summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Add mkhomedir option to ipa-server-install and ipa-replica-installAna Krivokapic2013-03-284-0/+22
| | | | | | | Add the option to create home directories for users on their first login to ipa-server-install and ipa-replica-install. https://fedorahosted.org/freeipa/ticket/3515
* Bump selinux-policy requiresMartin Kosek2013-03-261-1/+4
| | | | | | The higher version is reported to fix a Fedora 17 to 18 upgrade issue. https://fedorahosted.org/freeipa/ticket/3399
* Add logging to join commandTomas Babej2013-03-251-6/+20
| | | | | | | | | The following is mentioned in the log now: - existence of host entry (if it already does exist) - missing krbprincipalname and its new value (if there was no principal name set) https://fedorahosted.org/freeipa/ticket/3481
* Allow host re-enrollment using delegationTomas Babej2013-03-252-1/+9
| | | | | | | | | | A new option --force-join has been added to ipa-client-install. It forces the host enrollment even if the host entry exists. Old certificate is revoked, new certificate and ssh key pair generated. See the relevant design for the re-enrollment part: http://freeipa.org/page/V3/Forced_client_re-enrollment https://fedorahosted.org/freeipa/ticket/3482
* Fix structured DNS record outputMartin Kosek2013-03-222-0/+30
| | | | | | | | | | | | | Recent LDAP refactoring replaced entry_attrs regular dict with normalized keys (i.e. lowercase) with LDAPEntry instance which keys may not be normalized. This broke CND command output when --structured and --all options were used. Force lowercase normalization of the LDAPEntry keys in DNS plugin structured format postprocessing. Also add a missing test for DNS record structured output. https://fedorahosted.org/freeipa/ticket/3526
* Use default NETBIOS name in unattended ipa-adtrust-installAna Krivokapic2013-03-221-1/+4
| | | | | | | | Unattended ipa-adtrust-install used to fail if --netbios option was not provided. This patches fixes this, so that instead of failing the default NETBIOS name is used. https://fedorahosted.org/freeipa/ticket/3497
* Configure ipa_dns DS plugin on install and upgradeMartin Kosek2013-03-224-0/+43
| | | | | | | | | | The plugin is configured unconditionally (i.e. does not check if IPA was configured with DNS) as the plugin is needed on all replicas to prevent objectclass violations due to missing SOA serial in idnsZone objectclass. The violation could happen if just one replica configured DNS and added a new zone. https://fedorahosted.org/freeipa/ticket/3347
* Add 389 DS plugin for special idnsSOASerial attribute handlingPetr Spacek2013-03-225-0/+255
| | | | | | | | | Default value "1" is added to replicated idnsZone objects if idnsSOASerial attribute is missing. https://fedorahosted.org/freeipa/ticket/3347 Signed-off-by: Petr Spacek <pspacek@redhat.com>
* Fix lockout of LDAP bind.Rob Crittenden2013-03-211-91/+158
| | | | | | | | | | | | | | | | | | There were several problems: - A cut-n-paste error where the wrong value was being considered when an account was administratively unlocked. - An off-by-one error where LDAP got one extra bind attempt. - krbPwdPolicyReference wasn't being retrieved as a virtual attribute so only the global_policy was used. - The lockout duration wasn't examined in the context of too many failed logins so wasn't being applied properly. - Lockout duration wasn't used properly so a user was effectively unlocked when the failure interval expired. - krbLastFailedAuth and krbLoginFailedCount are no longer updated past max failures. https://fedorahosted.org/freeipa/ticket/3433
* Process exceptions when talking to DogtagAlexander Bokovoy2013-03-211-1/+4
| | | | | | | | | | The problem is the ca_status() uses an HTTP GET operation to check Dogtag's status. Under some circumstances Dogtag may take a long time to respond, so the HTTP GET may time out much earlier than 2 minutes. And since the above code doesn't catch the exception, the whole loop fails immediately, so it doesn't wait for a full 2 minutes as expected. https://fedorahosted.org/freeipa/ticket/3492
* Improve client install LDAP cert retrieval fallbackMartin Kosek2013-03-211-1/+1
| | | | | | | | CA certificate retrieval function did not fallback from LDAP to HTTP based retrieval in case of an LDAP error, when for example GSSAPI authentication failed. https://fedorahosted.org/freeipa/ticket/3512
* Use temporary CCACHE in ipa-client-installMartin Kosek2013-03-211-0/+7
