| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3652
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3652
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
We need KDC hostname for several purposes:
- short-circuit detection of principals on the same server as KDC
- generating NetBIOS name
Make sure we cache hostname information on startup and use it
instead of detecting the hostname in run-time. This will miss the
case that KDC hostname got changed but such cases are not supported
anyway without restarting KDC and making changes to principals.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Enables support for trusted domains users for old clients through Schema
Compatibility plugin. SSSD supports trusted domains natively starting with
version 1.9 platform. For platforms that lack SSSD or run older SSSD version
one needs to use this option. When enabled, slapi-nis package needs to
be installed and schema-compat-plugin will be configured to provide lookup of
users and groups from trusted domains via SSSD on IPA server. These users and
groups will be available under cn=users,cn=compat,$SUFFIX and
cn=groups,cn=compat,$SUFFIX trees. SSSD will normalize names of users and
groups to lower case.
In addition to providing these users and groups through the compat tree,
this option enables authentication over LDAP for trusted domain users with DN
under compat tree, i.e. using bind DN uid=administrator@ad.domain,cn=users,cn=compat,$SUFFIX.
This authentication is related to PAM stack using 'system-auth' PAM
service. If you have disabled HBAC rule 'allow_all', then make sure there is
special service called 'system-auth' created and HBAC rule to allow access to
anyone to this rule on IPA masters is added. Please note that system-auth PAM
service is not used directly by any other application, therefore it is safe to
create one specifically to support trusted domain users via compatibility path.
https://fedorahosted.org/freeipa/ticket/3567
|
| |
|
|
|
|
|
|
| |
The LDAP updater prints the initial and final states of an entry, as well
as details on the changes made to attributes. This has the potential to
expose sensitive values so exclude those from logging.
https://fedorahosted.org/freeipa/ticket/3782
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3749
|
| |
|
|
|
|
|
|
|
|
| |
Features of the new policy:
- labels /var/lib/ipa/pki-ca/publish as pki_tomcat_cert_t which is
writeable by PKI and readable by HTTPD
- contains Conflicts with old freeipa-server-selinux package to avoid
SELinux upgrade issues
https://fedorahosted.org/freeipa/ticket/3788
|
| |
|
|
|
|
| |
Also add an option to ipautil.run to redirect command output to /dev/null.
https://fedorahosted.org/freeipa/ticket/3767
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Provides a pluggable framework for generating configuration
scriptlets and instructions for various machine setups and use
cases.
Creates a new ipa-advise command, available to root user
on the IPA server.
Also provides an example configuration plugin,
config-fedora-authconfig.
https://fedorahosted.org/freeipa/ticket/3670
|
| |
|
|
|
|
| |
Documentation: http://www.freeipa.org/page/Web_UI_Integration_Tests
https://fedorahosted.org/freeipa/ticket/3744
|
| |
|
|
|
|
|
|
| |
Host and DNS adder dialogs used span element as container for block elements. It's not valid nor consistent with other forms.
'span' was replaced by 'div'
https://fedorahosted.org/freeipa/ticket/3744
|
| |
|
|
|
|
|
| |
1. add class to active facet instead of using direct style modification for hiding/showing
2. add name attribute to tables and dialog buttons and error dialog
https://fedorahosted.org/freeipa/ticket/3744
|
| |
|
|
|
|
|
|
|
|
|
| |
Spec file modified so that /var/lib/ipa/pki-ca/publish/ is no
longer owned by created with package installation. The directory
is rather created/removed with the CA instance itself.
This ensures proper creation/removeal, group ownership
and SELinux context.
https://fedorahosted.org/freeipa/ticket/3727
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3434
|
| | |
|
| |
|
|
| |
The main case for this is having ticket numbers in the Beaker ouput.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Logs from Beaker jobs are normally very brief, with the standard
output/error containing detailed information. Make ipa-run-tests
with BeakerLib plugin follow this convention.
