summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Flush stream after writing service messagesPetr Viktorin2013-06-111-0/+1
| | | | | | sys.stdout is buffered by default if redirected to a file. This may causes automated installation to appear hung. Flush the stream so that messages are written immediately.
* PEP8 fixes in idrange.pyTomas Babej2013-06-101-8/+17
|
* Extend idrange commands to support new range origin typesTomas Babej2013-06-102-18/+57
| | | | | | | | | | | | | | Following values of ipaRangeType attribute are supported and translated accordingly in the idrange commands: 'ipa-local': 'local domain range' 'ipa-ad-winsync': 'Active Directory winsync range' 'ipa-ad-trust': 'Active Directory domain range' 'ipa-ad-trust-posix': 'Active Directory trust range with POSIX attributes' 'ipa-ipa-trust': 'IPA trust range' Part of https://fedorahosted.org/freeipa/ticket/3647
* Add update plugin to fill in ipaRangeType attributeTomas Babej2013-06-102-0/+117
| | | | | | | | | | | | | | Previously, we deduced the range type from the range objectclass and filled in virtual attribute in post_callback phase. Having a ipaRangeType attributeType in schema, we need to fill the attribute values to ranges created in previous IPA versions. The plugin follows the same approach, setting ipa-local or ipa-ad-trust value to the ipaRangeType attribute according to the objectclass of the range. Part of https://fedorahosted.org/freeipa/ticket/3647
* Add ipaRangeType attribute to LDAP SchemaTomas Babej2013-06-103-1/+5
| | | | | | | | | | This adds a new LDAP attribute ipaRangeType with OID 2.16.840.1.113730.3.8.11.41 to the LDAP Schema. ObjectClass ipaIDrange has been altered to require ipaRangeType attribute. Part of https://fedorahosted.org/freeipa/ticket/3647
* Fix type of printf argumentSumit Bose2013-06-101-1/+2
|
* Prevent error when running IPA commands with su/sudoAna Krivokapic2013-06-071-5/+5
| | | | https://fedorahosted.org/freeipa/ticket/3685
* Manage ipa-otpd.socket by IPATomas Babej2013-06-066-22/+68
| | | | | | | | Adds a new simple service called OtpdInstance, that manages ipa-otpd.socket service. Added to server/replica installer and ipa-upgradeconfig script. https://fedorahosted.org/freeipa/ticket/3680
* Do not check userPassword with 7-bit pluginTomas Babej2013-06-062-0/+7
| | | | | | | | Default list of attributes that are checked with 7-bit plugin for being 7-bit clean includes userPassword. Consecutively, one is unable to set passwords that contain non-ascii characters. https://fedorahosted.org/freeipa/ticket/3640
* Remove redundant u'' characterMartin Kosek2013-06-062-2/+2
| | | | | | One Python's unicode marking character was being printed by RPC plugin which then appeared in ipa-client-install output. This patch removes it.
* Fix regression: missing facet tab group labelsPetr Vobornik2013-06-052-10/+15
| | | | | | | | Currently there is only empty space between facet tabs and facet title. It's a regression caused by recent refactoring. https://fedorahosted.org/freeipa/ticket/3688
* Incorporate interactive prompts in idrange-addTomas Babej2013-06-051-3/+38
| | | | | | | | | | | In idrange-add command, ensure that RID base is prompted for in the interactive mode if domain SID or domain name was specified. If domain name nor SID was specified, make sure rid base is prompted for if secondary rid base was specified and vice versa. https://fedorahosted.org/freeipa/ticket/3602
* Add prompt_param method to avoid code duplicationTomas Babej2013-06-053-42/+55
| | | | | | | | | | Extracted common code from ipalib/plugins/cli.py and ipalib/plugins/dns.py that provided way to prompt user for the value of specific attribute. Added prompt_param method to Command class in ipalib/frontend.py Done as part of https://fedorahosted.org/freeipa/ticket/3602
* Remove redundant check for env.interactiveTomas Babej2013-06-051-1/+0
| | | | | Fixed as part of https://fedorahosted.org/freeipa/ticket/3602
* Use private ccache in ipa install toolsTomas Babej2013-06-055-16/+44
| | | | | | | | All installers that handle Kerberos auth, have been altered to use private ccache, that is ipa-server-install, ipa-dns-install, ipa-replica-install, ipa-ca-install. https://fedorahosted.org/freeipa/ticket/3666
* Make ssbrowser.html work in IE 10Petr Vobornik2013-06-041-3/+9
