summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Use TLS for CA replicationRob Crittenden2012-10-151-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/3162
* Use PublicError instructions support for trust-add case when domain is not foundAlexander Bokovoy2012-10-111-7/+8
| | | | https://fedorahosted.org/freeipa/ticket/3167
* Add instructions support to PublicErrorAlexander Bokovoy2012-10-112-9/+29
| | | | | | | | | | | | | | | When long additional text should follow the error message, one can supply instructions parameter to a class derived from PublicError. This will cause following text added to the error message: Additional instructions: <additional text> `instructions' optional parameter could be a list or anything that coerces into unicode(). List entries will be joined with '\n'. https://fedorahosted.org/freeipa/ticket/3167
* Pull translation files from TransifexPetr Viktorin2012-10-1114-2862/+4444
| | | | | | | Patch generated by: cd install/po make pull-po make update-po
* Explicitly disable betxn plugins for the time being.Rob Crittenden2012-10-105-0/+104
| | | | | | | | This should work with 389-ds-base 1.2.x and 1.3.0. Without other plugin changes 389-ds-base can deadlock. https://fedorahosted.org/freeipa/ticket/3046
* Do not show full SSH public keys in command output by default.Jan Cholasta2012-10-111-3/+3
|
* Use stricter requirement for krb5-serverSimo Sorce2012-10-101-0/+1
| | | | | | | | Our code strictly depends on 1.10 as the KDC DAL plugin interface is not guaranteed stable and indeed is different in 1.9 and will be different in 1.11 So we cannot allow upgrades to 1.11 until we can provide a plugin that matches 1.11's interface.
* Make sure samba{,4}-winbind-krb5-locator package is not used with trustsAlexander Bokovoy2012-10-091-0/+31
| | | | | | | | Since use of winbind on FreeIPA server that is configured with trusts is conflicting with krb5 locator based on winbind, use alternatives mechanism to turn off the locator plugin by symlinking it to /dev/null. https://fedorahosted.org/freeipa/ticket/3102
* Configure the initial CA as the CRL generator.Rob Crittenden2012-10-093-3/+30
| | | | | | | | Any installed clones will have CRL generation explicitly disabled. It is a manual process to make a different CA the CRL generator. There should be only one. https://fedorahosted.org/freeipa/ticket/3051
* Create Firefox extension on upgrade and replica-installPetr Viktorin2012-10-105-24/+74
| | | | | | | | If the signing cert is not available, create an unsigned extension. Add a zip dependency to the specfile. https://fedorahosted.org/freeipa/ticket/3150
* replica-install: Don't copy Firefox config extension files if they're not in ↵Petr Viktorin2012-10-101-2/+6
| | | | | | | | the replica file This allows cloning from older masters. https://fedorahosted.org/freeipa/ticket/3150
* ipa-upgradeconfig: Remove the upgrade_httpd_selinux functionPetr Viktorin2012-10-101-8/+0
| | | | This function was never called from anywhere.
* Add cifs principal to S4U2Proxy targets only when running ipa-adtrust-installAlexander Bokovoy2012-10-095-24/+42
| | | | | | | | | | | Since CIFS principal is generated by ipa-adtrust-install and is only usable after setting CIFS configuration, there is no need to include it into default setup. This should fix upgrades from 2.2 to 3.0 where CIFS principal does not exist by default. https://fedorahosted.org/freeipa/ticket/3041
* Notify user about necessary ports in ipa-client-installTomas Babej2012-10-092-2/+19
| | | | | | | | | | | | Connection error message in ipa-client-install now warns the user about the need of opening of all the necessary ports for ipa-client enrollment when error that might have been caused by closed ports is encountered. Mentions the ports needed after the client enrollment as well. Improves other error messages during installation in various ways. https://fedorahosted.org/freeipa/ticket/2816
* Fix CS replication management.Rob Crittenden2012-10-092-23/+57
| | | | | | | | | | | | | | | | | The master side should be on the local side, replica1, not the remote. This required reversing a few master variables. This impacts the naming of the replication agreements. When deleting an agreement pass in the DN of that agreement rather than trying to calculate what it is on-the-fly. We cannot be sure which side is the master/clone and since we search for it anyway to determine if the agreement exists it is more correct to use what we find. The force flag wasn't being passed into del_link so there was no way to force a deletion. https://fedorahosted.org/freeipa/ticket/2858
* Fix wrong RID for Domain Admins in the examples of trust commandsAlexander Bokovoy2012-10-101-2/+2
|
* Fix CA CRL migration crash in ipa-upgradeconfigMartin Kosek2012-10-102-16/+31
| | | | | | | | | | | | | | | | | CRL migrate procedure did not check if a CA was actually configured on an updated master/replica. This caused ipa-upgradeconfig to crash on replicas without a CA. Make sure that CRL migrate procedure is not run when CA is not configured on given master. Also add few try..except clauses to make the procedure more robust. There is also a small refactoring of "<service> is not configured" log messages, so that they have matching log level and message. dogtag.py constants were updated to have a correct path to new CRL directory on Fedora 18 (dogtag 10). https://fedorahosted.org/freeipa/ticket/3159
