Commit message | Author | Age | Files | Lines
* client referral support for trusted domain principals [4-2-trust-fixes] | Alexander Bokovoy | 2015-09-03 | 3 | -0/+123
  https://fedorahosted.org/freeipa/ticket/3559
* Use %license instead of %doc for packaging the license | Rob Crittenden | 2015-08-31 | 1 | -5/+10
  https://fedorahosted.org/freeipa/ticket/5227
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* cert renewal: Automatically update KRA agent PEM file | Jan Cholasta | 2015-08-27 | 1 | -1/+11
  https://fedorahosted.org/freeipa/ticket/5253
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* cert renewal: Include KRA users in Dogtag LDAP update | Jan Cholasta | 2015-08-27 | 1 | -4/+9
  https://fedorahosted.org/freeipa/ticket/5253
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fix user tracker to reflect new user-del message | Lenka Doudova | 2015-08-27 | 1 | -1/+1
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* ipactl: Do not start/stop/restart single service multiple times | David Kupka | 2015-08-26 | 1 | -1/+16
  In case multiple services are provided by a single system daemon it is not needed to start/stop/restart it multiple times.
  https://fedorahosted.org/freeipa/ticket/5248
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* vault: Limit size of data stored in vault | David Kupka | 2015-08-26 | 1 | -1/+20
  https://fedorahosted.org/freeipa/ticket/5231
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* vault: fix vault tests after default type change | Petr Vobornik | 2015-08-26 | 1 | -2/+9
  https://fedorahosted.org/freeipa/ticket/5251
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* certprofile: prevent rename (modrdn) | Fraser Tweedale | 2015-08-26 | 1 | -2/+3
  Fixes: https://fedorahosted.org/freeipa/ticket/5247
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Removed clear text passwords from KRA install log. | Endi S. Dewata | 2015-08-26 | 2 | -8/+10
  The ipa-kra-install tool has been modified to use password files instead of clear text passwords when invoking pki tool such that the passwords are no longer visible in ipaserver-kra-install.log.
  https://fedorahosted.org/freeipa/ticket/5246
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* webui: add option to establish bidirectional trust | Petr Vobornik | 2015-08-26 | 1 | -1/+12
  https://fedorahosted.org/freeipa/ticket/5259
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* fix missing information in object metadata | Petr Vobornik | 2015-08-26 | 1 | -3/+14
  Missing 'required' values in takes_params causes Web UI to treat required fields as optional.
  Regression caused by ba0a1c6b33e2519a48754602413c8379fb1f0ff1
  https://fedorahosted.org/freeipa/ticket/5258
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* vault: change default vault type to symmetric | Petr Vobornik | 2015-08-26 | 3 | -9/+14
  https://fedorahosted.org/freeipa/ticket/5251
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* spec file: Add Requires(post) on selinux-policy | Jan Cholasta | 2015-08-26 | 1 | -1/+1
  This prevents ipa-server-upgrade failures on SELinux AVCs because of old selinux-policy version.
  https://fedorahosted.org/freeipa/ticket/5256
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Added support for changing vault encryption. | Endi S. Dewata | 2015-08-25 | 4 | -15/+498
  The vault-mod command has been modified to support changing vault encryption attributes (i.e. type, password, public/private keys) in addition to normal attributes (i.e. description). Changing the encryption requires retrieving the stored secret with the old attributes and rearchiving it with the new attributes.
  https://fedorahosted.org/freeipa/ticket/5176
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNSSEC: fix forward zone forwarders checks | Martin Basti | 2015-08-25 | 1 | -6/+7
  https://fedorahosted.org/freeipa/ticket/5179
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Automated test for stageuser plugin | Lenka Doudova | 2015-08-25 | 3 | -6/+1421
  Ticket: https://fedorahosted.org/freeipa/ticket/3813
  Test plan: http://www.freeipa.org/page/V4/User_Life-Cycle_Management/Test_Plan
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
* improve the usability of `ipa user-del --preserve` command | Martin Babinsky | 2015-08-25 | 1 | -57/+66
  `ipa user-del` with `--preserve` option will now process multiple entries and handle `--continue` option in a manner analogous to `ipa user-del` in normal mode.
  In addition, it is now no longer possible to permanently delete a user by accidentally running `ipa user-del --preserve` twice.
  https://fedorahosted.org/freeipa/ticket/5234
  https://fedorahosted.org/freeipa/ticket/5236
  Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Change internal rsa_(public|private)_key variable names | Christian Heimes | 2015-08-24 | 1 | -4/+4
  In two places the vault plugin refers to rsa public or rsa private key although the code can handle just any kind of asymmetric algorithms, e.g. ECDSA. The patch just renames the occurrences to avoid more confusion in the future.