| | | | | | | | Manual configuration page for other browsers (ssbrowser.html) doesn't work in IE 10 - error page is displayed. This patch is conditioning creation of Firefox configuration object so that configure.jar is requested only in Firefox. IE doesn't request it and so it does not fail. https://fedorahosted.org/freeipa/ticket/3645
* Fix format string typoSumit Bose2013-06-031-1/+1
|
* Fix log format not a string literal.Diane Trout2013-06-031-1/+1
| | | | | | | | This was to resolve a -Werror=format-security error. ipa_extdom_extop.c: In function 'ipa_extdom_extop': ipa_extdom_extop.c:144:9: error: format not a string literal and no format arguments [-Werror=format-security]
* Regression fix: missing control buttons in nested search facetsPetr Vobornik2013-06-031-16/+24
| | | | | | Regression introduced by 6e90920233cc9a7c9feb040dea22cda837715c39 - 'Move spec modifications from facet factories to pre_ops'. https://fedorahosted.org/freeipa/ticket/3605
* Deprecate options --dom-sid and --dom-name in idrange-modAna Krivokapic2013-05-313-10/+13
| | | | https://fedorahosted.org/freeipa/ticket/3636
* Do not allow removal of ID range of an active trustTomas Babej2013-05-312-11/+152
| | | | | | | | | | When removing an ID range using idrange-del command, validation in pre_callback ensures that the range does not belong to any active trust. In such case, ValidationError is raised. Unit tests to cover the functionality has been added. https://fedorahosted.org/freeipa/ticket/3615
* Ignore files generated by buildAna Krivokapic2013-05-311-0/+5
|
* Remove code to install Dogtag 9Petr Viktorin2013-05-318-218/+22
| | | | | | | | | Since we depend on Dogtag 10 now, there is no need to keep code that installs a Dogtag 9 CA. Support for upgraded Dogtag-9-style instances is left in. https://fedorahosted.org/freeipa/ticket/3529
* Fix cldap parser to work with a single equality filter (NtVer=...)Alexander Bokovoy2013-05-301-12/+14
| | | | https://fedorahosted.org/freeipa/ticket/3639
* Support multiple local domain ranges with RID base setTomas Babej2013-05-301-16/+34
| | | | | | | | | | | | | | | In ip-adtrust-install, "adding RID bases" step would fail if there was more than one local range defined. This can be a common case if e.g. there are users that migrated from previous IdM solution. With this patch, we fail only if there are multiple local ranges that do not have RID bases set. Keep in mind that overlap checking is ensured by ipa-range-check DS plugin. https://fedorahosted.org/freeipa/ticket/3498
* Do not translate trust type and direction with --raw in trust_show and ↵Tomas Babej2013-05-291-6/+28
| | | | | | | | | | | trust-find In trust_show command, make sure that --raw flag is honoured. Attributes ipanttrusttype and ipanttrustdirection are no longer translated to strings from their raw ldap values when --raw is used. https://fedorahosted.org/freeipa/ticket/3525
* CLDAP: Return empty reply on non-fatal errorsSimo Sorce2013-05-281-6/+18
| | | | | | | | | | | | | | | Windows DCs return an empty reply when a legal request cannot satisfied. If we get EINVAL or ENOENT it means the information requested could not be found or input parameters were bogus. Always return an empty reply in these cases. On any other internal error just return, the request may have been legit but we can't really handle it right now, pretend we never saw it and hope the next attempt will succeed. Fixes: https://fedorahosted.org/freeipa/ticket/3639 Signed-off-by: Simo Sorce <simo@redhat.com>
* CLDAP: Fix domain handling in netlogon requestsSimo Sorce2013-05-281-28/+39
| | | | | | | | | | | | | 1. Stop using getdomainname() as it is often not properly initialized 2. The code using getdomainname() was not working anyway it was trying to look at the function call output in hostname which is always empty at that point. 3. Always check the requested domain matches our own, we cannot reply to anything else anyway. Pre-requisite to fix: https://fedorahosted.org/freeipa/ticket/3639 Signed-off-by: Simo Sorce <simo@redhat.com>
* Avoid exporting KRB5_KTNAME in dirsrv envMartin Kosek2013-05-242-2/+0
| | | | | The variable is already defined, exporting in dirsrv systemd environment is not needed and produces a (benign) error.
* Handle DIR type CCACHEs in test_cmdline properlyMartin Kosek2013-05-222-2/+2
| | | | | | Pass a whole krbV.CCache object to ldap2 connect() method so that it can properly detect both type and name of a CCAHE. Otherwise the test fails on systems with default DIR type CCACHE.
