summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* ipa-adtrust-install: print list of needed SRV recordsSumit Bose2012-10-041-9/+13
| | | | | | | If --no-msdcs is given on the command line all needed SRV records will be printed. Fixes https://fedorahosted.org/freeipa/ticket/3019
* Avoid ldapmodify error messages during ipa-adtrust-installSumit Bose2012-10-041-13/+34
| | | | Fixes https://fedorahosted.org/freeipa/ticket/3012
* Add SIDs for existing users and groups at the end of ipa-adtrust-installSumit Bose2012-10-046-12/+43
| | | | Fixes https://fedorahosted.org/freeipa/ticket/3104
* ipasam: add fallback primary groupSumit Bose2012-10-041-7/+230
| | | | https://fedorahosted.org/freeipa/ticket/2955
* ipa-adtrust-install: replace print with self.print_msgSumit Bose2012-10-041-14/+14
| | | | https://fedorahosted.org/freeipa/ticket/3019
* ipa-adtrust-install: Add fallback groupSumit Bose2012-10-042-13/+97
| | | | https://fedorahosted.org/freeipa/ticket/2955
* Removal of delegation-uris instruction from browser configPetr Vobornik2012-10-041-1/+0
| | | | | | Delegation is not needed since support of s4u2proxy mechanism. https://fedorahosted.org/freeipa/ticket/3094
* Configuration pages changed to use new FF extensionPetr Vobornik2012-10-0413-48/+550
| | | | | | | | | | | | | | | browserconfig.html was changed to use new FF extension. The page is completely Firefox specific therefore the title was changed from 'Configure browser' to 'Firefox configuration'. Instruction to import CA cert in unauthorized.html are FF specific too, so they were moved to browserconfig.html. Unauthorized.html text was changed to distinguish FF config and other browsers. Now the page shows link for FF (browserconfig.html) and other browsers (ssbrowser.html). Ssbrowser.html should be enhanced by more configurations and browsers later [1]. Old configuration method was moved to ssbrowser.html. Unauthorized dialog in Web UI now links to http://../unauthorized.html instead of https. This change is done because of FF strange handling of extension installations from https sites [2]. Firefox allows ext. installation from https sites only when the certificate is signed by some build-in CA. To allow custom CAs an option in about:config has to be changed which don't help us at all because we wants to avoid manual changes in about:config. The design of browserconfig is inspired by Kyle Baker's design (2.1 Enhancements_v2.odt). It is not exactly the same. Highlighting of the steps wasn't used because in some cases we can switch some steps. Ticket: https://fedorahosted.org/freeipa/ticket/3094 [1] https://fedorahosted.org/freeipa/ticket/823 [2] https://bugzilla.mozilla.org/show_bug.cgi?id=688383
* Build and installation of Kerberos authentication extensionPetr Vobornik2012-10-046-2/+32
| | | | | | | | | | | | This patch is adding a build of kerberosauth.xpi (FF Kerberos authentication extension). Currently the build is done in install phase of FreeIPA server. It is to allow signing of the extension by singing certificate. The signing might not be necessary because the only outcome is that in extension installation FF doesn't show that the maker is not verified. It shows text: 'Object signing cert'. This might be a bug in httpinstance.py:262(db.create_signing_cert("Signing-Cert", "Object Signing Cert", ca_db)) The value is in place of hostname parameter. If the extension is not signed, it can be created in rpm build phase, which should make upgrades easier. Current implementation doesn't handle upgrades yet. In order to keep extension and config pages not dependent on a realm, a krb.js.teplate file was created. This template is used for creating a /usr/share/ipa/html/krb.js file in install phase which holds FreeIPA's realm and domain information. This information can be then used by config pages by importing this file. Ticket: https://fedorahosted.org/freeipa/ticket/3094
* Kerberos authentication extension makefilesPetr Vobornik2012-10-048-0/+111
| | | | | | Makefiles for new FF kerberos authentication extension ihttps://fedorahosted.org/freeipa/ticket/3094
* Kerberos authentication extensionPetr Vobornik2012-10-046-0/+306
| | | | | | | | | | | | | | | | | | | The extension should replace signed code (configure.jar) used for Firefox configuration. Using privileged code is not possible since Firefox 15 [1] [2]. Extension is bootstrapped which means it can be used without browser restart on Firefox 4 and later. How it works: Extension listens on each page's document element for event 'kerberos-auth-config' which should be raised on custom data element. Communication data is transferred through data element's attributes [3]. The only required attribute is 'method'. Currently there are two possible values: 'configure' and 'can_configure'. 'can_configure' method serves for detecting if the extension is installed. 'configure' method does the actual configuration. Possible optional options for 'configure' can be found in kerberosauth.js:kerberosauth.config_options. Currently they are: 'referer', 'native_gss_lib', 'trusted_uris', 'allow_proxies'. Result of a method is stored in data element's 'answer' attribute. When 'configure' method is used, the extension asks the user if he wants to configure the browser, it should prevent silent configuration by malicious pages. Possible enhancement: * add UI for manual edit * more configurations ie. for gss_lib, sspi (good with UI or with enhanced config page) * introspection of client (read ipa client install config and such) Ticket: https://fedorahosted.org/freeipa/ticket/3094 [1] https://bugzilla.mozilla.org/show_bug.cgi?id=546848 [2] https://bugzilla.mozilla.org/show_bug.cgi?id=757046 [3] https://developer.mozilla.org/en-US/docs/Code_snippets/Interaction_between_privileged_and_non-privileged_pages
* Support python-ldap 2.3 way of making LDAP controlAlexander Bokovoy2012-10-041-3/+11
| | | | | | | | This strange patch is to accomodate both python-ldap 2.3 and later versions. There was refactoring in python-ldap support for LDAP controls that split base class into two different, changing properties and method signatures. Luckily, we don't use any values passed to encodeControlValue.