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Temporary fix for ticket 5240 | Oleg Fayans | 2015-08-24 | 1 | -2/+2
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Added a user-friendly output to an import error | Oleg Fayans | 2015-08-24 | 1 | -1/+5
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* trusts: format Kerberos principal properly when fetching trust topology | Alexander Bokovoy | 2015-08-24 | 1 | -1/+6
  For bidirectional trust if we have AD administrator credentials, we should be using them with Kerberos authentication. If we don't have AD administrator credentials, we should be using HTTP/ipa.master@IPA.REALM credentials. This means we should ask formatting 'creds' object in Kerberos style.
  For one-way trust we'll be fetching trust topology as TDO object, authenticating with pre-created Kerberos credentials cache, so in all cases we do use Kerberos authentication to talk to Active Directory domain controllers over cross-forest trust link.
  Part of trust refactoring series.
  Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1250190
  Fixes: https://fedorahosted.org/freeipa/ticket/5182
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Add user-stage command | Martin Basti | 2015-08-21 | 4 | -39/+70
  This patch replaces 'stageuser-add --from-delete' with new command user-stage.
  The original way always required specifying first and last name, and the overall combination of options was hard to manage.
  The new command requires only login of deleted user (user-del --preserve).
  https://fedorahosted.org/freeipa/ticket/5041
  Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipatests: Take otptoken import test out of execution | Milan Kubík | 2015-08-20 | 1 | -0/+2
  The issue reported in ticket [1] hasn't been solved yet. This patch prevents the test cases for OTP import being run.
  The change is intended as a *temporary* workaround until a proper fix for the issue is introduced.
  [1] https://fedorahosted.org/freeipa/ticket/5192
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Add flag to list all service and user vaults | Christian Heimes | 2015-08-19 | 3 | -18/+38
  The vault-find plugin has two additional arguments to list all service vaults or user vaults. Since the name of a vault is only unique for a particular user or service, the commands also print the vault user or vault service. The virtual attributes were added in rev 01dd951ddc0181b559eb3dd5ff0336c81e245628.
  Example:
    $ ipa vault-find --users
    ----------------
    2 vaults matched
    ----------------
      Vault name: myvault
      Type: standard
      Vault user: admin

      Vault name: UserVault
      Type: standard
      Vault user: admin
    ----------------------------
    Number of entries returned 2
    ----------------------------

    $ ipa vault-find --services
    ----------------
    2 vaults matched
    ----------------
      Vault name: myvault
      Type: standard
      Vault service: HTTP/ipatest.freeipa.local@FREEIPA.LOCAL

      Vault name: myvault
      Type: standard
      Vault service: ldap/ipatest.freeipa.local@FREEIPA.LOCAL
    ----------------------------
    Number of entries returned 2
    ----------------------------
  https://fedorahosted.org/freeipa/ticket/5150
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Backup/restore authentication control configuration | David Kupka | 2015-08-19 | 5 | -0/+37
  https://fedorahosted.org/freeipa/ticket/5071
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* client: Add description of --ip-address and --all-ip-addresses to man page | David Kupka | 2015-08-19 | 1 | -0/+6
  https://fedorahosted.org/freeipa/ticket/4249
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* cert-request: remove allowed extensions check | Fraser Tweedale | 2015-08-19 | 1 | -19/+3
  cert-request currently permits a limited number of request extensions; uncommon and esoteric extensions are prohibited and this limits the usefulness of custom profiles.
  The Dogtag profile has total control over what goes into the final certificate and has the option to reject request based on the request extensions present or their values, so there is little reason to restrict what extensions can be used in FreeIPA. Remove the check.
  Fixes: https://fedorahosted.org/freeipa/ticket/5205
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Server Upgrade: Start DS before CA is started. | Martin Basti | 2015-08-19 | 1 | -2/+12
  https://fedorahosted.org/freeipa/ticket/5232
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Add dependency to SSSD 1.13.1 | Martin Basti | 2015-08-19 | 1 | -2/+2
  SSSD 1.13.1 has required functionality to support dualstack and multihomed
  https://fedorahosted.org/freeipa/ticket/4249
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* vault: Add container information to vault command results | Jan Cholasta | 2015-08-19 | 1 | -0/+44
  https://fedorahosted.org/freeipa/ticket/5150
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* vault: Fix vault-find with criteria | Jan Cholasta | 2015-08-19 | 1 | -1/+1
  https://fedorahosted.org/freeipa/ticket/5212
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* client: Add support for multiple IP addresses during installation. | David Kupka | 2015-08-18 | 1 | -66/+223
  https://fedorahosted.org/freeipa/ticket/4249
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* improve the handling of krb5-related errors in dnssec daemons | Martin Babinsky | 2015-08-18 | 3 | -4/+20
  ipa-dnskeysync* and ipa-ods-exporter handle Kerberos errors more gracefully instead of crashing with tracebacks.
  https://fedorahosted.org/freeipa/ticket/5229
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Prohibit deletion of predefined profiles | Fraser Tweedale | 2015-08-18 | 2 | -5/+16
  Deletion of predefined profiles, including the default profile, should not be allowed. Detect this case and raise an error.