* Relax getkeytab test to allow additional messages on stderrPetr Viktorin2013-05-221-1/+3
| | | | https://fedorahosted.org/freeipa/ticket/3633
* ipa-client-install: Add 'debug' and 'show' statements to nsupdate commandsPetr Spacek2013-05-221-2/+9
| | | | https://fedorahosted.org/freeipa/ticket/3629
* Web UI: move ./_base/metadata_provider.js to ./metadata.jsPetr Vobornik2013-05-1712-15/+18
| | | | | | Metadata provider is IPA specific object, not a framework object, so it should not be in _base directory. https://fedorahosted.org/freeipa/ticket/3604
* Unite and move facet pre_ops to related modulesPetr Vobornik2013-05-174-123/+90
| | | | | | | | | | Facet pre_ops defined in ./facet module were moved to modules where facet are actually defined. Moved pre_ops were united with the ones defined for the facets in these modules. The move simplifies module dependencies - there is no reason to have general facet module dependent on specialized facet modules. Pre_ops uniting makes the code simpler. https://fedorahosted.org/freeipa/ticket/3605
* Move spec modifications from facet factories to pre_opsPetr Vobornik2013-05-176-85/+99
| | | | | | | | Spec modifications in factories makes inheritance and extensibility more difficult. Moving them to pre_ops allows modification of their output by other pre_ops. https://fedorahosted.org/freeipa/ticket/3605
* Do not display success message on failure in web UIAna Krivokapic2013-05-175-22/+53
| | | | https://fedorahosted.org/freeipa/ticket/3591
* Add OTP support to ipa-pwd-extopNathaniel McCallum2013-05-1710-58/+1368
| | | | | | | | | During LDAP bind, this now plugin determines if a user is enabled for OTP authentication. If so, then the OTP is validated in addition to the password. This allows 2FA during user binds. https://fedorahosted.org/freeipa/ticket/3367 http://freeipa.org/page/V3/OTP
* Remove unnecessary prefixes from ipa-pwd-extop filesNathaniel McCallum2013-05-175-6/+6
|
* Add the krb5/FreeIPA RADIUS companion daemonNathaniel McCallum2013-05-1715-64/+1723
| | | | | | | | | | | This daemon listens for RADIUS packets on a well known UNIX domain socket. When a packet is received, it queries LDAP to see if the user is configured for RADIUS authentication. If so, then the packet is forwarded to the 3rd party RADIUS server. Otherwise, a bind is attempted against the LDAP server. https://fedorahosted.org/freeipa/ticket/3366 http://freeipa.org/page/V3/OTP
* ipa-kdb: Add OTP supportNathaniel McCallum2013-05-173-1/+78
| | | | | | | | | | | | | If OTP is enabled for a user, then: 1. Long-term keys are not provided to KDB 2. The user string 'otp' is defined to KDB Since it is not secure to send radius configuration information over krb5 user strings, we simply set the string to a known default ('[]') which enables the default configuration in the KDC. https://fedorahosted.org/freeipa/ticket/3561 http://freeipa.org/page/V3/OTP
* Add IPA OTP schema and ACLsNathaniel McCallum2013-05-1710-10/+97
| | | | | | | | | | This commit adds schema support for two factor authentication via OTP devices, including RADIUS or TOTP. This schema will be used by future patches which will enable two factor authentication directly. https://fedorahosted.org/freeipa/ticket/3365 http://freeipa.org/page/V3/OTP
* Add ipaUserAuthType and ipaUserAuthTypeClassNathaniel McCallum2013-05-172-0/+6
| | | | | | | | | | This schema addition will be useful for future commits. It allows us to define permitted external authentication methods on both the user and global config. The implementation is generic, but the immediate usage is for otp support. https://fedorahosted.org/freeipa/ticket/3365 http://freeipa.org/page/V3/OTP
* Prompt for nameserver IP address in dnszone-addAna Krivokapic2013-05-165-0/+161
| | | | | | | | | | | | | | Prompt for nameserver IP address in interactive mode of dnszone-add. Add a corresponding field to dnszone creation dialog in the web UI. This parameter is required if and only if: * New zone is a forward zone * Nameserver is defined inside the new zone Add a new unit test to cover this functionality. https://fedorahosted.org/freeipa/ticket/3603
* Remove redundancy from hbactest help textTomas Babej2013-05-151-2/+2
| | | | | | | I modified the SID in the second example so that result corresponds with the 5. example. https://fedorahosted.org/freeipa/ticket/3625
* Set KRB5CCNAME so that dirsrv can work with newer krb5-serverMartin Kosek2013-05-142-0/+19
| | | | | | | | | | | The DIR ccache format is now the default in krb5-server 1.11.2-4 but /run/user/<uid> isn't created for Apache by anything so it has no ccache (and it doesn't have SELinux permissions to write here either). Use KRB5CCNAME to set a file path instead in /etc/sysconfig/dirsrv. https://fedorahosted.org/freeipa/ticket/3628
* Remove leading zero from IPA_NUM_VERSIONPetr Viktorin2013-05-142-1/+18
| | | | | | | The numeric IPA_NUM_VERSION contained a leading zero, so it was treated as octal value in Python code instead of decimal. https://fedorahosted.org/freeipa/ticket/3622
* Fix: HBAC Test tab is missingPetr Vobornik2013-05-141-1/+1
| | | | | | | | Caused by typo in metadata provider source path. No metadata -> no HBAC test entity -> no tab https://fedorahosted.org/freeipa/ticket/3627
* Bump version for development branch to 3.2.99Rob Crittenden2013-05-101-1/+1
|
* Become 3.2.0Rob Crittenden2013-05-101-1/+1
|
* Fix SASL_NOCANON behavior for LDAPIMartin Kosek2013-05-101-1/+5
| | | | | Add requires for openldap-2.4.35-4 to pickup fixed SASL_NOCANON behavior for socket based connections (#960222).
generated by cgit (git 2.34.1) at 2024-06-08 11:45:15 +0000