summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Revert "Fix permission_find test error"Rob Crittenden2013-04-121-0/+1
| | | | | | | This reverts commit f7e27b547547be06f511a3ddfaff8db7d0b7898f. This test was failing because we were adding a permission as a member of a role before creating the permission, so no memberof was generated.
* Apply LDAP update files in blocks of 10, as originally designed.Rob Crittenden2013-04-125-8/+49
| | | | | | | | | | | | | | | In order to have control over the order that updates are applied a numbering system was created for the update files. These values were not actually used. The updates were sorted by DN length and in most cases this was adequate for proper function. The exception was with roles where in some cases a role was added as a member of a permission before the role itself was added so the memberOf value was never created. Now updates are computed and applied in blocks of 10. https://fedorahosted.org/freeipa/ticket/3377
* Full system backup and restoreRob Crittenden2013-04-1212-133/+1648
| | | | | | | | | This will allow one to backup and restore the IPA files and data. This does not cover individual entry restoration. http://freeipa.org/page/V3/Backup_and_Restore https://fedorahosted.org/freeipa/ticket/3128
* Add missing summary message to dnszone_delAna Krivokapic2013-04-112-4/+6
| | | | https://fedorahosted.org/freeipa/ticket/3503
* Fix output for some CLI commandsAna Krivokapic2013-04-115-19/+21
| | | | | | | | | Fix output of dnsrecord_del: it now uses output.standard_delete and excludes --all and --raw flags. Fix output of sudorule_{add,remove}_option: they now use output.standard_entry and include --all and --raw flags. https://fedorahosted.org/freeipa/ticket/3503
* Use only one URL for OCSP and CRL in IPA certificate profile.Jan Cholasta2013-04-111-45/+14
| | | | https://fedorahosted.org/freeipa/ticket/3552
* Remove 'cn' attribute from idnsRecord and idnsZone objectClassesPetr Viktorin2013-04-102-1/+2
| | | | | | A commonName attribute has no meaning in DNS records. https://fedorahosted.org/freeipa/ticket/3514
* Fix regression in group type selection in group adder dialogPetr Vobornik2013-04-101-4/+3
| | | | Refactoring of radio widget (04325fbb4c64ee4aef6d8c9adf0ff95b8b653101) caused that value is no longer supplied to value_change handler.
* Don't show trusts pages when trust is not configuredPetr Vobornik2013-04-103-2/+49
| | | | | | When trust is not configured trust-config page is raising an error. Trusts search page won't find anything either -> no use for the pages -> hiding. https://fedorahosted.org/freeipa/ticket/3333
* Global trust config pagePetr Vobornik2013-04-107-3/+259
| | | | https://fedorahosted.org/freeipa/ticket/3333
* Fix trustconfig-mod primary group errorMartin Kosek2013-04-101-1/+1
| | | | | | | As find_entry_by_attr no longer adds $SUFFIX to searched base DN, trustconfig-mod could not find POSIX group to when validating the new ipantfallbackprimarygroup value. This patch fixes this regression.
* Fix two failing tests due to missing krb ticket flagsRob Crittenden2013-04-091-0/+4
|
* Filter groups by type (POSIX, non-POSIX, external)Petr Vobornik2013-04-095-3/+151
| | | | | | | | | | | Added flag for each groups type: --posix, --nonposix, --external to group-find command. Group types: * non-POSIX: not posix, not external * POSIX: with objectclass posixgroup * external: with objectclass ipaexternalgroup https://fedorahosted.org/freeipa/ticket/3483
* Do actually stop pki_cad in stop_pkicad instead of starting it.Jan Cholasta2013-04-091-2/+2
| | | | https://fedorahosted.org/freeipa/ticket/3554
* Run permission target switch action only for visible widgetsPetr Vobornik2013-04-051-1/+1
| | | | | | | | | | | | Permission details page was incorrectly evaluated as dirty (update button enabled) right after load when permission type={subtree,filter} and some attrs are set. Can be reproduced by opening 'Modify Automount maps' permission. The culprit is that attrs widget is populated and dirty-checked even targets where it doesn't belong. Fixed by running target_mapping action only for visible targets. https://fedorahosted.org/freeipa/ticket/3527
* spec: detect Kerberos DAL driver ABI change from installed krb5-develAlexander Bokovoy2013-04-041-2/+10
| | | | | | | Find out Kerberos middle version to infer ABI changes in DAL driver. We cannot load DAL driver into KDC with wrong ABI. This is also needed to support ipa-devel repository where krb5 1.11 is available for Fedora 18.