* ipa-adtrust-install: remove wrong check for dm_passwordSumit Bose2012-10-041-4/+0
| | | | | | | Additionally this patch removes a comment which makes no sense at this place anymore. Fixes https://fedorahosted.org/freeipa/ticket/3023
* Clear kernel keyring in client installer, save dbdir on new connectionsRob Crittenden2012-10-032-1/+25
| | | | | | | | | | | | | | | | | | | This patch addresses two issues: 1. If a client is previously enrolled in an IPA server and the server gets re-installed then the client machine may still have a keyring entry for the old server. This can cause a redirect from the session URI to the negotiate one. As a rule, always clear the keyring when enrolling a new client. 2. We save the NSS dbdir in the connection so that when creating a new session we can determine if we need to re-initialize NSS or not. Most of the time we do not. The dbdir was not always being preserved between connections which could cause an NSS_Shutdown() to happen which would fail because of existing usage. This preserves the dbdir information when a new connection is created as part of the session mechanism. https://fedorahosted.org/freeipa/ticket/3108
* Wait for secure Dogtag ports when starting the pki servicesPetr Viktorin2012-10-031-4/+4
| | | | | | | | Dogtag opens not only the insecure port (8080 or 9180, for d10 and d9 respectively), but also secure ports (8443 or 9443&9444). Wait for them when starting. Part of the fix for https://fedorahosted.org/freeipa/ticket/3084
* Fill ipakrbprincipalalias on upgradesMartin Kosek2012-10-023-1/+102
| | | | | | | | | | | | | | From IPA 3.0, services have by default ipakrbprincipal objectclass which allows ipakrbprincipalalias attribute used for case-insensitive principal searches. However, services created in previous version do not have this objectclass (and attribute) and thus case-insensitive searches may return inconsistent results. Fill ipakrbprincipalalias on upgrades for all 2.x services. Also treat Treat the ipakrbprincipal as optional to avoid missing services in service-find command if the upgrade fails for any reason. https://fedorahosted.org/freeipa/ticket/3106
* Restrict admins group modificationsTomas Babej2012-10-033-6/+56
| | | | | | | | Group-mod command no longer allows --rename and/or --external changes made to the admins group. In such cases, ProtectedEntryError is being raised. https://fedorahosted.org/freeipa/ticket/3098
* Add --rid-base and --secondary-rid-base to ipa-adtrust-install man pageSumit Bose2012-10-031-0/+10
| | | | Fixes https://fedorahosted.org/freeipa/ticket/3038
* Enhance description of --no-msdcs in man pageSumit Bose2012-10-031-1/+25
| | | | Fixes https://fedorahosted.org/freeipa/ticket/2972
* Add man page paragraph about running ipa-adtrust-install multiple timesSumit Bose2012-10-031-0/+8
| | | | Fixes https://fedorahosted.org/freeipa/ticket/2967
* Improve user addition to default group in user-addTomas Babej2012-10-032-1/+74
| | | | | | | | | | On adding new user, user-add tries to make it a member of default user group. This, however, can raise AlreadyGroupMember when the user is already member of this group due to automember rule or default group configured. This patch makes sure AlreadyGroupMember exception is caught in such cases. https://fedorahosted.org/freeipa/ticket/3097
* Only use service PAC type as an overrideMartin Kosek2012-10-036-28/+70
| | | | | | | | | | | | | | PAC type (ipakrbauthzdata attribute) was being filled for all new service automatically. However, the PAC type attribute was designed to serve only as an override to default PAC type configured in IPA config. With PAC type set in all services, users would have to update all services to get new PAC types configured in IPA config. Do not set PAC type for new services. Add new NONE value meaning that we do not want any PAC for the service (empty/missing attribute means that the default PAC type list from IPA config is read). https://fedorahosted.org/freeipa/ticket/2184
* Do not produce unindexed search on every DEL commandMartin Kosek2012-10-013-1/+25
| | | | | | | | | | | | Every <plugin>-del command executes an "(objectclass=*)" search to find out if a deleted node has any child nodes which would need to be deleted first. This produces an unindexed search for every del command which biases access log audits and may affect performance too. Since most of the *-del commands delete just a single object (user, group, RBAC objects, SUDO or HBAC objects, ...) and not a tree (automount location, dns zone, ...) run a single entry delete first and only revert to subtree search&delete when that fails.