| | | | | | | | ipa-client-install failed if user had set his own KRB5CCNAME in his environment. Use a temporary CCACHE for the installer to avoid these kind of errors. https://fedorahosted.org/freeipa/ticket/3512
* Add DNS Setup Prompt to InstallBrian Cook2013-03-211-0/+5
| | | | | | | | | Currently the only way to setup integrated DNS is by passing --setup-dns to ipa-server-install. This patch modifies install so that if --setup-dns is not passed, the user is asked if they want to configure integrated dns. http://fedorahosted.org/freeipa/ticket/2575
* Fixed Web UI build error caused by rhino changes in F19Petr Vobornik2013-03-211-1/+7
| | | | | | | | | rhino-1.7R4-2.fc19.noarch dropped -main flag which made the build fail in rawhide (F19). We can't use the same command for rhino-1.7R3-6 (F18) and rhino-1.7R4-2 (F19). This patch adds check if rhino supports '-require' option. If so it calls rhino with it if not it calls rhino with -main option. https://fedorahosted.org/freeipa/ticket/3501
* ipa-client discovery with anonymous access offMartin Kosek2013-03-201-5/+1
| | | | | | | | | | | | | When RootDSE could be read (nsslapd-allow-anonymous-access set to "rootdse"), autodiscovery module failed to report success to the client installer. Remove faulty "verified_servers" flag from autodiscovery module as it has no point since we consider both scenarios (IPA server with anonymous access on and unknown LDAP server with anonymous access off) as success. https://fedorahosted.org/freeipa/ticket/3519
* Realm Domains pageAna Krivokapic2013-03-189-7/+190
| | | | | | Add support for Realm Domains to web UI. https://fedorahosted.org/freeipa/ticket/3407
* Web UI:Choose different search option for cert-findPetr Vobornik2013-03-185-4/+140
| | | | | | | | | | This extends certificate search page by search option select. Therefore the search is not restricted to 'subject'. It should be replaced by https://fedorahosted.org/freeipa/ticket/191 in a future. https://fedorahosted.org/freeipa/ticket/3419
* Web UI:Certificate pagesPetr Vobornik2013-03-1813-31/+621
| | | | | | | | | | | | | | | | | Following pages were added to Web UI: * certificated details * certificate search Certificate is not regular object so it gets no metadata. Therefore artificial metadata were created for it to allow usage of search and details facet. Search and details facet were modified to allow removing of add/remove/update/ reset buttons - certificates have no mod operation and they are not added by standard means. User can revoke and restore certificated in details facet. https://fedorahosted.org/freeipa/ticket/3419
* Fix internal error for ipa show-mappingsAna Krivokapic2013-03-181-1/+1
| | | | | | The run() method of the show_mappings command was missing the **options parameter in its signature, causing the ipa show-mappings to fail with an internal error.
* Remove check for alphabetic only characters from domain name validationAna Krivokapic2013-03-151-3/+0
| | | | | | | The .isalpha() check in validate_domain_name() was too strict, causing some commands like ipa dnsrecord-add to fail. https://fedorahosted.org/freeipa/ticket/3385
* Improve some error handling in ipa-replica-manageRob Crittenden2013-03-141-3/+6
| | | | | | | | | | | | If you break a replica install after the agreement is created but before it gets much further you'll be in the situation where an agreement exists, no cn=masters entry exists, and the RUV may not be set yet. This adds some error handling so the broken install can be safely removed. https://fedorahosted.org/freeipa/ticket/3444
* Improve error messages for external group membersAna Krivokapic2013-03-144-4/+190
| | | | | | | | | | | | | | | | | When adding a duplicate member to a group, an error message is issued, informing the user that the entry is already a member of the group. Similarly, when trying to delete an entry which is not a member, an error message is issued, informing the user that the entry is not a member of the group. These error messages were missing in case of external members. This patch also adds support for using the AD\name or name@ad.domain.com format in ipa group-remove-member command. This format was supported in group-add-member, but not in group-remove-member. Unit test file covering these cases was also added. https://fedorahosted.org/freeipa/ticket/3254
* Do not force named connections on upgradesMartin Kosek2013-03-141-1/+1
| | | | | | We used to set connections argument for bind-dyndb-ldap even when the attribute was not in named.conf. This is not necessary as the bind-dyndb-ldap plugin chooses a sane default instead of us.
