Commit log (each entry: subject; author, date; files changed, lines removed/added; commit message)
* disallow mod of topology segment nodes
  Petr Vobornik, 2015-06-11 (3 files changed, -6/+5)
  Mod of segment end will be disallowed in topology plugin. Reasoning (by Ludwig): if we want to properly allow mods to change connectivity and endpoints, then we would need to check if the mod disconnects the topology, delete existing agreements, check if the new would be a duplicate and create new agmts. There could be some difficult scenarios, like having A <--> B <--> C <--> D: if you modify the segment B-C to A-D, topology breaks and is then reconnected.
  part of: https://fedorahosted.org/freeipa/ticket/4302
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Revert 389-DS BuildRequires version to 1.3.3.9
  Martin Basti, 2015-06-11 (1 file changed, -1/+1)
  Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
* Update PKCS#11 mechanism constants for AES key wrapping to PKCS#11 v2.40.
  Petr Spacek, 2015-06-11 (2 files changed, -3/+3)
  SoftHSM 2.0.0rc1 was updated to these new constants to avoid collision with Blowfish mechanisms.
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Use 389-ds centralized scripts.
  David Kupka, 2015-06-11 (3 files changed, -4/+16)
  Directory server is deprecating use of tools in instance-specific paths. Instead, tools in the bin/sbin path should be used.
  https://fedorahosted.org/freeipa/ticket/4051
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNSSEC: validate forward zone forwarders
  Martin Basti, 2015-06-11 (4 files changed, -3/+202)
  Show warning messages if DNSSEC validation is failing for a particular FW zone or if the specified forwarders do not work.
  https://fedorahosted.org/freeipa/ticket/4657
  Reviewed-By: David Kupka <dkupka@redhat.com>
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* DNSSEC: Improve global forwarders validation
  Martin Basti, 2015-06-11 (5 files changed, -65/+188)
  Validation now provides more detailed information and fewer false-positive failures.
  https://fedorahosted.org/freeipa/ticket/4657
  Reviewed-By: David Kupka <dkupka@redhat.com>
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* rename topologysegment_refresh to topologysegment_reinitialize
  Petr Vobornik, 2015-06-11 (3 files changed, -4/+5)
  https://fedorahosted.org/freeipa/ticket/5056
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Enforce CA ACLs in cert-request command
  Fraser Tweedale, 2015-06-11 (2 files changed, -0/+93)
  This commit adds CA ACL enforcement to the cert-request command and uses the pyhbac machinery. It is planned to implement ACL enforcement in Dogtag in a future release, and remove certificate issuance privileges and CA ACL enforcement responsibility from the framework. See https://fedorahosted.org/freeipa/ticket/5011 for more information.
  Part of: https://fedorahosted.org/freeipa/ticket/57
  Part of: https://fedorahosted.org/freeipa/ticket/4559
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Add CA ACL plugin
  Fraser Tweedale, 2015-06-11 (16 files changed, -2/+771)
  Implement the caacl commands, which are used to indicate which principals may be issued certificates from which (sub-)CAs, using which profiles. At this commit, and until sub-CAs are implemented, all rules refer to the top-level CA (represented as ".") and no ca-ref argument is exposed.
  Also, during install and upgrade add a default CA ACL that permits certificate issuance for all hosts and services using the profile 'caIPAserviceCert' on the top-level CA.
  Part of: https://fedorahosted.org/freeipa/ticket/57
  Part of: https://fedorahosted.org/freeipa/ticket/4559
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* webui: make topology suffixes UI readonly
  Petr Vobornik, 2015-06-11 (1 file changed, -8/+7)
  Admins should not modify topology suffixes. They are created on install/upgrade.
  part of: https://fedorahosted.org/freeipa/ticket/4997
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* add entries required by topology plugin on update
  Petr Vobornik, 2015-06-11 (1 file changed, -0/+16)
  These entries were not added on upgrade from old IPA servers and on replica creation.
  https://fedorahosted.org/freeipa/ticket/4302
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* move replication managers group to cn=sysaccounts,cn=etc,$SUFFIX
  Petr Vobornik, 2015-06-11 (3 files changed, -4/+7)
  https://fedorahosted.org/freeipa/ticket/4302
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* vault: Fix ipa-kra-install
  Jan Cholasta, 2015-06-10 (11 files changed, -96/+102)
  Use state in LDAP rather than local state to check if KRA is installed. Use correct log file names.