* Add ipakrbokasdelegate option to service and host Web UI pagesPetr Vobornik2013-04-048-5/+45
| | | | https://fedorahosted.org/freeipa/ticket/3329
* Remove CA cert on client uninstallAna Krivokapic2013-04-041-0/+9
| | | | | | | | The CA cert (/etc/ipa/ca.crt) was not being removed on client uninstall, causing failure on subsequent client installation in some cases. https://fedorahosted.org/freeipa/ticket/3537
* Display full command documentation in online helpPetr Viktorin2013-04-032-1/+28
| | | | | | | | | | ipa <command> -h only showed the summary string, not the full help. Use the full docstring. Add a custom help formatter that disables optparse's reformatting. Test included https://fedorahosted.org/freeipa/ticket/3543
* Become 3.2.0 Prerelease 1Martin Kosek2013-04-021-3/+3
|
* Improve DNAME record validationMartin Kosek2013-04-022-12/+102
| | | | | | | | | Extend DNS RR conflict check and forbid DNAME+NS combination unless it is done in root DNS zone record. Add tests to verify this enforced check. https://fedorahosted.org/freeipa/ticket/3449
* Improve CNAME record validationMartin Kosek2013-04-022-40/+41
| | | | | | | | | | | Refactor DNS RR conflict validator so that it is better extensible in the future. Also check that there is only one CNAME defined for a DNS record. PTR+CNAME record combination is no longer allowed as we found out it does not make sense to have this combination. https://fedorahosted.org/freeipa/ticket/3450
* Change CNAME and DNAME attributes to single valuedMartin Kosek2013-04-022-2/+4
| | | | | | | | These DNS attributeTypes are of a singleton type, update LDAP schema to reflect it. https://fedorahosted.org/freeipa/ticket/3440 https://fedorahosted.org/freeipa/ticket/3450
* Require 389-base-base 1.3.0.5Martin Kosek2013-04-021-1/+8
| | | | | | | | | Pulls the following fixes: - upgrade deadlock caused by DNA plugin reconfiguration - CVE-2013-1897: unintended information exposure when rootdse is enabled https://fedorahosted.org/freeipa/ticket/3540
* Properly handle ipa-replica-install when its zone is not managed by IPATomas Babej2013-04-021-6/+16
| | | | | | | | | The ipa-replica-install script tries to add replica's A and PTR records to the master DNS, if master does manage DNS. However, master need not manage replica's zone. Properly handle this use case. https://fedorahosted.org/freeipa/ticket/3496
* ipa-pwd-extop: do not use dn until it is really setSumit Bose2013-04-021-20/+20
| | | | https://fedorahosted.org/freeipa/ticket/3539
* Web UI: Disable cert functionality if a CA is not availablePetr Vobornik2013-04-021-11/+13
| | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/3363
* ipa-client-install: Do not request host certificate if server is CA-lessPetr Viktorin2013-04-021-10/+37
| | | | https://fedorahosted.org/freeipa/ticket/3536
* Do not call cert-* commands in host plugin if a RA is not availablePetr Viktorin2013-04-021-76/+87
| | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/3363
* Load the CA cert into server NSS databasesPetr Viktorin2013-04-026-15/+32
| | | | | | | | | The CA cert was not loaded, so if it was missing from the PKCS#12 file, installation would fail. Pass the cert filename to the server installers and include it in the NSS DB. Part of the work for: https://fedorahosted.org/freeipa/ticket/3363
* Support installing with custom SSL certs, without a CAPetr Viktorin2013-04-027-31/+217
| | | | | Design: http://freeipa.org/page/V3/CA-less_install https://fedorahosted.org/freeipa/ticket/3363
* dsinstance, httpinstance: Don't hardcode 'Server-Cert'Petr Viktorin2013-04-022-12/+22
|
* Trust CAs from PKCS#12 files even if they don't have Friendly NamesPetr Viktorin2013-04-021-1/+2
| | | | | Instead of trusting all certificates with friendly names, now all certs without a "u" flag are trusted as root certs.
* ipaserver.install.certs: Introduce NSSDatabase as a more generic certutil ↵Petr Viktorin2013-04-021-95/+191
| | | | | | | | | | | | | | wrapper The CertDB class was meant to be a wrapper around NSS databases, certutil, pk12util, etc. Unfortunately, over time it grew too dependent on the particular scenarios it is used in. Introduce a new class that has no knowledge about IPA configuration, and move generic code to it. In the future, generic code should be moved to NSSDatabase, code for the self-signed CA should be removed, and IPA-specific code may stay in CertDB (which calls NSSDatabase).
* Remove unused ipapython.certdb.CertDB classPetr Viktorin2013-04-021-127/+0
|
* ipa-server-install: Remove the --selfsign optionPetr Viktorin2013-04-022-44/+33
| | | | | | | | | Instead, certificates in pkcs12 files can be given to set up IPA with no CA at all. Use a flag, setup_ca, to signal if a CA is being installed. Design: http://freeipa.org/page/V3/Drop_selfsign Part of the work for: https://fedorahosted.org/freeipa/ticket/3494
* ipa-server-install: Make temporary pin files available for the whole ↵Petr Viktorin2013-04-021-37/+21
| | | | | | | | | | | | | | | installation We pass names of files with pkcs12 pins to installers which may continue to use the files after the initial call to create_instance, at which point the installer has already removed them. Also, some of the files were not properly removed on failure. Use ipautil.write_tmp_file for the pin files, which returns a NamedTemporaryFile object that removes the underlying file when it is garbage-collected. Create the files at start of installation. This will allow checking the pkcs#12 files before the system is modified.