* Use tkey-gssapi-keytab in named.confMartin Kosek2013-03-142-3/+69
| | | | | | | | | | | Remove obsolete BIND GSSAPI configuration options tkey-gssapi-credential and tkey-domain and replace them with tkey-gssapi-keytab which avoids unnecessary Kerberos checks on BIND startup and can cause issues when KDC is not available. Both new and current IPA installations are updated. https://fedorahosted.org/freeipa/ticket/3429
* Update named.conf parserMartin Kosek2013-03-141-21/+48
| | | | | | | | Refactor the named.conf parsing and editing functions in bindinstance so that both "dynamic-db" and "options" sections of named.conf can be read and updated https://fedorahosted.org/freeipa/ticket/3429
* Enforce exact SID match when adding or modifying a ID rangeTomas Babej2013-03-142-14/+38
| | | | | | | | SID validation in idrange.py now enforces exact match on SIDs, thus one can no longer use SID of an object in a trusted domain as a trusted domain SID. https://fedorahosted.org/freeipa/ticket/3432
* Avoid multiple client discovery with fixed server listMartin Kosek2013-03-141-0/+11
| | | | | | | | | | | | In client discovery module, we used to run up to three discovery processes even though we received a fixed list of servers to connect to. This could result in up to 3 identical "not an IPA server" error messages when the passed server is not an IPA server. Error out immediately when we are discovering against a fixed set of servers. Related to fixes in https://fedorahosted.org/freeipa/ticket/3418
* Preserve order of servers in ipa-client-installMartin Kosek2013-03-141-9/+12
| | | | | | | | | | | | When multiple servers are passed via --server option, ipadiscovery module changed its order. Make sure that we preserve it. Also make sure that user is always warned when a tested server is not available as then the server will be excluded from the fixed server list. Log messages were made more informative so that user knows which server is actually failing to be verified. https://fedorahosted.org/freeipa/ticket/3418
* Do not hide idrange-add errors when adding trustMartin Kosek2013-03-131-9/+6
| | | | | | | | | | | We catched all errors that could be raised by idrange-add command and just raised an uncomprehensible ValidationError. This could hide a real underlying problem and make the debugging harder. We should rather just let the command raise the real error (which will be already a PublicError). https://fedorahosted.org/freeipa/ticket/3288
* Use new 389-ds-base cleartext password APIMartin Kosek2013-03-131-8/+12
| | | | | | | | | | The way how unhashed password is stored in the entry was changed in 389-ds-base-1.3.0, it is now stored in an entry extension rather than in a magic attribute unhashed#user#password. New API using an entry extension was introduced. ipa-pwd-extop should take advantage of the new API as the old one will be removed in 389-ds-base-1.3.1. https://fedorahosted.org/freeipa/ticket/3439
* Remove implicit Str to DN conversion using *-attrTomas Babej2013-03-132-72/+154
| | | | | | | | | | | DNs represented as strings and passed via --setattr or --addattr are no longer implicitly converted to DN type. This solves various errors associated with this behaviour, see tickets below. Unit tests added. https://fedorahosted.org/freeipa/ticket/3348 https://fedorahosted.org/freeipa/ticket/3349
* Make sure uninstall script prompts for reboot as lastTomas Babej2013-03-131-19/+35
| | | | | | | | | | | Parts of client uninstall logic could be skipped in attended uninstallation if user agreed to reboot the machine. Particulary, the uninstall script would not try to remove /etc/ipa/default.conf and therefore subsequent installation would fail, client being detected as already configured. https://fedorahosted.org/freeipa/ticket/3462 https://fedorahosted.org/freeipa/ticket/3463
* Extend ipa-replica-manage to be able to manage DNA ranges.Rob Crittenden2013-03-138-9/+453
| | | | | | | | | | | | | | | | | Attempt to automatically save DNA ranges when a master is removed. This is done by trying to find a master that does not yet define a DNA on-deck range. If one can be found then the range on the deleted master is added. If one cannot be found then it is reported as an error. Some validation of the ranges are done to ensure that they do overlap an IPA local range and do not overlap existing DNA ranges configured on other masters. http://freeipa.org/page/V3/Recover_DNA_Ranges https://fedorahosted.org/freeipa/ticket/3321
