
under compat tree, i.e. using bind DN uid=administrator@ad.domain,cn=users,cn=compat,$SUFFIX.

This authentication  is related to  PAM  stack  using  'system-auth' PAM
service. If you have disabled HBAC rule 'allow_all', then make sure there is
special service called 'system-auth' created and HBAC rule to allow access to
anyone to this rule on IPA masters is added. Please note that system-auth PAM
service is  not used directly by any other application, therefore it is safe to
create one specifically to support trusted domain users via compatibility path.

https://fedorahosted.org/freeipa/ticket/3567
Hide sensitive attributes in LDAP updater logging and output 2013-07-18T07:49:43+00:00 Rob Crittenden rcritten@redhat.com 2013-07-12T15:28:43+00:00 240b12169b9a52113426f6b7893ea9c6bfaf4ea4 The LDAP updater prints the initial and final states of an entry, as well as details on the changes made to attributes. This has the potential to expose sensitive values so exclude those from logging. https://fedorahosted.org/freeipa/ticket/3782 
The LDAP updater prints the initial and final states of an entry, as well
as details on the changes made to attributes. This has the potential to
expose sensitive values so exclude those from logging.

https://fedorahosted.org/freeipa/ticket/3782
Change group ownership of CRL publish directory 2013-07-16T10:17:40+00:00 Tomas Babej tbabej@redhat.com 2013-07-16T10:10:54+00:00 7a105604e265222cf6f96b0ac060d4f1b2504b6c Spec file modified so that /var/lib/ipa/pki-ca/publish/ is no longer owned by created with package installation. The directory is rather created/removed with the CA instance itself. This ensures proper creation/removeal, group ownership and SELinux context. https://fedorahosted.org/freeipa/ticket/3727 
Spec file modified so that /var/lib/ipa/pki-ca/publish/ is no
longer owned by created with package installation. The directory
is rather created/removed with the CA instance itself.

This ensures proper creation/removeal, group ownership
and SELinux context.

https://fedorahosted.org/freeipa/ticket/3727
Make sure replication works after DM password is changed 2013-07-11T09:39:29+00:00 Ana Krivokapic akrivoka@redhat.com 2013-05-15T09:22:41+00:00 c1e9b6fa1d3b334e6331c00158bf8e71926cd658 Replica information file contains the file `cacert.p12` which is protected by the Directory Manager password of the initial IPA server installation. The DM password of the initial installation is also used for the PKI admin user password. If the DM password is changed after the IPA server installation, the replication fails. To prevent this failure, add the following steps to ipa-replica-prepare: 1. Regenerate the `cacert.p12` file and protect it with the current DM password 2. Update the password of the PKI admin user with the current DM password https://fedorahosted.org/freeipa/ticket/3594 
Replica information file contains the file `cacert.p12` which is protected by
the Directory Manager password of the initial IPA server installation. The DM
password of the initial installation is also used for the PKI admin user
password.

If the DM password is changed after the IPA server installation, the replication
fails.

To prevent this failure, add the following steps to ipa-replica-prepare:
1. Regenerate the `cacert.p12` file and protect it with the current DM password
2. Update the password of the PKI admin user with the current DM password

https://fedorahosted.org/freeipa/ticket/3594
Permit reads to ipatokenRadiusProxyUser objects 2013-07-11T09:39:27+00:00 Nathaniel McCallum npmccallum@redhat.com 2013-06-18T18:21:25+00:00 4bbbc11029aae9c29b9da2347ed1e905c885c0fd This fixes an outstanding permissions issue from the OTP work. https://fedorahosted.org/freeipa/ticket/3693 
This fixes an outstanding permissions issue from the OTP work.

https://fedorahosted.org/freeipa/ticket/3693
Check trust chain length in CA-less install. 2013-07-11T09:39:25+00:00 Jan Cholasta jcholast@redhat.com 2013-06-18T08:57:12+00:00 ab96ca7831ad8ab2ee2389093ea8b9327d94d6f0 https://fedorahosted.org/freeipa/ticket/3707 
https://fedorahosted.org/freeipa/ticket/3707
Fix bug in adtrustinstance 2013-07-09T15:44:38+00:00 Ana Krivokapic akrivoka@redhat.com 2013-06-25T13:52:29+00:00 30e75797805b3483942ea76a21c9bb8a99d24ce1 Incorrect tuple unpacking in adtrustinstance was causing ipa-adtrust-install to fail when IPA was installed with no DNS. https://fedorahosted.org/freeipa/ticket/3746 
Incorrect tuple unpacking in adtrustinstance was causing ipa-adtrust-install
to fail when IPA was installed with no DNS.

https://fedorahosted.org/freeipa/ticket/3746
Enable SASL mapping fallback. 2013-06-27T15:06:51+00:00 Jan Cholasta jcholast@redhat.com 2013-03-22T10:15:51+00:00 ea7db35b6224b8c67b789ac1eb35c9bc6c3eb6b5 Assign a default priority of 10 to our SASL mappings. https://fedorahosted.org/freeipa/ticket/3330 
Assign a default priority of 10 to our SASL mappings.

https://fedorahosted.org/freeipa/ticket/3330
Create Firefox configuration extension on CA-less install 2013-06-27T14:01:52+00:00 Petr Vobornik pvoborni@redhat.com 2013-06-25T14:53:24+00:00 f5bc155f56a3673a419f921db18e64f8647065ec Create: * kerberosauth.xpi * krb.js even when --http_pkcs12 option is used. https://fedorahosted.org/freeipa/ticket/3747 
Create:
* kerberosauth.xpi
* krb.js

even when --http_pkcs12 option is used.

https://fedorahosted.org/freeipa/ticket/3747
Do not display traceback to user 2013-06-24T12:23:09+00:00 Ana Krivokapic akrivoka@redhat.com 2013-06-17T13:04:50+00:00 2775dec3bec3499c69de60d5bb581ffad7615cef Logging tracebacks at the INFO level caused them to be displayed to user on the command line. Change the log level to DEBUG, so that tracebacks are not visible to user. https://fedorahosted.org/freeipa/ticket/3704 
Logging tracebacks at the INFO level caused them to be displayed to user on the
command line. Change the log level to DEBUG, so that tracebacks are not visible
to user.

https://fedorahosted.org/freeipa/ticket/3704