* Set renewal time for the CA audit certificate to 720 days.Rob Crittenden2012-10-092-7/+47
| | | | | | | | The initial certificate is issued for two years but renewals are for six months for some reason. This fixes it for new and updated IPA installs. https://fedorahosted.org/freeipa/ticket/2951
* Add uniqueness plugin configuration for sudorule cnRob Crittenden2012-10-083-0/+35
| | | | | | | | | We do a search looking for duplicate values but this leaves open the possibility that two adds are happening at the same time so both searches return NotFound therefore we get two entries with the same cn value. https://fedorahosted.org/freeipa/ticket/3017
* Move CRL publish directory to IPA owned directoryMartin Kosek2012-10-097-24/+146
| | | | | | | | | | | | | | | | | | | | | | | Currently, CRL files are being exported to /var/lib/pki-ca sub-directory, which is then served by httpd to clients. However, this approach has several disadvantages: * We depend on pki-ca directory structure and relevant permissions. If pki-ca changes directory structure or permissions on upgrade, IPA may break. This is also a root cause of the latest error, where the pki-ca directory does not have X permission for others and CRL publishing by httpd breaks. * Since the directory is not static and is generated during ipa-server-install, RPM upgrade of IPA packages report errors when defining SELinux policy for these directories. Move CRL publish directory to /var/lib/ipa/pki-ca/publish (common for both dogtag 9 and 10) which is created on RPM upgrade, i.e. SELinux policy configuration does not report any error. The new CRL publish directory is used for both new IPA installs and upgrades, where contents of the directory (CRLs) is first migrated to the new location and then the actual configuration change is made. https://fedorahosted.org/freeipa/ticket/3144
* Add mime type to httpd ipa.conf for xpi exetensionPetr Vobornik2012-10-091-1/+2
| | | | | | Some configuration doesn't give proper mime type to xpi files. This patch explicitly sets it. https://fedorahosted.org/freeipa/ticket/3094
* Minor fixes for default SMB groupMartin Kosek2012-10-093-4/+4
| | | | | | | | This patch contains additional minor fixes which were proposed during review but were not pushed (accidentaly). Also amends a name of the default SMB group in a list of protected groups in group.py. https://fedorahosted.org/freeipa/ticket/3147
* Fix trust attributes for ipa trust-addSimo Sorce2012-10-091-1/+1
| | | | | The RC4 flags in the trust attributes makes sense only fro trust type MIT We are using the UPLEVEL trust type.
* ipadb: reload trust information if domain is not knownSumit Bose2012-10-091-1/+39
| | | | | | | | | | Currently the data about trusted domains is read once at startup. If a new trust is added the KDC must be restarted to know about the new trust. This patch reloads the trust data if there is a request from an unknown domain. To make DOS attacks a bit harder the data can be updated only once in a minute. Fixes https://fedorahosted.org/freeipa/ticket/3156
* ipa-adtrust-install: create fallback group with ldif fileSumit Bose2012-10-093-30/+20
| | | | | | | | | | Currently the framework is used to add the group but we want to avoid that users are added explicitly to the group by removing the objectclasses groupofnames, ipausergroup and nestedgroup and we want to use a name with spaces in it. Both it not easy possible with the framework, a LDIF file is used instead to create the group. Fixes https://fedorahosted.org/freeipa/ticket/3147
* Handle NotFound exception when establishing trustAlexander Bokovoy2012-10-091-3/+34
| | | | | | | | | | | Establishing trust implies discovery of the trusted domain's domain controller via DNS. If DNS discovery is not possible, NotFound exception is raised. Intercept the exception and process it to help diagnose and fix actual problem: - if IPA is managing DNS, suggest to make a forward for the domain's zone - otherwise suggest to setup DNS forwarder at upstream DNS server https://fedorahosted.org/freeipa/ticket/3103
* support multi-line error messages in exceptionsAlexander Bokovoy2012-10-093-10/+42
|
* ipasam: generate proper SID for trusted domain objectSumit Bose2012-10-041-8/+49
|
* Add new ipaIDobject to DNA plugin configuratonSumit Bose2012-10-042-1/+6
|
* ipa-adtrust-install: print list of needed SRV recordsSumit Bose2012-10-041-9/+13
| | | | | | | If --no-msdcs is given on the command line all needed SRV records will be printed. Fixes https://fedorahosted.org/freeipa/ticket/3019
* Avoid ldapmodify error messages during ipa-adtrust-installSumit Bose2012-10-041-13/+34
| | | | Fixes https://fedorahosted.org/freeipa/ticket/3012
* Add SIDs for existing users and groups at the end of ipa-adtrust-installSumit Bose2012-10-046-12/+43
| | | | Fixes https://fedorahosted.org/freeipa/ticket/3104
* ipasam: add fallback primary groupSumit Bose2012-10-041-7/+230
| | | | https://fedorahosted.org/freeipa/ticket/2955
* ipa-adtrust-install: replace print with self.print_msgSumit Bose2012-10-041-14/+14
| | | | https://fedorahosted.org/freeipa/ticket/3019
* ipa-adtrust-install: Add fallback groupSumit Bose2012-10-042-13/+97