Only include INFO and higher level messages in the Beaker logs.
Downgrade several message levels to DEBUG.
Log to console using Python logging instead of showing the Beaker logs.
Since ipa-run-tests sets up its own logging, Nose's own log
handling just causes duplicate messages. Disable it with --nologcapture.
|
| |
|
|
|
|
|
| |
Phase names are now in the format:
test-module-TestClass-test_method: First line of docstring
https://fedorahosted.org/freeipa/ticket/3723
|
| |
|
|
|
|
|
|
|
|
| |
- Use the external hostname when connecting to remote hosts
- Make it possible to specify working directory for remote commands
- Move kinit calls to installation code
This allows tests where installation is done later
- Log at error level when a remote command fails unexpectedly
- Clean up test directory before testing
- Break infinite recursion in mkdir_recursive if dir can't be created
|
| |
|
|
|
|
|
|
| |
Set up the hostname, /etc/resolv.conf, and /etc/hosts on remote
hosts in the test setup.
Undo the changes in test teardown.
Part of the work for https://fedorahosted.org/freeipa/ticket/3621
|
| |
|
|
| |
Part of the work for https://fedorahosted.org/freeipa/ticket/3621
|
| |
|
|
|
|
|
|
|
|
|
| |
Output from IPA's log manager is not captured by Nose's logcapture plugin.
Forward IPA logs to a regular Python logger so that they are shown
on failures.
IPA log messages are also shown on standard error.
Filter out Paramiko logs by default; these are too verbose.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3621
|
| |
|
|
|
|
|
|
| |
After each test, and after class setups and teardowns, the BeakerLib
integration plugin now downloads log files from the remote masters
and submits them using rlFileSubmit.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3621
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Introduce a class inspired by subprocess.Popen that handles
running a command on a remote machine and handling its output.
To separate stdout & stderr streams of a remote command,
they need to be read in parallel, so that one of them doesn't
stall the runner when its buffer fills up. Accomplish this
by using a thread for each stream.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3621
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Add methods to run commands and copy files to Host objects.
Adds a base class for integration tests which can currently install
and uninstall IPA in a "star" topology with per-test specified number
of hosts.
A simple test for user replication between two masters is provided.
Log files from the remote hosts can be marked for collection, but the
actual collection is left to a Nose plugin.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3621
|
| |
|
|
|
|
|
|
|
|
|
| |
Integration tests are configured via environment variables.
Add a framework for parsing these variables and storing them
in easy-to-use objects.
Add an `ipa-test-config` executable that loads the configuration
and prints out variables needed in shell scripts.
Part of the work for https://fedorahosted.org/freeipa/ticket/3621
|
| |
|
|
|
|
|
|
|
|
| |
Tests in test classes decorated by @ipatests.order_plugin.ordered
are sorted by the source line number instead of alphabetically,
if the plugin is enabled.
The ipa-run-tests helper now loads and enables the plugin.
This should make writing integration tests easier.
|
| | |
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3745
|
| |
|
|
|
|
|
| |
Running server upgrade or restart in %post or %postun may cause issues when
there are still parts of old FreeIPA software (like entitlements plugin).
https://fedorahosted.org/freeipa/ticket/3739
|
| |
|
|
|
|
|
|
|
|
| |
Using the --ignore-dependencies switch was causing the ipactl stop command
not to stop all instances of dirsrv and dogtag. Make sure the switch is used
only when necessary, i.e. to prevent ipa-otpd.socket from getting stuck during
the shutdown transaction.
https://fedorahosted.org/freeipa/ticket/3730
https://fedorahosted.org/freeipa/ticket/3729
|
| | |
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3765
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Replica information file contains the file `cacert.p12` which is protected by
the Directory Manager password of the initial IPA server installation. The DM
password of the initial installation is also used for the PKI admin user
password.
If the DM password is changed after the IPA server installation, the replication
fails.