* Don't download the schema in ipadiscoveryPetr Viktorin2013-03-131-1/+3
|
* Remove unneeded python-ldap importsPetr Viktorin2013-03-134-31/+28
| | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Use IPAdmin rather than raw python-ldap in migration.py and ipadiscovery.pyPetr Viktorin2013-03-136-140/+119
| | | | | | | | | | | | | These used ipautil.get_ipa_basedn. Convert that to use the new wrappers. Beef up the error handling in ipaldap to accomodate the errors we catch in the server discovery. Add a DatabaseTimeout exception to errors.py. These were the last uses of ipautil.convert_ldap_error, remove that. https://fedorahosted.org/freeipa/ticket/3487 https://fedorahosted.org/freeipa/ticket/3446
* Use IPAdmin rather than raw python-ldap in ipa-client-installPetr Viktorin2013-03-132-38/+35
| | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/3487
* Remove ipaserver/ipaldap.pyPetr Viktorin2013-03-1315-60/+22
| | | | | | In addition to removing the module, fix all places where it was imported. Preparation for: https://fedorahosted.org/freeipa/ticket/3446
* Move ipaldap to ipapythonPetr Viktorin2013-03-133-1800/+1819
| | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/3446
* Add support for re-enrolling hosts using keytabTomas Babej2013-03-124-10/+50
| | | | | | | | | | | | | | | | | | A host that has been recreated and does not have its host entry disabled or removed, can be re-enrolled using a previously backed up keytab file. A new option --keytab has been added to ipa-client-install. This can be used to specify path to the keytab and can be used instead of -p or -w options. A new option -f has been added to ipa-join. It forces client to join even if the host entry already exits. A new certificate, ssh keys are generated, ipaUniqueID stays the same. Design page: http://freeipa.org/page/V3/Client_install_using_keytab https://fedorahosted.org/freeipa/ticket/3374
* Change DNA magic value to -1 to make UID 999 usablePetr Viktorin2013-03-1113-28/+144
| | | | | | | | | | | | | Change user-add's uid & gid parameters from autofill to optional. Change the DNA magic value to -1. For old clients, which will still send 999 when they want DNA assignment, translate the 999 to -1. This is done via a new capability, optional_uid_params. Tests included https://fedorahosted.org/freeipa/ticket/2886
* Perform secondary rid range overlap check for local ranges onlyTomas Babej2013-03-111-16/+25
| | | | | | | | | | | Any of the following checks: - overlap between primary RID range and secondary RID range - overlap between secondary RID range and secondary RID range is performed now only if both of the ranges involved are local domain ranges. https://fedorahosted.org/freeipa/ticket/3391
* Fix installing server with external CAPetr Viktorin2013-03-083-65/+74
| | | | | | | | | | | | | | Reorganize ipa-server-instal so that DS (and NTP server) installation only happens in step one. Change CAInstance to behave correctly in two-step install. Add an `init_info` method to DSInstance that includes common attribute/sub_dict initialization from create_instance and create_replica. Use it in ipa-server-install to get a properly configured DSInstance for later tasks. https://fedorahosted.org/freeipa/ticket/3459
* Disable schema retrieval and attribute decoding when talking to AD GC.Jan Cholasta2013-03-081-5/+2
|
* Allow disabling attribute decoding in LDAPClient and IPAdmin.Jan Cholasta2013-03-081-3/+13
|
* Allow disabling LDAP schema retrieval in LDAPClient and IPAdmin.Jan Cholasta2013-03-081-3/+8
|
* Do not fail if schema cannot be retrieved from LDAP server.Jan Cholasta2013-03-081-9/+15
|
* Allow 'nfs:NONE' in global configurationSumit Bose2013-03-083-4/+4
| | | | | | | | | | | | This patch adds 'nfs:NONE' as an allowed entry for the global authorization data type in the CLI and WebUI. This is an ad-hoc solution to make sure that the new default value for the NFS service is not removed by chance. This patch should be removed if a more generic solution is implemented to modify service:TYPE style values of the authorization data type. https://fedorahosted.org/freeipa/ticket/2960
* Mention PAC issue with NFS in service plugin docSumit Bose2013-03-081-1/+7
| | | | https://fedorahosted.org/freeipa/ticket/2960
* Add unit test for get_authz_data_types()Sumit Bose2013-03-082-0/+246
| | | | https://fedorahosted.org/freeipa/ticket/2960
generated by cgit (git 2.34.1) at 2024-06-28 10:14:35 +0000