| | | | https://fedorahosted.org/freeipa/ticket/2955
* Removal of delegation-uris instruction from browser configPetr Vobornik2012-10-041-1/+0
| | | | | | Delegation is not needed since support of s4u2proxy mechanism. https://fedorahosted.org/freeipa/ticket/3094
* Configuration pages changed to use new FF extensionPetr Vobornik2012-10-0413-48/+550
| | | | | | | | | | | | | | | browserconfig.html was changed to use new FF extension. The page is completely Firefox specific therefore the title was changed from 'Configure browser' to 'Firefox configuration'. Instruction to import CA cert in unauthorized.html are FF specific too, so they were moved to browserconfig.html. Unauthorized.html text was changed to distinguish FF config and other browsers. Now the page shows link for FF (browserconfig.html) and other browsers (ssbrowser.html). Ssbrowser.html should be enhanced by more configurations and browsers later [1]. Old configuration method was moved to ssbrowser.html. Unauthorized dialog in Web UI now links to http://../unauthorized.html instead of https. This change is done because of FF strange handling of extension installations from https sites [2]. Firefox allows ext. installation from https sites only when the certificate is signed by some build-in CA. To allow custom CAs an option in about:config has to be changed which don't help us at all because we wants to avoid manual changes in about:config. The design of browserconfig is inspired by Kyle Baker's design (2.1 Enhancements_v2.odt). It is not exactly the same. Highlighting of the steps wasn't used because in some cases we can switch some steps. Ticket: https://fedorahosted.org/freeipa/ticket/3094 [1] https://fedorahosted.org/freeipa/ticket/823 [2] https://bugzilla.mozilla.org/show_bug.cgi?id=688383
* Build and installation of Kerberos authentication extensionPetr Vobornik2012-10-046-2/+32
| | | | | | | | | | | | This patch is adding a build of kerberosauth.xpi (FF Kerberos authentication extension). Currently the build is done in install phase of FreeIPA server. It is to allow signing of the extension by singing certificate. The signing might not be necessary because the only outcome is that in extension installation FF doesn't show that the maker is not verified. It shows text: 'Object signing cert'. This might be a bug in httpinstance.py:262(db.create_signing_cert("Signing-Cert", "Object Signing Cert", ca_db)) The value is in place of hostname parameter. If the extension is not signed, it can be created in rpm build phase, which should make upgrades easier. Current implementation doesn't handle upgrades yet. In order to keep extension and config pages not dependent on a realm, a krb.js.teplate file was created. This template is used for creating a /usr/share/ipa/html/krb.js file in install phase which holds FreeIPA's realm and domain information. This information can be then used by config pages by importing this file. Ticket: https://fedorahosted.org/freeipa/ticket/3094
* Kerberos authentication extension makefilesPetr Vobornik2012-10-048-0/+111
| | | | | | Makefiles for new FF kerberos authentication extension ihttps://fedorahosted.org/freeipa/ticket/3094
* Kerberos authentication extensionPetr Vobornik2012-10-046-0/+306
| | | | | | | | | | | | | | | | | | | The extension should replace signed code (configure.jar) used for Firefox configuration. Using privileged code is not possible since Firefox 15 [1] [2]. Extension is bootstrapped which means it can be used without browser restart on Firefox 4 and later. How it works: Extension listens on each page's document element for event 'kerberos-auth-config' which should be raised on custom data element. Communication data is transferred through data element's attributes [3]. The only required attribute is 'method'. Currently there are two possible values: 'configure' and 'can_configure'. 'can_configure' method serves for detecting if the extension is installed. 'configure' method does the actual configuration. Possible optional options for 'configure' can be found in kerberosauth.js:kerberosauth.config_options. Currently they are: 'referer', 'native_gss_lib', 'trusted_uris', 'allow_proxies'. Result of a method is stored in data element's 'answer' attribute. When 'configure' method is used, the extension asks the user if he wants to configure the browser, it should prevent silent configuration by malicious pages. Possible enhancement: * add UI for manual edit * more configurations ie. for gss_lib, sspi (good with UI or with enhanced config page) * introspection of client (read ipa client install config and such) Ticket: https://fedorahosted.org/freeipa/ticket/3094 [1] https://bugzilla.mozilla.org/show_bug.cgi?id=546848 [2] https://bugzilla.mozilla.org/show_bug.cgi?id=757046 [3] https://developer.mozilla.org/en-US/docs/Code_snippets/Interaction_between_privileged_and_non-privileged_pages
* Support python-ldap 2.3 way of making LDAP controlAlexander Bokovoy2012-10-041-3/+11
| | | | | | | | This strange patch is to accomodate both python-ldap 2.3 and later versions. There was refactoring in python-ldap support for LDAP controls that split base class into two different, changing properties and method signatures. Luckily, we don't use any values passed to encodeControlValue.
