| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
| |
This reverts commit f7e27b547547be06f511a3ddfaff8db7d0b7898f.
This test was failing because we were adding a permission as a member
of a role before creating the permission, so no memberof was generated.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In order to have control over the order that updates are applied
a numbering system was created for the update files. These values
were not actually used.
The updates were sorted by DN length and in most cases this was
adequate for proper function. The exception was with roles where
in some cases a role was added as a member of a permission before
the role itself was added so the memberOf value was never created.
Now updates are computed and applied in blocks of 10.
https://fedorahosted.org/freeipa/ticket/3377
|
|
|
|
|
|
|
|
|
| |
This will allow one to backup and restore the IPA files and data. This
does not cover individual entry restoration.
http://freeipa.org/page/V3/Backup_and_Restore
https://fedorahosted.org/freeipa/ticket/3128
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3503
|
|
|
|
|
|
|
|
|
| |
Fix output of dnsrecord_del: it now uses output.standard_delete
and excludes --all and --raw flags.
Fix output of sudorule_{add,remove}_option: they now use
output.standard_entry and include --all and --raw flags.
https://fedorahosted.org/freeipa/ticket/3503
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3552
|
|
|
|
|
|
| |
A commonName attribute has no meaning in DNS records.
https://fedorahosted.org/freeipa/ticket/3514
|
|
|
|
| |
Refactoring of radio widget (04325fbb4c64ee4aef6d8c9adf0ff95b8b653101) caused that value is no longer supplied to value_change handler.
|
|
|
|
|
|
| |
When trust is not configured trust-config page is raising an error. Trusts search page won't find anything either -> no use for the pages -> hiding.
https://fedorahosted.org/freeipa/ticket/3333
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3333
|
|
|
|
|
|
|
| |
As find_entry_by_attr no longer adds $SUFFIX to searched base DN,
trustconfig-mod could not find POSIX group to when validating the
new ipantfallbackprimarygroup value. This patch fixes this
regression.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Added flag for each groups type: --posix, --nonposix, --external to group-find command.
Group types:
* non-POSIX: not posix, not external
* POSIX: with objectclass posixgroup
* external: with objectclass ipaexternalgroup
https://fedorahosted.org/freeipa/ticket/3483
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3554
|
|
|
|
|
|
|
|
|
|
|
|
| |
Permission details page was incorrectly evaluated as dirty (update button enabled) right after load when permission type={subtree,filter} and some attrs are set.
Can be reproduced by opening 'Modify Automount maps' permission.
The culprit is that attrs widget is populated and dirty-checked even targets where it doesn't belong.
Fixed by running target_mapping action only for visible targets.
https://fedorahosted.org/freeipa/ticket/3527
|
|
|
|
|
|
|
| |
Find out Kerberos middle version to infer ABI changes in DAL driver.
We cannot load DAL driver into KDC with wrong ABI. This is also needed to
support ipa-devel repository where krb5 1.11 is available for Fedora 18.
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3329
|
|
|
|
|
|
|
|
| |
The CA cert (/etc/ipa/ca.crt) was not being removed
on client uninstall, causing failure on subsequent client
installation in some cases.
https://fedorahosted.org/freeipa/ticket/3537
|
|
|
|
|
|
|
|
|
|
| |
ipa <command> -h only showed the summary string, not the full help.
Use the full docstring. Add a custom help formatter that disables
optparse's reformatting.
Test included
https://fedorahosted.org/freeipa/ticket/3543
|
| |
|
|
|
|
|
|
|
|
|
| |
Extend DNS RR conflict check and forbid DNAME+NS combination unless
it is done in root DNS zone record.
Add tests to verify this enforced check.
https://fedorahosted.org/freeipa/ticket/3449
|
|
|
|
|
|
|
|
|
|
|
| |
Refactor DNS RR conflict validator so that it is better extensible in
the future. Also check that there is only one CNAME defined for
a DNS record.
PTR+CNAME record combination is no longer allowed as we found out it
does not make sense to have this combination.
https://fedorahosted.org/freeipa/ticket/3450
|
|
|
|
|
|
|
|
| |
These DNS attributeTypes are of a singleton type, update LDAP schema
to reflect it.
https://fedorahosted.org/freeipa/ticket/3440
https://fedorahosted.org/freeipa/ticket/3450
|
|
|
|
|
|
|
|
|
| |
Pulls the following fixes:
- upgrade deadlock caused by DNA plugin reconfiguration
- CVE-2013-1897: unintended information exposure when rootdse is
enabled
https://fedorahosted.org/freeipa/ticket/3540
|
|
|
|
|
|
|
|
|
| |
The ipa-replica-install script tries to add replica's A and PTR
records to the master DNS, if master does manage DNS. However,
master need not manage replica's zone. Properly handle this use
case.
https://fedorahosted.org/freeipa/ticket/3496
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3539
|
|
|
|
| |
Part of the work for: https://fedorahosted.org/freeipa/ticket/3363
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3536
|
|
|
|
| |
Part of the work for: https://fedorahosted.org/freeipa/ticket/3363
|
|
|
|
|
|
|
|
|
| |
The CA cert was not loaded, so if it was missing from the PKCS#12 file,
installation would fail.
