Commit log (each entry: commit message, author, age, files changed, lines removed/added)
* Update cert-request to support user certs and profiles (Fraser Tweedale, 2015-06-04; 3 files, -89/+135)
  Part of: https://fedorahosted.org/freeipa/ticket/57
  Part of: https://fedorahosted.org/freeipa/ticket/4938
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Add usercertificate attribute to user plugin (Fraser Tweedale, 2015-06-04; 6 files, -10/+27)
  Part of: https://fedorahosted.org/freeipa/tickets/4938
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Add profile_id parameter to 'request_certificate' (Fraser Tweedale, 2015-06-04; 6 files, -6/+12)
  Add the profile_id parameter to the 'request_certificate' function and update call sites. Also remove multiple occurrences of the default profile ID 'caIPAserviceCert'.
  Part of: https://fedorahosted.org/freeipa/ticket/57
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Add generic split_any_principal method (Fraser Tweedale, 2015-06-04; 1 file, -8/+19)
  There exist methods to split user or service/host principals, but there is no method to split any kind of principal and allow the caller to decide what to do. Generalize ``ipalib.plugins.service.split_principal`` to return a service of ``None`` if the principal is a user principal, rename it ``split_any_principal`` and reimplement ``split_principal`` to preserve existing behaviour.
  Part of: https://fedorahosted.org/freeipa/ticket/4938
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Import included profiles during install or upgrade (Fraser Tweedale, 2015-06-04; 12 files, -223/+228)
  Add a default service profile template as part of FreeIPA and format and import it as part of the installation or upgrade process. Also remove the code that modifies the old (file-based) 'caIPAserviceCert' profile.
  Fixes https://fedorahosted.org/freeipa/ticket/4002
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Enable LDAP-based profiles in CA on upgrade (Fraser Tweedale, 2015-06-04; 1 file, -0/+40)
  Part of: https://fedorahosted.org/freeipa/ticket/4560
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Add certprofile plugin (Fraser Tweedale, 2015-06-04; 9 files, -13/+534)
  Add the 'certprofile' plugin which defines the commands for managing certificate profiles and associated permissions. Also update Dogtag network code in 'ipapython.dogtag' to support headers and arbitrary request bodies, to facilitate use of the Dogtag profiles REST API.
  Part of: https://fedorahosted.org/freeipa/ticket/57
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Add ACL to allow CA agent to modify profiles (Fraser Tweedale, 2015-06-04; 2 files, -0/+40)
  Part of: https://fedorahosted.org/freeipa/ticket/57
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* ipa-pki-proxy: provide access to profiles REST API (Fraser Tweedale, 2015-06-04; 1 file, -2/+10)
  Part of: https://fedorahosted.org/freeipa/ticket/57
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Add schema for certificate profiles (Fraser Tweedale, 2015-06-04; 4 files, -0/+17)
  The certprofile object class is used to track IPA-managed certificate profiles in Dogtag and store IPA-specific settings.
  Part of: https://fedorahosted.org/freeipa/ticket/57
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Install CA with LDAP profiles backend (Fraser Tweedale, 2015-06-04; 2 files, -3/+4)
  Install the Dogtag CA to use the LDAPProfileSubsystem instead of the default (file-based) ProfileSubsystem.
  Part of: https://fedorahosted.org/freeipa/ticket/4560
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fix certificate management with service-mod (Fraser Tweedale, 2015-06-03; 1 file, -1/+1)
  Adding or removing certificates from a service via --addattr or --delattr is broken. Get certificates from entry_attrs instead of options.
  https://fedorahosted.org/freeipa/ticket/4238
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fix: regression in host and service plugin (Martin Basti, 2015-06-03; 2 files, -7/+14)
  Test failures:
  * wrong error message
  * mod operation always deletes usercertificates
  https://fedorahosted.org/freeipa/ticket/4238
  Reviewed-By: Milan Kubik <mkubik@redhat.com>
  Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
* accept missing binddn group (Ludwig Krispenz, 2015-06-03; 1 file, -2/+2)
  Replicas installed from older versions do not have a binddn group; just accept the error.
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Add plugin to manage service constraint delegations (Rob Crittenden, 2015-06-03; 8 files, -2/+1320)
  Service Constraints are the delegation model used by ipa-kdb to grant service A the ability to obtain a TGT for a user against service B.
  https://fedorahosted.org/freeipa/ticket/3644
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Support multiple host and service certificates (Fraser Tweedale, 2015-06-02; 4 files, -91/+124)
  Update the framework to support multiple host and service certificates.
  host-mod and service-mod revoke existing certificates that are not included in the modified entry. Using addattr=certificate=... will result in no certificates being revoked.
  The existing behaviour of host-disable, host-del, service-disable and service-del (revoke existing certificate) is preserved but now applies to all certificates in the host or service entry.
  Also update host-show and service-show to write all the principal's certificates to the file given by the ``--out=FILE`` option.