* Enhance ipa-adtrust-install for domains with multiple IPA serverAlexander Bokovoy2013-04-021-8/+36
| | | | | | | | | | As described on http://www.freeipa.org/page/V3/MultipleTrustServers, notice if FreeIPA server is a replica and adtrust agents contains members corresponding to the cifs/ services from replication partners. Only these servers will be advertised as SMB domain controllers https://fedorahosted.org/freeipa/ticket/2189
* Added Web UI support for service PAC type option: NONEPetr Vobornik2013-03-293-3/+39
| | | | | | | | | ipakrbauthzdata accepts [null, 'NONE', 'MS-PAC, 'PAD'] New nesting feature of radios/checkboxes was used to handle mutual exclusivity between ['MS-PAC', 'PAD'], 'NONE' and ''. https://fedorahosted.org/freeipa/ticket/3404
* Nestable checkbox/radio widgetPetr Vobornik2013-03-294-143/+390
| | | | | | | | | New component: option_widget_base. It's not a regular widget but it share some of its characteristics. It should extend regular widget or it can be nested in itself alone. checkbox_widget, checkboxes_widget, radio_widget were modified to use it. Built as a prerequisite for: https://fedorahosted.org/freeipa/ticket/3404
* Add Kerberos ticket flags management to service and host plugins.Jan Cholasta2013-03-297-15/+207
| | | | https://fedorahosted.org/freeipa/ticket/3329
* ipasam: add enumeration of UPN suffixes based on the realm domainsAlexander Bokovoy2013-03-292-11/+191
| | | | | | | | | | | | | | | | PASSDB API in Samba adds support for specifying UPN suffixes. The change in ipasam will allow to pass through list of realm domains as UPN suffixes so that Active Directory domain controller will be able to recognize non-primary UPN suffixes as belonging to IPA and properly find our KDC for cross-realm TGT. Since Samba already returns primary DNS domain separately, filter it out from list of UPN suffixes. Also enclose provider of UPN suffixes into #ifdef to support both Samba with and without pdb_enum_upn_suffixes(). Part of https://fedorahosted.org/freeipa/ticket/2848
* Normalize RA agent certificateMartin Kosek2013-03-291-1/+4
| | | | | | Certificate parsed out of sslget request to pki-ca was not always properly formatted and it may still contain DOS line ending. Make sure that the certificate is printed with correct line ending.
* Update mod_wsgi socket directoryMartin Kosek2013-03-291-2/+2
| | | | | Fedora 19 splitted /var/run and /run directories. Update mod_wsgi configuration so that it generates its sockets in the right one.
* Put pid-file to named.confMartin Kosek2013-03-292-1/+45
| | | | | | | | | Fedora 19 has splitted /var/run and /run directories while in Fedora 18 it used to be a symlink. Thus, named may expect its PID file to be in other direct than it really is and fail to start. Add pid-file configuration option to named.conf both for new installations and for upgraded machines.
* Remove syslog.target from ipa.serverMartin Kosek2013-03-292-3/+5
| | | | | | | | This required target is no longer needed as systemd from version 38 has its own journal which is also in the basic set of service unit requirementes. https://fedorahosted.org/freeipa/ticket/3511
* Remove build warningsMartin Kosek2013-03-2916-31/+31
| | | | | | Fix rpm build warnings report in Fedora 19 build. https://fedorahosted.org/freeipa/ticket/3500
* Clean spec file for Fedora 19Martin Kosek2013-03-291-5/+21
| | | | | | | | | | | This patch includes several cleanups needed for Fedora 19 build: * ipa-kdb is compatible with both krb5 1.10 and 1.11 which contains an updated DAL interface. Remove the conflict from spec file. * Fix ipa-ldap-updater call to produce errors only to avoid cluttering rpm update output * Remove httpd_conf constant which was not used https://fedorahosted.org/freeipa/ticket/3502
* Add support for cmocka C-Unit Test frameworkSumit Bose2013-03-281-0/+31
| | | | | | | | cmocka is a more advanced unit test framework for C-code than the currently used check framework. This patch adds configure checks and makefile variables so that new unit tests can use cmocka. Fixes https://fedorahosted.org/freeipa/ticket/3434
* Add mkhomedir option to ipa-server-install and ipa-replica-installAna Krivokapic2013-03-284-0/+22
| | | | | | | Add the option to create home directories for users on their first login to ipa-server-install and ipa-replica-install. https://fedorahosted.org/freeipa/ticket/3515
generated by cgit (git 2.34.1) at 2024-09-29 19:24:52 +0000