Pass the cert filename to the server installers and include it in
the NSS DB.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3363
|
|
|
|
|
| |
Design: http://freeipa.org/page/V3/CA-less_install
https://fedorahosted.org/freeipa/ticket/3363
|
| |
|
|
|
|
|
| |
Instead of trusting all certificates with friendly names,
now all certs without a "u" flag are trusted as root certs.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
wrapper
The CertDB class was meant to be a wrapper around NSS databases,
certutil, pk12util, etc. Unfortunately, over time it grew too
dependent on the particular scenarios it is used in.
Introduce a new class that has no knowledge about IPA configuration,
and move generic code to it.
In the future, generic code should be moved to NSSDatabase, code
for the self-signed CA should be removed, and IPA-specific code may
stay in CertDB (which calls NSSDatabase).
|
| |
|
|
|
|
|
|
|
|
|
| |
Instead, certificates in pkcs12 files can be given to set up
IPA with no CA at all.
Use a flag, setup_ca, to signal if a CA is being installed.
Design: http://freeipa.org/page/V3/Drop_selfsign
Part of the work for: https://fedorahosted.org/freeipa/ticket/3494
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
installation
We pass names of files with pkcs12 pins to installers which may continue to
use the files after the initial call to create_instance, at which point
the installer has already removed them.
Also, some of the files were not properly removed on failure.
Use ipautil.write_tmp_file for the pin files, which returns a
NamedTemporaryFile object that removes the underlying file when it is
garbage-collected.
Create the files at start of installation. This will allow checking
the pkcs#12 files before the system is modified.
|
|
|
|
|
|
|
|
|
|
| |
As described on http://www.freeipa.org/page/V3/MultipleTrustServers,
notice if FreeIPA server is a replica and adtrust agents contains members
corresponding to the cifs/ services from replication partners.
Only these servers will be advertised as SMB domain controllers
https://fedorahosted.org/freeipa/ticket/2189
|
|
|
|
|
|
|
|
|
| |
ipakrbauthzdata accepts [null, 'NONE', 'MS-PAC, 'PAD']
New nesting feature of radios/checkboxes was used to handle mutual exclusivity between
['MS-PAC', 'PAD'], 'NONE' and ''.
https://fedorahosted.org/freeipa/ticket/3404
|
|
|
|
|
|
|
|
|
| |
New component: option_widget_base. It's not a regular widget but it share some of its characteristics. It should extend regular widget or it can be nested in itself alone.
checkbox_widget, checkboxes_widget, radio_widget were modified to use it.
Built as a prerequisite for:
https://fedorahosted.org/freeipa/ticket/3404
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3329
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
PASSDB API in Samba adds support for specifying UPN suffixes. The change
in ipasam will allow to pass through list of realm domains as UPN suffixes
so that Active Directory domain controller will be able to recognize
non-primary UPN suffixes as belonging to IPA and properly find our KDC
for cross-realm TGT.
Since Samba already returns primary DNS domain separately, filter it out
from list of UPN suffixes.
Also enclose provider of UPN suffixes into #ifdef to support both
Samba with and without pdb_enum_upn_suffixes().
Part of https://fedorahosted.org/freeipa/ticket/2848
|
|
|
|
|
|
| |
Certificate parsed out of sslget request to pki-ca was not always
properly formatted and it may still contain DOS line ending. Make
sure that the certificate is printed with correct line ending.
|
|
|
|
|
| |
Fedora 19 splitted /var/run and /run directories. Update mod_wsgi
configuration so that it generates its sockets in the right one.
|
|
|
|
|
|
|
|
|
| |
Fedora 19 has splitted /var/run and /run directories while in Fedora
18 it used to be a symlink. Thus, named may expect its PID file to be
in other direct than it really is and fail to start.
Add pid-file configuration option to named.conf both for new
installations and for upgraded machines.
|
|
|
|
|
|
|
|
| |
This required target is no longer needed as systemd from version 38
has its own journal which is also in the basic set of service unit
requirementes.
https://fedorahosted.org/freeipa/ticket/3511
|
|
|
|
|
|
| |
Fix rpm build warnings report in Fedora 19 build.
https://fedorahosted.org/freeipa/ticket/3500
|
|
|
|
|
|
|
|
|
|
|
| |
This patch includes several cleanups needed for Fedora 19 build:
* ipa-kdb is compatible with both krb5 1.10 and 1.11 which contains
an updated DAL interface. Remove the conflict from spec file.
* Fix ipa-ldap-updater call to produce errors only to avoid
cluttering rpm update output
* Remove httpd_conf constant which was not used
https://fedorahosted.org/freeipa/ticket/3502
|
|
|
|
|
|
|
|
| |
cmocka is a more advanced unit test framework for C-code than the
currently used check framework. This patch adds configure checks and
makefile variables so that new unit tests can use cmocka.
Fixes https://fedorahosted.org/freeipa/ticket/3434
|
|
|
|
|
|
|
| |
Add the option to create home directories for users on their
first login to ipa-server-install and ipa-replica-install.
https://fedorahosted.org/freeipa/ticket/3515
|