freeipa.git/ipaserver/plugins, branch master FreeIPA project Fix has_upg() to work with relocated managed entries configuration. 2011-10-13T19:38:03+00:00 Rob Crittenden rcritten@redhat.com 2011-10-13T17:07:49+00:00 197b1acfe4ca40fe9570231d4c74db2ce1048ca6 https://fedorahosted.org/freeipa/ticket/1964 
https://fedorahosted.org/freeipa/ticket/1964
Optimize member/memberof searches in LDAP 2011-10-12T10:31:16+00:00 Martin Kosek mkosek@redhat.com 2011-10-12T07:36:24+00:00 e5389ffd5193fcb7edf3b0c5fa887e46cff986fe When investigating if member/memberof attribute is direct/indirect we do a lot of LDAP SCOPE_SUBTREE searches when we actually search just for one item. Make sure we search only with SCOPE_BASE to improve the performance. One not so efficient iteration was also changed to list comprehension to speed things up a tiny bit. https://fedorahosted.org/freeipa/ticket/1885 
When investigating if member/memberof attribute is direct/indirect
we do a lot of LDAP SCOPE_SUBTREE searches when we actually search
just for one item. Make sure we search only with SCOPE_BASE to improve
the performance.

One not so efficient iteration was also changed to list comprehension
to speed things up a tiny bit.

https://fedorahosted.org/freeipa/ticket/1885
Improve default user/group object class validation 2011-10-11T12:49:36+00:00 Martin Kosek mkosek@redhat.com 2011-10-11T08:26:21+00:00 88e693a1a5b95e9da94b927a0b827b3a0e39b7b7 When user/group default object class is being modified via ipa config-mod, no validation check is run. Check at least the following: - all object classes are known to LDAP - all default user/group attributes are allowed under the new set of default object classes https://fedorahosted.org/freeipa/ticket/1893 
When user/group default object class is being modified via
ipa config-mod, no validation check is run. Check at least
the following:

- all object classes are known to LDAP
- all default user/group attributes are allowed under the new
  set of default object classes

https://fedorahosted.org/freeipa/ticket/1893
When calculating indirect membership don't test nesting on users and hosts. 2011-10-06T21:06:14+00:00 Rob Crittenden rcritten@redhat.com 2011-10-05T14:37:05+00:00 03c8a34cb3b7a635e5a853c648cafe5ea9f9a126 Members are dereferenced when calculating indirect membership. We don't need to check hosts and users for members. This significantly reduces the number of queries required for large groups. https://fedorahosted.org/freeipa/ticket/1885 
Members are dereferenced when calculating indirect membership. We don't
need to check hosts and users for members.

This significantly reduces the number of queries required for large groups.

https://fedorahosted.org/freeipa/ticket/1885
Require current password when using passwd to change your own password. 2011-10-04T13:16:15+00:00 Rob Crittenden rcritten@redhat.com 2011-09-16T19:08:17+00:00 bd227b356280f54f48bc01901275833a51f87fd7 Add a new required parameter, current_password. In order to ask this first I added a new parameter option, sortorder. The lower the value the earlier it will be prompted for. I also changed the way autofill works. It will attempt to get the default and if it doesn't get anything will continue prompting interactively. Since current_password is required I'm passing a magic value that means changing someone else's password. We need to pass something since current_password is required. The python-ldap passwd command doesn't seem to use the old password at all so I do a simple bind to validate it. https://fedorahosted.org/freeipa/ticket/1808 
Add a new required parameter, current_password. In order to ask this
first I added a new parameter option, sortorder. The lower the value the
earlier it will be prompted for.

I also changed the way autofill works. It will attempt to get the default
and if it doesn't get anything will continue prompting interactively.

Since current_password is required I'm passing a magic value that
means changing someone else's password. We need to pass something
since current_password is required.

The python-ldap passwd command doesn't seem to use the old password at
all so I do a simple bind to validate it.

https://fedorahosted.org/freeipa/ticket/1808
enable proxy for dogtag 2011-08-29T21:54:49+00:00 Adam Young ayoung@redhat.com 2011-08-17T19:36:18+00:00 5ee93349f6700d024fa4db68c960951d9964504b Dogtag is going to be proxied through httpd. To make this work, it has to support renegotiation of the SSL connection. This patch enables renegotiate in the nss configuration file during during apache configuration, as well as modifies libnss to set the appropriate optins on the ssl connection in order to renegotiate. The IPA install uses the internal ports instead of proxying through httpd since httpd is not set up yet. IPA needs to Request the certificate through a port that uses authentication. On the Dogtag side, they provide an additional mapping for this: /ca/eeca/ca as opposed tp /ca/ee/ca just for this purpose. https://fedorahosted.org/freeipa/ticket/1334 add flag to pkicreate in order to enable using proxy. add the proxy file in /etc/http/conf.d/ Signed-off-by: Simo Sorce <ssorce@redhat.com> 
Dogtag is going to be proxied through httpd.  To make this work, it has to support renegotiation of the SSL
connection.  This patch enables renegotiate in the nss configuration file during during apache configuration,
as well as modifies libnss to set the appropriate optins on the ssl connection in order to  renegotiate.

