freeipa.git/ipaserver/plugins, branch hbactest FreeIPA project Filter reverse zones in dnszone-find 2011-07-13T13:06:13+00:00 Martin Kosek mkosek@redhat.com 2011-07-13T12:01:17+00:00 0cb65fd9f6865d606625ddb16206090779462c1f Implements a new option to filter out reverse zones. This patch also do some clean up in dns plugin - debug prints were accidentally left here in the last dns patch. https://fedorahosted.org/freeipa/ticket/1471 
Implements a new option to filter out reverse zones.

This patch also do some clean up in dns plugin - debug prints were
accidentally left here in the last dns patch.

https://fedorahosted.org/freeipa/ticket/1471
find_entry_by_attr() should fail if multiple entries are found 2011-07-11T22:45:49+00:00 Rob Crittenden rcritten@redhat.com 2011-07-05T17:36:48+00:00 d9627ab1651f4ab00c3734cc5bd69b051f79f92b It will only ever return one entry so if more than one are found then we raise an exception. This is most easily seen in the host plugin where we search on the server shortname which can be the same across sub-domains (e.g. foo.example.com & foo.lab.example.com). https://fedorahosted.org/freeipa/ticket/1388 
It will only ever return one entry so if more than one are found
then we raise an exception. This is most easily seen in the host
plugin where we search on the server shortname which can be the
same across sub-domains (e.g. foo.example.com &
foo.lab.example.com).

https://fedorahosted.org/freeipa/ticket/1388
Convert Bool to TRUE/FALSE when working with LDAP backend https://fedorahosted.org/freeipa/ticket/1259 2011-06-28T03:03:23+00:00 Alexander Bokovoy abokovoy@redhat.com 2011-06-27T12:08:13+00:00 716a25a784b4257ef4928afc18b6cebdb7d15e54 According to RFC4517 the only valid values for a boolean in LDAP are TRUE or FALSE. This commit adds support to recognize TRUE and FALSE as valid Bool constants when converting from LDAP attribute values and enforces TRUE or FALSE string for account locking. 
According to RFC4517 the only valid values for a boolean in LDAP are TRUE or FALSE.
This commit adds support to recognize TRUE and FALSE as valid Bool constants when converting from LDAP attribute values
and enforces TRUE or FALSE string for account locking.
Let the framework be able to override the hostname. 2011-06-23T06:11:34+00:00 Rob Crittenden rcritten@redhat.com 2011-06-23T06:06:49+00:00 8810758c11df8afb5fb7ddf97a71c55a431edfd2 The hostname is passed in during the server installation. We should use this hostname for the resulting server as well. It was being discarded and we always used the system hostname value. Important changes: - configure ipa_hostname in sssd on masters - set PKI_HOSTNAME so the hostname is passed to dogtag installer - set the hostname when doing ldapi binds This also reorders some things in the dogtag installer to eliminate an unnecessary restart. We were restarting the service twice in a row with very little time in between and this could result in a slew of reported errors, though the server installed ok. ticket 1052 
The hostname is passed in during the server installation. We should use
this hostname for the resulting server as well. It was being discarded
and we always used the system hostname value.

Important changes:
- configure ipa_hostname in sssd on masters
- set PKI_HOSTNAME so the hostname is passed to dogtag installer
- set the hostname when doing ldapi binds

This also reorders some things in the dogtag installer to eliminate an
unnecessary restart. We were restarting the service twice in a row with
very little time in between and this could result in a slew of reported
errors, though the server installed ok.

ticket 1052
Select a server with a CA on it when submitting signing requests. 2011-06-14T06:03:21+00:00 Nalin Dahyabhai nalin@dahyabhai.net 2011-06-08T15:09:28+00:00 df0b927bfb2ad0f6cb15e5c69270d03668a2177c When the RA is about to submit a signing request to a CA, check if the ca_host is actually a CA. If it isn't, and it isn't the local host, check if the local host is a CA. If that doesn't work, try to select a CA host at random. If there aren't any, just give up and pretend the ca_host is a CA so that we can fail to connect to it, as we would have before. Ticket #1252. 
When the RA is about to submit a signing request to a CA, check
if the ca_host is actually a CA.  If it isn't, and it isn't the
local host, check if the local host is a CA.  If that doesn't
work, try to select a CA host at random.  If there aren't any,
just give up and pretend the ca_host is a CA so that we can fail
to connect to it, as we would have before.

