With the replacement of the winbind calls in the extdom plugin none of
the plugins is using the winbind client libraries anymore.
With the new ipa_server_mode SSSD is able to read user and group data
from trusted AD domains directly and makes this data available via the
NSS responder. With this mode enabled winbind is not needed anymore to
look up users and groups of trusted domains.
This patch removes the calls to winbind from the extdom plugin and
replaces them with standard POSIX calls like getpwnam() and calls from
libsss_nss_idmap to look up SIDs.
Fixes https://fedorahosted.org/freeipa/ticket/3637 because now the
extdom plugin does not need to handle idranges anymore, but everything
is done inside SSSD.
For a proper SASL bind with GSSAPI against an AD LDAP server a PAC is
needed. To allow SSSD in ipa_server_mode to access the LDAP or GC server
of a trusted domain with the credentials of a FreeIPA server host a
PAC must be added to the TGT for the host.
We use the well-known RID of the Domain Computers group (515) for the
primary gid element of the PAC; this is the same as AD uses for host
tickets. The rid element of the PAC is set to the well-known RID of the
Domain Controllers group (516). This is working for the SSSD use case
but might be improved later for more general use cases.
To determine if a host is a FreeIPA server or not it is checked if there
is an entry for the host in cn=master,cn=ipa,cn=etc,$base. Unfortunately
this requires an additional LDAP lookup. But since TGS-REQs for hosts
should be rare I think it is acceptable for the time being.
Fixes https://fedorahosted.org/freeipa/ticket/3651
This fixes an outstanding permissions issue from the OTP work.
https://fedorahosted.org/freeipa/ticket/3693
https://fedorahosted.org/freeipa/ticket/3743
The referint plugin does a substring search on these attributes each time an
entry is deleted, which causes a noticeable slowdown for large directories if
the attributes are not indexed.
https://fedorahosted.org/freeipa/ticket/3706
This prevents getting the full member list from LDAP and putting it back later.
https://fedorahosted.org/freeipa/ticket/3706
https://fedorahosted.org/freeipa/ticket/3706
https://fedorahosted.org/freeipa/ticket/3706
https://fedorahosted.org/freeipa/ticket/3707
https://fedorahosted.org/freeipa/ticket/3736
https://fedorahosted.org/freeipa/ticket/3766
https://fedorahosted.org/freeipa/ticket/3764
Incorrect tuple unpacking in adtrustinstance was causing ipa-adtrust-install
to fail when IPA was installed with no DNS.
https://fedorahosted.org/freeipa/ticket/3746
Assign a default priority of 10 to our SASL mappings.
https://fedorahosted.org/freeipa/ticket/3330
Create:
* kerberosauth.xpi
* krb.js
even when --http_pkcs12 option is used.
https://fedorahosted.org/freeipa/ticket/3747
https://fedorahosted.org/freeipa/ticket/3705
Those resources are needed by a page which has to use http (browser config) prior to acceptance of the CA cert.
https://fedorahosted.org/freeipa/ticket/3748
Entitlements code was not tested nor supported upstream since
version 3.0. Remove the associated code.
https://fedorahosted.org/freeipa/ticket/3739
https://fedorahosted.org/freeipa/ticket/3750
https://fedorahosted.org/freeipa/ticket/3718
Add a new API command 'adtrust_is_enabled', which can be used to determine
whether ipa-adtrust-install has been run on the system. This new command is not
visible in the IPA CLI.
Use this command in idrange_add to conditionally require the rid-base and
secondary-rid-base options.
Add tests to cover the new functionality.
https://fedorahosted.org/freeipa/ticket/3634
Logging tracebacks at the INFO level caused them to be displayed to the user on the
command line. Change the log level to DEBUG, so that tracebacks are not visible
to the user.
https://fedorahosted.org/freeipa/ticket/3704
When adding a trust, if an id range already exists for this trust,
and options --base-id/--range-size are provided with the trust-add command,
trust-add should fail.
https://fedorahosted.org/freeipa/ticket/3635
https://fedorahosted.org/freeipa/ticket/3713
Improve handling of command line options related to forced client re-enrollment
in ipa-client-install:
* Make --keytab and --principal options mutually exclusive.
* Warn that using --force-join together with --keytab provides no additional
functionality.
https://fedorahosted.org/freeipa/ticket/3686
To be consistent with the rest of the LDAP commands, return
ipaRangeType as a list of unicode strings.
Regression caused by https://fedorahosted.org/freeipa/ticket/3647
Hardcoded values for range parameters such as base RID or range
size could be the reason the tests produced incorrect results,
as the ranges could get in conflict with already existing ranges
on the server.
The patch dynamically chooses ID and RID range space at the end of
all ranges already present on the server.
https://fedorahosted.org/freeipa/ticket/3662
The plugin hooks into the Nose runner and IPA's logging infrastructure
and calls the appropriate BeakerLib functions (rl*).
IPA's log_manager is extended to accept custom Handler classes.
The ipa-run-tests helper now loads the plugin.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3621
Part of the work for: https://fedorahosted.org/freeipa/ticket/3654
Rename the 'tests' directory to 'ipa-tests', and create an ipa-tests RPM
containing the test suite.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3654
This directory is no longer used as session storage.
All SELinux policy needed by the FreeIPA server is now part of the global
system SELinux policy, which makes the subpackage redundant and slows
down the installation. This patch drops it.
https://fedorahosted.org/freeipa/ticket/3683
https://fedorahosted.org/freeipa/ticket/3684
Make sure that the success message is properly populated with the actual number of
items that were successfully added/removed.
https://fedorahosted.org/freeipa/ticket/3708
There is a JS error.
Rule tables with external members have more than one column and therefore the exclude parameter for the adder dialog is not an array of strings but an array of objects. The normalize_values function can't work with it and causes a JS error.
This patch creates a proper exclude array before passing it to the adder dialog.
https://fedorahosted.org/freeipa/ticket/3711
https://fedorahosted.org/freeipa/ticket/3675
https://fedorahosted.org/freeipa/ticket/3673
https://fedorahosted.org/freeipa/ticket/3674
https://fedorahosted.org/freeipa/ticket/3667
https://fedorahosted.org/freeipa/ticket/3665
sys.stdout is buffered by default if redirected to a file.
This may cause an automated installation to appear hung.
Flush the stream so that messages are written immediately.
The following values of the ipaRangeType attribute are supported
and translated accordingly in the idrange commands:
* 'ipa-local': 'local domain range'
* 'ipa-ad-winsync': 'Active Directory winsync range'
* 'ipa-ad-trust': 'Active Directory domain range'
* 'ipa-ad-trust-posix': 'Active Directory trust range with POSIX attributes'
* 'ipa-ipa-trust': 'IPA trust range'
Part of https://fedorahosted.org/freeipa/ticket/3647
Previously, we deduced the range type from the range objectclass
and filled in a virtual attribute in the post_callback phase.
Having an ipaRangeType attributeType in the schema, we need to fill
in the attribute values for ranges created in previous IPA versions.
The plugin follows the same approach, setting the ipa-local or
ipa-ad-trust value in the ipaRangeType attribute according
to the objectclass of the range.
Part of https://fedorahosted.org/freeipa/ticket/3647
This adds a new LDAP attribute ipaRangeType with
OID 2.16.840.1.113730.3.8.11.41 to the LDAP schema.
The ObjectClass ipaIDrange has been altered to require the
ipaRangeType attribute.
Part of https://fedorahosted.org/freeipa/ticket/3647
https://fedorahosted.org/freeipa/ticket/3685