  https://fedorahosted.org/freeipa/ticket/3872
  Reviewed-By: David Kupka <dkupka@redhat.com>
* install: Initialize API early in server and replica install
  Jan Cholasta, 2015-06-10 (2 files changed, -177/+191)
  https://fedorahosted.org/freeipa/ticket/4468
  Reviewed-By: David Kupka <dkupka@redhat.com>
* vault: Move vaults to cn=vaults,cn=kra
  Jan Cholasta, 2015-06-10 (10 files changed, -25/+45)
  https://fedorahosted.org/freeipa/ticket/3872
  Reviewed-By: David Kupka <dkupka@redhat.com>
* check for existing and self-referential segments
  Ludwig Krispenz, 2015-06-10 (1 file changed, -10/+20)
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* topology: hide topologysuffix-add del mod commands
  Petr Vobornik, 2015-06-10 (1 file changed, -0/+6)
  Suffixes are created on installation/upgrade. Users should not modify them.
  https://fedorahosted.org/freeipa/ticket/4302
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* topology: allow only one node to be specified in topologysegment-refresh
  Petr Vobornik, 2015-06-10 (1 file changed, -6/+13)
  https://fedorahosted.org/freeipa/ticket/4302
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Fixed KRA installation problem.
  Endi S. Dewata, 2015-06-10 (1 file changed, -7/+8)
  The ipa-pki-proxy.conf has been modified to optionally require client certificate authentication for PKI REST services as it's done in standalone PKI to allow the proper KRA installation.
  https://fedorahosted.org/freeipa/ticket/5058
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* install: Migrate ipa-replica-install to the install framework
  Jan Cholasta, 2015-06-10 (3 files changed, -201/+275)
  https://fedorahosted.org/freeipa/ticket/4468
  Reviewed-By: David Kupka <dkupka@redhat.com>
* install: Allow setting usage in CLI tools
  Jan Cholasta, 2015-06-10 (1 file changed, -4/+8)
  https://fedorahosted.org/freeipa/ticket/4468
  Reviewed-By: David Kupka <dkupka@redhat.com>
* install: Add support for positional arguments in CLI tools
  Jan Cholasta, 2015-06-10 (1 file changed, -34/+106)
  https://fedorahosted.org/freeipa/ticket/4468
  Reviewed-By: David Kupka <dkupka@redhat.com>
* install: Handle Knob cli_name and cli_aliases values consistently
  Jan Cholasta, 2015-06-10 (2 files changed, -23/+24)
  https://fedorahosted.org/freeipa/ticket/4468
  Reviewed-By: David Kupka <dkupka@redhat.com>
* Fix s4u2proxy README and add warning
  Simo Sorce, 2015-06-08 (1 file changed, -2/+14)
  The attribute mentioned was using an older name that was later changed in the implementation. Also add a prominent warning about the use of the kadmin flags.
  Reviewed-by: Rob Crittenden <rcritten@redhat.com>
* install: Migrate ipa-server-install to the install framework
  Jan Cholasta, 2015-06-08 (4 files changed, -499/+660)
  https://fedorahosted.org/freeipa/ticket/4468
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* install: Introduce installer framework ipapython.install
  Jan Cholasta, 2015-06-08 (8 files changed, -1/+1084)
  https://fedorahosted.org/freeipa/ticket/4468
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* install: Move private_ccache from ipaserver to ipapython
  Jan Cholasta, 2015-06-08 (5 files changed, -29/+29)
  https://fedorahosted.org/freeipa/ticket/4468
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* install: Fix external CA server install
  Jan Cholasta, 2015-06-08 (2 files changed, -20/+19)
  https://fedorahosted.org/freeipa/ticket/4468
  Reviewed-By: David Kupka <dkupka@redhat.com>
* install: Fix CA-less server install
  Jan Cholasta, 2015-06-08 (1 file changed, -0/+6)
  https://fedorahosted.org/freeipa/ticket/4468
  Reviewed-By: David Kupka <dkupka@redhat.com>
* Added vault-archive and vault-retrieve commands.
  Endi S. Dewata, 2015-06-08 (5 files changed, -4/+634)
  New commands have been added to archive and retrieve data into and from a vault, also to retrieve the transport certificate.
  https://fedorahosted.org/freeipa/ticket/3872
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* install: Fix missing variable initialization in replica install
  Jan Cholasta, 2015-06-08 (1 file changed, -0/+1)
  https://fedorahosted.org/freeipa/ticket/4468
* Move CA installation code into single module.
  David Kupka, 2015-06-08 (5 files changed, -345/+330)
  https://fedorahosted.org/freeipa/ticket/4468
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Migration now accepts scope as argument
  Drew Erny, 2015-06-05 (3 files changed, -4/+22)
  Adds a new option to command ipa migrate-ds, --scope=[base,onelevel,subtree], which allows the user to specify LDAP search depth for users and groups. 'onelevel' was the hard-coded level before this patch and is still default. Specify 'subtree' to search nested OUs for users and groups.
  https://fedorahosted.org/freeipa/ticket/2547
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Clarify host name output in ipa-client-install
  Petr Spacek, 2015-06-05 (1 file changed, -1/+1)
  Proposed by Tomas Capek.