* Index ipakrbprincipalalias and ipaautomountkey attributesMartin Kosek2012-10-012-0/+30
| | | | | | | | | | | | An unindexed search for ipakrbprincipalalias is fired for every ipa command (and other authentication events) which would degrade IPA server performance if not indexed. ipaautomountkey unindexed searches are hit when new key entries are being added. Add both indexes to new and updated IPA installs. https://fedorahosted.org/freeipa/ticket/3020 https://fedorahosted.org/freeipa/ticket/3025
* Improve DN usage in ipa-client-installMartin Kosek2012-10-023-64/+119
| | | | | | | | | | | | | | | | | | | | | A hotfix pushed in a scope of ticket 3088 forced conversion of DN object (baseDN) in IPA client discovery so that ipa-client-install does not crash when creating an IPA default.conf. Since this is not a preferred way to handle DN objects, improve its usage: - make sure, that baseDN retrieved by client discovery is always a DN object - update ipachangeconf.py code to handle strings better and instead of concatenating objects, make sure they are converted to string first As a side-effect of ipachangeconf changes, default.conf config file generated by ipa-client-install has no longer empty new line at the end of a file. Whole ipachangeconf.py has been modified to be compliant with PEP8. https://fedorahosted.org/freeipa/ticket/3088
* Add support for unified samba packagesMartin Kosek2012-10-011-1/+17
| | | | | | | | | | Fedora 18 and later has moved unified samba and samba4 packages. Update Requires and BuildRequires in spec file to require correct versions. Also require libwbclient-devel which now provides libwbclient.h instead of samba4-devel package. https://fedorahosted.org/freeipa/ticket/3118
* Improve StrEnum validation error messageMartin Kosek2012-10-012-7/+33
| | | | | | | | Do not print list of possible values as "%r" but simply as a list of quoted values which should make it easier to read for users. Also add a special case when there is just one allowed value. https://fedorahosted.org/freeipa/ticket/2869
* Fix NS records in installationPetr Viktorin2012-09-272-1/+6
| | | | | | | | Our installation added two final dots to the NS records, so the records were invalid, Bind ignored the entire zone, and name resolution didn't work. Fix this error and add a check for empty DNS labels to the validator
* Don't use bare except: clauses in ipa-client-installPetr Viktorin2012-09-271-13/+13
| | | | | | | | Instead of `except:`, use `except Exception:`. This means that errors like KeyboardInterrupt are not handled, letting them terminate the script as expected. https://fedorahosted.org/freeipa/ticket/2941
* Change the way SID comparison is done for belonging to trusted domainAlexander Bokovoy2012-09-271-16/+12
| | | | Fixes trust use on RHEL 6.