  Also update the predefined profiles collection to use namedtuple, making it easier to access the various components.
  Fixes: https://fedorahosted.org/freeipa/ticket/5198
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* user-undel: Fix error messages. | David Kupka | 2015-08-18 | 1 | -7/+5
  https://fedorahosted.org/freeipa/ticket/5207
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* trusts: harden trust-fetch-domains oddjobd-based script | Alexander Bokovoy | 2015-08-18 | 2 | -5/+28
  When ipa-getkeytab is used to fetch trusted domain object credentials, the fetched entry has always kvno 1. ipa-getkeytab always adds a key to keytab which means older key versions will be in the SSSD keytab and will confuse libkrb5 ccache initialization code as all kvno values are equal to 1. Wrong key is picked up then and kinit fails.
  To solve this problem, always remove existing /var/lib/sss/keytabs/forest.keytab before retrieving a new one. To make sure the script's input cannot be used to define what should be removed (by passing a relative path), make sure we retrieve the trusted forest name from LDAP. If it is not possible to retrieve, the script will issue an exception and quit. If abrtd is running, this will be recorded as a 'crash' and an attempt to use the script by a malicious user would be recorded as well in the abrtd journal.
  Additionally, as com.redhat.idm.trust-fetch-domains will create ID ranges for the domains of the trusted forest if they don't exist, it needs permissions to do so. The permission should be granted only to cifs/ipa.master@IPA.REALM services which means they must have krbprincipalname=cifs/*@IPA.REALM,cn=services,... DN and be members of cn=adtrust agents,cn=sysaccounts,... group.
  Solves https://bugzilla.redhat.com/show_bug.cgi?id=1250190
  Ticket https://fedorahosted.org/freeipa/ticket/5182
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* install: Fix replica install with custom certificates | Jan Cholasta | 2015-08-18 | 1 | -8/+9
  https://fedorahosted.org/freeipa/ticket/5226
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* ipa-restore: check whether DS is running before attempting connection | Martin Babinsky | 2015-08-18 | 1 | -0/+7
  https://fedorahosted.org/freeipa/ticket/4838
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* vault: validate vault type | Petr Vobornik | 2015-08-18 | 3 | -7/+8
  https://fedorahosted.org/freeipa/ticket/5211
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* vault: normalize service principal in service vault operations | Petr Vobornik | 2015-08-18 | 1 | -0/+2
  https://fedorahosted.org/freeipa/ticket/5233
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Fixed vault container ownership. | Endi S. Dewata | 2015-08-18 | 1 | -3/+24
  The vault-add command has been fixed such that if the user/service private vault container does not exist yet it will be created and owned by the user/service instead of the vault creator.
  https://fedorahosted.org/freeipa/ticket/5194
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* vault: Fix param labels in output of vault owner commands | Jan Cholasta | 2015-08-18 | 1 | -0/+12
  https://fedorahosted.org/freeipa/ticket/5214
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* baseldap: Allow overriding member param label in LDAPModMember | Jan Cholasta | 2015-08-18 | 1 | -2/+3
  https://fedorahosted.org/freeipa/ticket/5214
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* ipa-backup: archive DNSSEC zone file and kasp.db | Martin Babinsky | 2015-08-17 | 1 | -0/+2
  https://fedorahosted.org/freeipa/ticket/5159
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* fix typo in BasePathNamespace member pointing to ods exporter config | Martin Babinsky | 2015-08-17 | 3 | -3/+3
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* winsync-migrate: Expand the man page | Tomas Babej | 2015-08-17 | 1 | -1/+26
  https://fedorahosted.org/freeipa/ticket/5162
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* winsync-migrate: Add warning about passsync | Tomas Babej | 2015-08-17 | 1 | -0/+8
  https://fedorahosted.org/freeipa/ticket/5162
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* trusts: Detect missing Samba instance | Tomas Babej | 2015-08-17 | 1 | -20/+79
  In the event of invocation of trust related commands, IPA server needs to contact local Samba instance. This is not possible on servers that merely act as AD trust agents, since they do not have Samba instance running.
  Properly detect the absence of the Samba instance and output a user-friendly message which includes a list of servers that are capable of running the command, if such exist.
  List of commands affected:
    * ipa trust-add
    * ipa trust-fetch-domains
    * all of the trustdomain commands available via CLI
  https://fedorahosted.org/freeipa/ticket/5165
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* trusts: Detect domain clash with IPA domain when adding an AD trust | Tomas Babej | 2015-08-17 | 1 | -0/+8
  When IPA is deployed in the same domain as AD, trust-add fails since the names of the local domain and trusted domain ranges are the same - it's always DOMAIN.NAME_id_range.
  When adding a trusted domain, we look for previous ranges for this domain (which may have been left behind by previous trust attempts). Since AD and IPA are in the same domain, we find a local domain range, which does not have a SID.
  Detect such domain collisions early and bail out with an appropriate error message.
  https://fedorahosted.org/freeipa/ticket/4549
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>