freeipa.git/ipaserver, branch adwork

Ensure that winbind service is also started when ipa-adtrust-install is run

2012-06-27T14:13:42+00:00

Add support for external group members

2012-06-27T14:13:42+00:00

When using ipaExternalGroup/ipaExternalMember attributes it is
possible to add group members which don't exist in IPA database.
This is primarily is required for AD trusts support and therefore
validation is accepting only secure identifier (SID) format.

https://fedorahosted.org/freeipa/ticket/2664

Set RID bases for local domain during ipa-adtrust-install

2012-06-26T07:04:23+00:00

Add objects for initial ID range

2012-06-26T07:04:08+00:00

Add sidgen postop and task

2012-06-26T07:03:21+00:00

A postop plugin is added to create the SID for new created users and
groups. A directory server task allows to set the SID for existing
users and groups.

Fixes https://fedorahosted.org/freeipa/ticket/2825

Add external domain extop DS plugin

2012-06-26T06:56:42+00:00

This extop can be used by clients of the IPA domain, e.g. sssd, to
retrieve data from trusted external domains. It can be used e.g. to map
Windows SIDs to user or groups names and back.

restart dirsrv as part of ipa-adtrust-install

2012-06-22T06:45:55+00:00

We should restart Directory Server when performing AD trusts configuration
to enable new CLDAP plugin and force KDC to notice MS PAC is now available.
Previously we only restarted KDC but if dirsrv is restarted, KDC will notice
its socket disappeared and will refresh itself

http://fedorahosted.org/freeipa/ticket/2862

Store session cookie in ccache for cli users

2012-06-14T12:02:26+00:00

Try to use the URI /ipa/session/xml if there is a key in the kernel
keyring. If there is no cookie or it turns out to be invalid (expired,
whatever) then use the standard URI /ipa/xml. This in turn will create
a session that the user can then use later.

https://fedorahosted.org/freeipa/ticket/2331

Password change capability for form-based auth

2012-06-12T03:07:03+00:00

IPA server web form-based authentication allows logins for users
which for some reason cannot use Kerberos authentication. However,
when a password for such users expires, they are unable change the
password via web interface.

This patch adds a new WSGI script attached to URL
/ipa/session/change_password which can be accessed without
authentication and which provides password change capability
for web services.

The actual password change in the script is processed by LDAP
password change command.

Password result is passed both in the resulting HTML page, but
also in HTTP headers for easier parsing in web services:
  X-IPA-Pwchange-Result: {ok, invalid-password, policy-error, error}
  (optional) X-IPA-Pwchange-Policy-Error: $policy_error_text

https://fedorahosted.org/freeipa/ticket/2276

Only set sebools when necessary

2012-06-11T01:23:23+00:00

setsebool -P was run for every package upgrade or server
installation even though the sebools were already set to the new
value.

Only set sebools which are different from current system values.
This speeds up ipa-upgradeconfig or package update by 150 seconds.