Ticket #1252.
Fix indirect member calculation 2011-06-14T15:34:11+00:00 Rob Crittenden rcritten@redhat.com 2011-06-13T18:54:42+00:00 c5d8618424de3766db9f104d0873c884b53a4feb Indirect membership is calculated by looking at each member and pulling all the memberof out of it. What was missing was doing nested searches on any members in that member group. So if group2 was a member of group1 and group3 was a member of group2 we would miss group3 as being an indirect member of group1. I updated the nesting test to do deeper nested testing. I confirmed that this test failed with the old code and works with the new. This also prevents duplicate indirect users and looping on circular membership. ticket https://fedorahosted.org/freeipa/ticket/1273 
Indirect membership is calculated by looking at each member and pulling
all the memberof out of it. What was missing was doing nested searches
on any members in that member group.

So if group2 was a member of group1 and group3 was a member of group2
we would miss group3 as being an indirect member of group1.

I updated the nesting test to do deeper nested testing. I confirmed
that this test failed with the old code and works with the new.

This also prevents duplicate indirect users and looping on circular
membership.

ticket https://fedorahosted.org/freeipa/ticket/1273
Handle LDAP search references 2011-06-10T06:34:27+00:00 Martin Kosek mkosek@redhat.com 2011-06-01T16:04:24+00:00 6ee9480b7b52086edcda4a157754ebab2476b660 LDAP search operation may return a search reference pointing to an LDAP resource. As the framework does not handle search references, skip these results to prevent result processing failures. Migrate operation crashed when the migrated DS contained search references. Now, it correctly skips these records and prints the failed references to user. https://fedorahosted.org/freeipa/ticket/1209 
LDAP search operation may return a search reference pointing to
an LDAP resource. As the framework does not handle search
references, skip these results to prevent result processing
failures.

Migrate operation crashed when the migrated DS contained search
references. Now, it correctly skips these records and prints the
failed references to user.

https://fedorahosted.org/freeipa/ticket/1209
Do a lazy retrieval of the LDAP schema rather than at module load. 2011-05-30T07:16:30+00:00 Rob Crittenden rcritten@redhat.com 2011-05-23T19:07:03+00:00 868d4e734ed0f22221f25a1067fbf57141b64c21 Attempt to retrieve the schema the first time it is needed rather than when Apache is started. A global copy is cached for future requests for performance reasons. The schema will be retrieved once per Apache child process. ticket 583 
Attempt to retrieve the schema the first time it is needed rather than
when Apache is started. A global copy is cached for future requests
for performance reasons.

The schema will be retrieved once per Apache child process.

ticket 583
Return copy of config from ipa_get_config() 2011-05-13T17:09:24+00:00 Jr Aquino jr.aquino@citrix.com 2011-05-12T21:59:22+00:00 756d61724e28663f9e8a4d30c01c169f66c739c0 It was discovered that using the batch plugin it was possible to store duplicate data in parts of the ipa_config during iterations. This was causing a cascading exec failures if any one of the batch executions failed. https://fedorahosted.org/freeipa/ticket/1220 
It was discovered that using the batch plugin it was possible to
store duplicate data in parts of the ipa_config during iterations.
This was causing a cascading exec failures if any one of the batch
executions failed.

https://fedorahosted.org/freeipa/ticket/1220
Optimize and dynamically verify group membership 2011-04-22T18:15:16+00:00 Jr Aquino jr.aquino@citrix.com 2011-04-20T18:16:48+00:00 cc0e6680b9d7d5fee85d683df2f46eff6f7ff2e3 Rather than doing full searches for members read each member individually to determine if it is direct or indirect. Also add a fail-safe when calculating indirect membership so removing a member will log enough information for debugging (ticket 1133). https://fedorahosted.org/freeipa/ticket/1139 https://fedorahosted.org/freeipa/ticket/1133 
Rather than doing full searches for members read each member individually
to determine if it is direct or indirect.

Also add a fail-safe when calculating indirect membership so removing
a member will log enough information for debugging (ticket 1133).

https://fedorahosted.org/freeipa/ticket/1139
https://fedorahosted.org/freeipa/ticket/1133