The IPA install uses the internal ports instead of proxying through
httpd since  httpd is not set up yet.

IPA needs to Request the certificate through a port that uses authentication.  On the Dogtag side, they provide an additional mapping for this:   /ca/eeca/ca as opposed tp /ca/ee/ca  just for this purpose.

https://fedorahosted.org/freeipa/ticket/1334

add flag to pkicreate in order to enable using proxy.

add the proxy file in  /etc/http/conf.d/

Signed-off-by: Simo Sorce <ssorce@redhat.com>
Filter reverse zones in dnszone-find 2011-07-13T13:06:13+00:00 Martin Kosek mkosek@redhat.com 2011-07-13T12:01:17+00:00 0cb65fd9f6865d606625ddb16206090779462c1f Implements a new option to filter out reverse zones. This patch also do some clean up in dns plugin - debug prints were accidentally left here in the last dns patch. https://fedorahosted.org/freeipa/ticket/1471 
Implements a new option to filter out reverse zones.

This patch also do some clean up in dns plugin - debug prints were
accidentally left here in the last dns patch.

https://fedorahosted.org/freeipa/ticket/1471
find_entry_by_attr() should fail if multiple entries are found 2011-07-11T22:45:49+00:00 Rob Crittenden rcritten@redhat.com 2011-07-05T17:36:48+00:00 d9627ab1651f4ab00c3734cc5bd69b051f79f92b It will only ever return one entry so if more than one are found then we raise an exception. This is most easily seen in the host plugin where we search on the server shortname which can be the same across sub-domains (e.g. foo.example.com & foo.lab.example.com). https://fedorahosted.org/freeipa/ticket/1388 
It will only ever return one entry so if more than one are found
then we raise an exception. This is most easily seen in the host
plugin where we search on the server shortname which can be the
same across sub-domains (e.g. foo.example.com &
foo.lab.example.com).

https://fedorahosted.org/freeipa/ticket/1388
Convert Bool to TRUE/FALSE when working with LDAP backend https://fedorahosted.org/freeipa/ticket/1259 2011-06-28T03:03:23+00:00 Alexander Bokovoy abokovoy@redhat.com 2011-06-27T12:08:13+00:00 716a25a784b4257ef4928afc18b6cebdb7d15e54 According to RFC4517 the only valid values for a boolean in LDAP are TRUE or FALSE. This commit adds support to recognize TRUE and FALSE as valid Bool constants when converting from LDAP attribute values and enforces TRUE or FALSE string for account locking. 
According to RFC4517 the only valid values for a boolean in LDAP are TRUE or FALSE.
This commit adds support to recognize TRUE and FALSE as valid Bool constants when converting from LDAP attribute values
and enforces TRUE or FALSE string for account locking.
Let the framework be able to override the hostname. 2011-06-23T06:11:34+00:00 Rob Crittenden rcritten@redhat.com 2011-06-23T06:06:49+00:00 8810758c11df8afb5fb7ddf97a71c55a431edfd2 The hostname is passed in during the server installation. We should use this hostname for the resulting server as well. It was being discarded and we always used the system hostname value. Important changes: - configure ipa_hostname in sssd on masters - set PKI_HOSTNAME so the hostname is passed to dogtag installer - set the hostname when doing ldapi binds This also reorders some things in the dogtag installer to eliminate an unnecessary restart. We were restarting the service twice in a row with very little time in between and this could result in a slew of reported errors, though the server installed ok. ticket 1052 
The hostname is passed in during the server installation. We should use
this hostname for the resulting server as well. It was being discarded
and we always used the system hostname value.

Important changes:
- configure ipa_hostname in sssd on masters
- set PKI_HOSTNAME so the hostname is passed to dogtag installer
- set the hostname when doing ldapi binds

This also reorders some things in the dogtag installer to eliminate an
unnecessary restart. We were restarting the service twice in a row with
very little time in between and this could result in a slew of reported
errors, though the server installed ok.

ticket 1052