  Part of: http://www.freeipa.org/page/V4/User_Certificates
  https://fedorahosted.org/freeipa/ticket/4238
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Do not print traceback when pipe is broken (Gabe, 2015-06-02; 1 file, -1/+4)
  https://fedorahosted.org/freeipa/ticket/2284
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Allow ipa help command to run when ipa-client-install is not configured (Gabe, 2015-06-02; 1 file, -1/+1)
  https://fedorahosted.org/freeipa/ticket/3584
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* ULC: fix: upgrade for Stage User Admins failed (Martin Basti, 2015-06-02; 1 file, -0/+5)
  Upgrade failed because entry 'dn: cn=Stage User Administrators,cn=privileges,cn=pbac,$SUFFIX' doesn't exist. Now upgrade will create the privilege if it does not exist.
  https://fedorahosted.org/freeipa/ticket/3813
  Reviewed-By: David Kupka <dkupka@redhat.com>
* replica install fails with domain level 1 (Ludwig Krispenz, 2015-06-02; 3 files, -5/+3)
  When updating a replication agreement from a topology segment, an incorrect default value was used for bindmethod. Only attributes explicitly set in the segment should be applied.
  At shutdown the server could crash because the plugin was called after it was stopped.
  https://fedorahosted.org/freeipa/ticket/5035
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
  Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
* Installers fix: remove temporary ccache (Martin Basti, 2015-06-02; 1 file, -6/+11)
  The environment variable may be changed from outside, so store the path in a global variable.
  https://fedorahosted.org/freeipa/ticket/5042
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Add compatibility function for older libkrb5 (Simo Sorce, 2015-05-30; 1 file, -1/+60)
  Before krb5 1.13 the krb5_salttype_to_string() function was returning incorrect names (display names of some kind instead of the names used by the rest of the library to map saltname to the salt type integer number).
  This patch adds a function that checks at runtime if we have a working function and uses a fallback map updated to the salt types known up to 1.12. This allows us to use the library-provided function in following releases where new salt types may emerge.
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Milan Kubik <mkubik@redhat.com>
* install: Move ipa-server-upgrade code into a module (Jan Cholasta, 2015-05-29; 3 files, -66/+74)
  https://fedorahosted.org/freeipa/ticket/4468
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* install: Move ipa-replica-install code into a module (Jan Cholasta, 2015-05-29; 3 files, -596/+652)
  https://fedorahosted.org/freeipa/ticket/4468
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* install: Move ipa-server-install code into a module (Jan Cholasta, 2015-05-29; 3 files, -1042/+1239)
  https://fedorahosted.org/freeipa/ticket/4468
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* install: Make a package out of ipaserver.install.server (Jan Cholasta, 2015-05-29; 4 files, -0/+7)
  Until ipa-server-install, ipa-replica-install and ipa-server-upgrade are merged into a single code base, keep their respective bits in separate modules in the package.
  https://fedorahosted.org/freeipa/ticket/4468
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Detect default encsalts kadmin password change (Simo Sorce, 2015-05-27; 7 files, -0/+231)
  When kadmin tries to change a password it will get the allowed keysalts from the password policy. Failure to provide them will result in kadmin using the defaults specified in the kdc.conf file or hardcoded defaults (the default salt is then of type NORMAL).
  This patch provides the supported values that have been read out of the appropriate LDAP attribute when we read the server configuration. Then at actual password change, check if kadmin is handing us back the exact list of supported encsalts we sent it, and in that case replace it with the real default encsalts.
  Fixes https://fedorahosted.org/freeipa/ticket/4914
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Martin Babinsky <mbabinsk@redhat.com>
* KRA: get the right dogtag version during server uninstall (Martin Babinsky, 2015-05-26; 1 file, -1/+1)
  Ensure that the correct version of dogtag is passed from the API object to the KRA uninstaller during IPA server uninstall.
  https://fedorahosted.org/freeipa/ticket/4468
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* server-find and server-show commands (Petr Vobornik, 2015-05-26; 4 files, -2/+119)
  ipa server-find
  ipa server-show FQDN
  These commands display a list of IPA servers stored in cn=masters,cn=ipa,cn=etc,$SUFFIX
  https://fedorahosted.org/freeipa/ticket/4302
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Add Domain Level feature (Tomas Babej, 2015-05-26; 17 files, -14/+280)
  https://fedorahosted.org/freeipa/ticket/5018
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Server Upgrade: fix remove statement (Martin Basti, 2015-05-26; 1 file, -3/+4)
  If the value does not exist, do not update the entry. Otherwise, together with a nonexistent entry, an LDAP decode error will be raised.
  https://fedorahosted.org/freeipa/ticket/4904
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Fix: use DS socket check only for upgrade (Martin Basti, 2015-05-26; 2 files, -17/+33)
  To detect if the DS server is running, use the slapd socket for upgrade, and the LDAP port for installation. Without LDAPi enabled, socket checking doesn't work.