* Validate SELinux users in config-modMartin Kosek2012-09-272-24/+69
| | | | | | | | config-mod is capable of changing default SELinux user map order and a default SELinux user. Validate the new config values to prevent bogus default SELinux users to be assigned to IPA users. https://fedorahosted.org/freeipa/ticket/2993
* Use custom zonemgr for reverse zonesMartin Kosek2012-09-264-70/+33
| | | | | | | | | | | | | | When DNS is being installed during ipa-{server,dns,replica}-install, forward and reverse zone is created. However, reverse zone was always created with default zonemgr even when a custom zonemgr was passed to the installer as this functionality was missing in function creating reverse zone. Consolidate functions creating forward and reverse zones to avoid code duplication and errors like this one. Reverse zones are now created with custom zonemgr (when entered by user). https://fedorahosted.org/freeipa/ticket/2790
* Make sure external group members are listed for the external groupAlexander Bokovoy2012-09-251-19/+10
| | | | https://fedorahosted.org/freeipa/ticket/2975
* Fix python syntax in ipa-client-automountRob Crittenden2012-09-241-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/3081
* Always handle NotFound error in dnsrecord-modPetr Viktorin2012-09-242-2/+11
| | | | | | | | When there were no updated attrs when modifying a nonexistent DNS record, the error was not handled and caused an internal server error later (old_entry was used uninitialized). https://fedorahosted.org/freeipa/ticket/3055
* Check direct/reverse hostname/address resolution in ipa-replica-installPetr Viktorin2012-09-201-19/+141
| | | | | | | | | | | | | Forward and reverse resolution of the newly created replica is already checked via get_host_name (which calls verify_fqdn). Add the same check for the existing master. Additionally, if DNS is installed on the remote host, check forward and reverse resolution of both replicas using that DNS only (ignoring /etc/hosts). These checks give only warnings and, in interactive installs, a "Continue?" prompt. https://fedorahosted.org/freeipa/ticket/2845
* Update krb5.conf during ipa-adtrust-installSumit Bose2012-09-191-0/+62
| | | | https://fedorahosted.org/freeipa/ticket/2515
* Set master_kdc and dns_lookup_kdc to trueSumit Bose2012-09-195-3/+8
| | | | https://fedorahosted.org/freeipa/ticket/2515
* Improves sssd.conf handling during ipa-client uninstallTomas Babej2012-09-202-17/+110
| | | | | | | | | | | | | | | | | | | | | | | The sssd.conf file is no longer left behind in case sssd was not configured before the installation. However, the patch goes behind the scope of this ticked and improves the handling of sssd.conf during the ipa-client-install --uninstall in general. The current behaviour (well documented in source code) is as follows: - In general, the IPA domain is simply removed from the sssd.conf file, instead of sssd.conf being rewritten from the backup. This preserves any domains added after installation. - If sssd.conf existed before the installation, it is restored to sssd.conf.bkp. However, any IPA domains from pre-installation sssd.conf should have been merged during the installation. - If sssd.conf did not exist before the installation, and no other domains than IPA domain exist in it, the patch makes sure that sssd.conf is moved to sssd.conf.deleted so user experiences no crash during any next installation due to its existence. https://fedorahosted.org/freeipa/ticket/2740
* Document use of external group membershipAlexander Bokovoy2012-09-201-0/+29
|
* Add documentation for 'ipa trust' set of commandsAlexander Bokovoy2012-09-201-2/+58
|
* Fix error messages and use proper ImportError for dcerpc importAlexander Bokovoy2012-09-201-7/+6
|
* validate SID for trusted domain when adding/modifying ID rangeAlexander Bokovoy2012-09-201-3/+28
| | | | https://fedorahosted.org/freeipa/ticket/3087
* Use correct Dogtag port in ipaserver.install.certsPetr Viktorin2012-09-201-2/+2
| | | | | On an instance upgraded from Dogtag 9 to Dogtag 10, ipa-replica-prepare used the wrong port number. Fix that.
* SSHPublicKey.fingerprint_dns_sha1 should return unicode value.Jan Cholasta2012-09-201-1/+1
|
* Fix idrange plugin helpMartin Kosek2012-09-201-4/+4
| | | | | range plugin was renamed to idrange. Update plugin help to reflect this change.
* Use default reverse zone consistentlyMartin Kosek2012-09-197-31/+78
| | | | | | | | | | | | When a new reverse zone is to be generated based on an IP address without a network prefix length, we need to use some default value. While netaddr library default ones (32b for IPv4 and 128b for IPv6) are not very sensible we should use the defaults already applied in installers. That is 24b for IPv6 and 64 for IPv6. Test case has been added to cover the new default. https://fedorahosted.org/freeipa/ticket/2461
* Fix integer validation when boundary value is empty stringPetr Vobornik2012-09-197-3/+171
| | | | | | There was an error in number validation check. If boundary value was an empty string, validation of a number always failed. This patch fixes the problem by not performing the check in these cases. https://fedorahosted.org/freeipa/ticket/3066
* Show trust status in add success notificationPetr Vobornik2012-09-173-6/+29
| | | | | | Web UI notification of 'Add verification step after trust creation' https://fedorahosted.org/freeipa/ticket/2763
* Add verification of the AD trustAlexander Bokovoy2012-09-172-8/+35
| | | | | | | | | | Since we only can perform verification when AD admin credentials are available, report that trust should be verified from the AD side in other cases, including unsuccessful verification. Once trust is added, status of it is never stored anywhere. https://fedorahosted.org/freeipa/ticket/2763
generated by cgit (git 2.34.1) at 2024-06-17 12:02:26 +0000