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Grammar fix in 'Estimated time' messages printed by installer
  Petr Spacek, 2015-06-05 (1 file changed, -1/+1)
  Proposed by Tomas Capek.
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Clarify messages related to adding DNS forwarders
  Petr Spacek, 2015-06-05 (1 file changed, -6/+5)
  Proposed by Tomas Capek.
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* webui: better error reporting
  Petr Vobornik, 2015-06-05 (4 files changed, -1/+11)
  - ActionDropdownWidget - report error if required action is missing
  - report build errors to console
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* webui: don't log in back after logout
  Petr Vobornik, 2015-06-05 (2 files changed, -1/+18)
  Automatic login attempt is initiated by first failed xhr request which happens in metadata phase. New phase was added before metadata phase. It interrupts UI load and shows login page if it's directly after logout (marked in session storage). Successful manual login resolves the phase so that metadata phase can follow.
  https://fedorahosted.org/freeipa/ticket/5008
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* ipa-pki-proxy: allow certificate and password authentication
  Fraser Tweedale, 2015-06-05 (1 file changed, -3/+10)
  ipa-replica-install --setup-ca is failing because the security domain login attempts password authentication, but the current ipa-pki-proxy requires certificate authentication. Set NSSVerifyClient optional to allow both certificate and password authentication to work.
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Import profiles earlier during install
  Fraser Tweedale, 2015-06-05 (3 files changed, -6/+12)
  Currently, IPA certificate profile import happens at end of install. Certificate issuance during the install process does work but uses an un-customised caIPAserviceCert profile, resulting in incorrect subject DNs and missing extensions. Furthermore, the caIPAserviceCert profile shipped with Dogtag will eventually be removed.
  Move the import of included certificate profiles to the end of the cainstance deployment phase, prior to the issuance of DS and HTTP certificates.
  Part of: https://fedorahosted.org/freeipa/ticket/4002
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fix certificate subject base
  Fraser Tweedale, 2015-06-05 (1 file changed, -1/+1)
  Profile management patches introduced a regression where a custom certificate subject base (if configured) is not used in the default profile. Use the configured subject base.
  Part of: https://fedorahosted.org/freeipa/ticket/4002
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Abstract the HostTracker class from host plugin test
  Milan Kubík, 2015-06-05 (2 files changed, -150/+292)
  Implements a base class to help test LDAP based plugins. The class has been decoupled from the original host plugin test and moved to separate module ipatests.test_xmlrpc.ldaptracker.
  https://fedorahosted.org/freeipa/ticket/5032
  Reviewed-By: David Kupka <dkupka@redhat.com>
* webui: configurable refresh command
  Petr Vobornik, 2015-06-04 (1 file changed, -2/+11)
  Allows changing the default 'show' command to something different, e.g. 'get'.
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* webui: topology plugin
  Petr Vobornik, 2015-06-04 (7 files changed, -1/+440)
  https://fedorahosted.org/freeipa/ticket/4997
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* webui: make usage of --all in details facet optional
  Petr Vobornik, 2015-06-04 (1 file changed, -2/+13)
  refactoring for domains level UI
  https://fedorahosted.org/freeipa/ticket/4997
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* webui: use command_dialog as a base class for password dialog
  Petr Vobornik, 2015-06-04 (2 files changed, -197/+6)
  refactoring for: https://fedorahosted.org/freeipa/ticket/4997
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* webui: IPA.command_dialog - a new dialog base class
  Petr Vobornik, 2015-06-04 (3 files changed, -3/+217)
  refactoring for: https://fedorahosted.org/freeipa/ticket/4997
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* topology: ipa management commands
  Petr Vobornik, 2015-06-04 (4 files changed, -2/+543)
  ipalib part of topology management
  Design:
  - http://www.freeipa.org/page/V4/Manage_replication_topology
  https://fedorahosted.org/freeipa/ticket/4302
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* crash when removing a replica
  Ludwig Krispenz, 2015-06-04 (1 file changed, -3/+11)
  When a server is removed from the topology, the plugin tries to remove the credentials from the replica and the bind dn group. It performs an internal search for the ldap principal, but can fail if it was already removed. Due to an uninitialized variable in this case it can either crash or erroneously remove all principals.
  Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* plugin uses 1 as minimum domain level to become active, no calculation based on plugin version
  Ludwig Krispenz, 2015-06-04 (4 files changed, -28/+12)
  Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>