  https://fedorahosted.org/freeipa/ticket/4904
  Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
* install part - manage topology in shared tree (Ludwig Krispenz, 2015-05-26; 7 files, -1/+47)
  https://fedorahosted.org/freeipa/ticket/4302
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* ds plugin - manage replication topology in the shared tree (Ludwig Krispenz, 2015-05-26; 14 files, -0/+4079)
  Implementation of ticket: https://fedorahosted.org/freeipa/ticket/4302
  Design page: http://www.freeipa.org/page/V4/Manage_replication_topology
  Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
* replica-manage: Properly delete nested entries (Tomas Babej, 2015-05-26; 2 files, -3/+3)
  Bad ordering of LDAP entries during replica removal resulted in a failure to delete the replica and its services from cn=masters,cn=ipa,cn=etc,$SUFFIX. This patch enforces the correct ordering of entries, resulting in proper removal of services before the host entry itself.
  https://fedorahosted.org/freeipa/ticket/5019
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Fix typo in ipa-server-upgrade man page (Martin Kosek, 2015-05-26; 1 file, -1/+1)
* Server Upgrade: Move code from ipa-upgradeconfig to separate module (Martin Basti, 2015-05-25; 3 files, -1420/+1383)
  This also prevents the ipa-upgradeconfig script from executing the upgrade. Upgrade of services is called from ipa-server-upgrade.
  https://fedorahosted.org/freeipa/ticket/4904
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* merge KRA installation machinery to a single module (Martin Babinsky, 2015-05-25; 4 files, -100/+118)
  This is a prerequisite to further refactoring of KRA install/uninstall functionality in all IPA install scripts.
  https://fedorahosted.org/freeipa/ticket/4468
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipaserver/dcerpc: Ensure LSA pipe has session key before using it (Alexander Bokovoy, 2015-05-25; 1 file, -5/+14)
  With Samba 4.2 there is a bug that prevents Samba from considering Kerberos credentials used by the IPA httpd process when talking to smbd. As a result, the LSA RPC connection is seen as anonymous by Samba client code and we cannot derive a session key to use for encrypting trust secrets before transmitting them.
  Additionally, the rewrite of the SMB protocol support in Samba caused previously working logic for choosing the DCE RPC binding string to fail. We need to try a different set of priorities until they fail or succeed.
  Requires Samba fixes from https://bugzilla.redhat.com/show_bug.cgi?id=1219832
  Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1219834
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Added vault plugin. (Endi S. Dewata, 2015-05-25; 9 files, -2/+865)
  A new plugin has been added to manage vaults. Test scripts have also been added to verify the functionality.
  https://fedorahosted.org/freeipa/ticket/3872
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* git ignore ipaplatform/__init__.py (Petr Vobornik, 2015-05-22; 1 file, -0/+1)
  This file is generated in `make version-update`, added in 9f049ca14403f3696d54d186e6b1b15181f055df
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Server Upgrade: Fix: execute schema update (Martin Basti, 2015-05-22; 1 file, -1/+5)
  Accidentally, the schema upgrade was not executed.
  https://fedorahosted.org/freeipa/ticket/4904
  Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
* Server Upgrade: wait until DS is ready (Martin Basti, 2015-05-22; 2 files, -5/+17)
  During server upgrade we should wait until DS is ready after restart, otherwise a connection error is raised. Instead of port 389, the DS socket is checked.
  https://fedorahosted.org/freeipa/ticket/4904
  Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
* Uid uniqueness: fix: exclude compat tree from uniqueness (Martin Basti, 2015-05-22; 1 file, -0/+2)
  Without this commit it is not possible to move a user to the staged area.
  Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
* client-install: Fix kinits with non-default Kerberos config file (Jan Cholasta, 2015-05-21; 2 files, -4/+22)
  https://fedorahosted.org/freeipa/ticket/4808
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* do not check for directory manager password during KRA uninstall (Martin Babinsky, 2015-05-20; 1 file, -17/+17)
  ipa-kra-install validates and asks for the directory manager password during the uninstallation phase. Since this password is never used during service uninstall, the uninstaller will not perform these checks anymore.
  https://fedorahosted.org/freeipa/ticket/5028
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* webui: datetime widget with datepicker (Petr Vobornik, 2015-05-20; 3 files, -5/+276)
  The datetime widget was transformed from a simple text input to 3 separate inputs:
  - date with bootstrap-datepicker
  - hour
  - minute
  e.g.:
    Validity end [ 2015-05-18 ] [23]:[01] UTC
    Vendor       [ abc ]
  Editing of seconds is not supported.
  https://fedorahosted.org/freeipa/ticket/4347
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* webui: add bootstrap-datepicker files (Petr Vobornik, 2015-05-20; 6 files, -1/+29)
  https://fedorahosted.org/freeipa/ticket/4347
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* webui: option to not create user private group (Petr Vobornik, 2015-05-20; 3 files, -1/+9)
  The Web UI was not able to create a user without a private group. A new field was added to the user adder dialog to allow that.
  https://fedorahosted.org/freeipa/ticket/4986
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Ales 'alich' Marecek <amarecek@redhat.com>
* webui: fix empty table border in Firefox (Petr Vobornik, 2015-05-20; 1 file, -1/+4)
  Firefox suffers from: https://bugzilla.mozilla.org/show_bug.cgi?id=409254
  This is a workaround to fix it.
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>