To prevent this failure, add the following steps to ipa-replica-prepare:
1. Regenerate the `cacert.p12` file and protect it with the current DM password
2. Update the password of the PKI admin user with the current DM password
https://fedorahosted.org/freeipa/ticket/3594
|
| |
|
|
|
|
|
|
|
|
| |
Adds --range-type option to ipa trust-add command. It takes two
allowed values: 'ipa-ad-trust-posix' and 'ipa-ad-trust'.
When --range-type option is not specified, the range type should be
determined by ID range discovery.
https://fedorahosted.org/freeipa/ticket/3650
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3729
|
| |
|
|
|
|
|
| |
Make sure ipactl status check for correct DS instance. It should check for
'dirsrv@IPA-REALM' and not 'dirsrv.target'.
https://fedorahosted.org/freeipa/ticket/3730
|
| |
|
|
|
|
|
|
|
|
|
| |
MS-PAC is required to be present in TGT if one wants to connect to
AD services using this TGT. Users get MS-PAC by default, SSSD in
ipa_server_mode uses host/fqdn@REALM principal to talk to AD LDAP.
This patch enables other services running on IPA master to connect
to AD services. This is required for IPA python code doing discovery
of remote AD domain settings shortly after IPA-AD trust has been
established.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
extdom plugin handles external operation over which SSSD asks IPA server about
trusted domain users not found through normal paths but detected to belong
to the trusted domains associated with IPA realm.
SSSD expects that user or group name in the response will be unqualified
because domain name for the user or group is also included in the response.
Strip domain name from the name if getgrnam_r/getpwnam_r calls returned fully
qualified name which includes the domain name we are asked to handle.
The code already expects that fully-qualified names are following user@domain
convention so we are simply tracking whether '@' symbol is present and is followed
by the domain name.
|
| | |
|
| |
|
|
|
| |
With the replacement of the winbind calls in the extdom plugin none of
the plugins is using the winbind client libraries anymore.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
With the new ipa_server_mode SSSD is able to read user and group data
from trusted AD domains directly and makes this data available via the
NSS responder. With this mode enabled winbind is not needed anymore to
lookup users and groups of trusted domains.
This patch removed the calls to winbind from the extdom plugin and
replaces them with standard POSIX calls like getpwnam() and calls from
libsss_nss_idmap to lookup SIDs.
Fixes https://fedorahosted.org/freeipa/ticket/3637 because now the
extdom plugin does not need to handle idranges anymore, but everything
is done inside SSSD.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For a proper SASL bind with GSSAPI against an AD LDAP server a PAC is
needed. To allow SSSD in ipa_server_mode to access the LDAP or GC server
of a trusted domain with the credentials of a FreeIPA server host a
PAC must be added to the TGT for the host.
We use the well know RID of the Domain Computers group (515) for the
primary gid element of the PAC, this is the same as AD uses for host
tickets. The rid element of the PAC is set to the well know RID of the
Domain Controllers group (516). This is working for the SSSD use case
but might be improved later for more general use cases.
To determine if a host is a FreeIPA server or not it is checked if there
is an entry for the host in cn=master,cn=ipa,cn=etc,$base. Unfortunately
this requires an additional LDAP lookup. But since TGS-REQs for hosts
should be rare I think it is acceptable for the time being.
Fixes https://fedorahosted.org/freeipa/ticket/3651
|
| |
|
|
|
|
| |
This fixes an outstanding permissions issue from the OTP work.
https://fedorahosted.org/freeipa/ticket/3693
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3743
|
| |
|
|
|
|
|
|
| |
The referint plugin does a substring search on these attributes each time an
entry is deleted, which causes a noticable slowdown for large directories if
the attributes are not indexed.
https://fedorahosted.org/freeipa/ticket/3706
|
| |
|
|
|
|
| |
This prevents getting full member list from LDAP and putting it back later.
https://fedorahosted.org/freeipa/ticket/3706
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3706
|