* ipa-adtrust-install: remove wrong check for dm_passwordSumit Bose2012-10-041-4/+0
| | | | | | | Additionally this patch removes a comment which makes no sense at this place anymore. Fixes https://fedorahosted.org/freeipa/ticket/3023
* Clear kernel keyring in client installer, save dbdir on new connectionsRob Crittenden2012-10-032-1/+25
| | | | | | | | | | | | | | | | | | | This patch addresses two issues: 1. If a client is previously enrolled in an IPA server and the server gets re-installed then the client machine may still have a keyring entry for the old server. This can cause a redirect from the session URI to the negotiate one. As a rule, always clear the keyring when enrolling a new client. 2. We save the NSS dbdir in the connection so that when creating a new session we can determine if we need to re-initialize NSS or not. Most of the time we do not. The dbdir was not always being preserved between connections which could cause an NSS_Shutdown() to happen which would fail because of existing usage. This preserves the dbdir information when a new connection is created as part of the session mechanism. https://fedorahosted.org/freeipa/ticket/3108
* Wait for secure Dogtag ports when starting the pki servicesPetr Viktorin2012-10-031-4/+4
| | | | | | | | Dogtag opens not only the insecure port (8080 or 9180, for d10 and d9 respectively), but also secure ports (8443 or 9443&9444). Wait for them when starting. Part of the fix for https://fedorahosted.org/freeipa/ticket/3084
* Fill ipakrbprincipalalias on upgradesMartin Kosek2012-10-023-1/+102
| | | | | | | | | | | | | | From IPA 3.0, services have by default ipakrbprincipal objectclass which allows ipakrbprincipalalias attribute used for case-insensitive principal searches. However, services created in previous version do not have this objectclass (and attribute) and thus case-insensitive searches may return inconsistent results. Fill ipakrbprincipalalias on upgrades for all 2.x services. Also treat Treat the ipakrbprincipal as optional to avoid missing services in service-find command if the upgrade fails for any reason. https://fedorahosted.org/freeipa/ticket/3106
* Restrict admins group modificationsTomas Babej2012-10-033-6/+56
| | | | | | | | Group-mod command no longer allows --rename and/or --external changes made to the admins group. In such cases, ProtectedEntryError is being raised. https://fedorahosted.org/freeipa/ticket/3098
* Add --rid-base and --secondary-rid-base to ipa-adtrust-install man pageSumit Bose2012-10-031-0/+10
| | | | Fixes https://fedorahosted.org/freeipa/ticket/3038
* Enhance description of --no-msdcs in man pageSumit Bose2012-10-031-1/+25
| | | | Fixes https://fedorahosted.org/freeipa/ticket/2972
* Add man page paragraph about running ipa-adtrust-install multiple timesSumit Bose2012-10-031-0/+8
| | | | Fixes https://fedorahosted.org/freeipa/ticket/2967
* Improve user addition to default group in user-addTomas Babej2012-10-032-1/+74
| | | | | | | | | | On adding new user, user-add tries to make it a member of default user group. This, however, can raise AlreadyGroupMember when the user is already member of this group due to automember rule or default group configured. This patch makes sure AlreadyGroupMember exception is caught in such cases. https://fedorahosted.org/freeipa/ticket/3097
generated by cgit (git 2.34.1) at 2024-06-22 06:07:51 +0000