summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* specfile: Add BuildRequires for pki-base 10.2.1-0Tomas Babej2014-11-071-0/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/4688 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Update slapi-nis dependency to pull 0.54.1Alexander Bokovoy2014-11-071-1/+1
| | | | Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Ensure that a password exists after OTP validationNathaniel McCallum2014-11-061-12/+14
| | | | | | | | | | | | | | Before this patch users could log in using only the OTP value. This arose because ipapwd_authentication() successfully determined that an empty password was invalid, but 389 itself would see this as an anonymous bind. An anonymous bind would never even get this far in this code, so we simply deny requests with empty passwords. This patch resolves CVE-2014-7828. https://fedorahosted.org/freeipa/ticket/4690 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fix upgrade: do not use invalid ldap connectionMartin Basti2014-11-062-0/+9
| | | | | Ticket: https://fedorahosted.org/freeipa/ticket/4670 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Stop dirsrv last in ipactl stop.David Kupka2014-11-061-6/+6
| | | | | | | | Other services may depend on directory server. https://fedorahosted.org/freeipa/ticket/4632 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Deadlock in schema compat plugin (between automember_update_membership task ↵Thierry bordaz (tbordaz)2014-11-061-10/+20
| | | | | | | | | | | | | | | and dse update) Defining schema-compat-ignore-subtree values for schema compat plugin config entries removes the default value (ignore: cn=tasks,cn=config). This default value prevented deadlocks. Schema plugin needs to scope the $SUFFIX and also any updates to its configuration. This change restrict the schema compat to those subtrees. It replaces the definition of ignored subtrees that would be too long for cn=config (tasks, mapping tree, replication, snmp..) https://fedorahosted.org/freeipa/ticket/4635 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fix various bugs in ipap11helperJan Cholasta2014-11-051-15/+10
| | | | | | | | | | | Fixes a memory leak, a library handle leak and a double free. Also remove some redundant NULL checks before free to prevent false positives in static code analysis. https://fedorahosted.org/freeipa/ticket/4651 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fix memory leaks in ipa-joinJan Cholasta2014-11-052-11/+9
| | | | | | | | | Also remove dead code in ipa-join and add initializer to a variable in ipa-getkeytab to prevent false positives in static code analysis. https://fedorahosted.org/freeipa/ticket/4651 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fix memory leak in ipa-pwd-extopJan Cholasta2014-11-052-3/+2
| | | | | | | | | Also remove dead code and explicitly mark an ignored return value to prevent false positives in static code analysis. https://fedorahosted.org/freeipa/ticket/4651 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fix various bugs in ipa-opt-counter and ipa-otp-lasttokenJan Cholasta2014-11-053-5/+17
| | | | | | | | Fixes a wrong sizeof argument and unchecked return values. https://fedorahosted.org/freeipa/ticket/4651 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fix memory leaks in ipa-extdom-extopJan Cholasta2014-11-051-5/+7
| | | | | | https://fedorahosted.org/freeipa/ticket/4651 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fix possible NULL dereference in ipa-kdbJan Cholasta2014-11-051-3/+5
| | | | | | https://fedorahosted.org/freeipa/ticket/4651 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fail if certmonger can't see new CA certificate in LDAP in ipa-cacert-manageJan Cholasta2014-11-052-24/+19
| | | | | | | | | This should not normally happen, but if it does, report an error instead of waiting idefinitely for the certificate to appear. https://fedorahosted.org/freeipa/ticket/4629 Reviewed-By: David Kupka <dkupka@redhat.com>
* Respect UID and GID soft static allocation.David Kupka2014-11-055-44/+73
| | | | | | | | https://fedoraproject.org/wiki/Packaging:UsersAndGroups?rd=Packaging/UsersAndGroups#Soft_static_allocation https://fedorahosted.org/freeipa/ticket/4585 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fixed KRA backend.Endi S. Dewata2014-11-047-121/+101
| | | | | | | | | | | | | | | | | | | | | | | | | | | The KRA backend has been simplified since most of the tasks have been moved somewhere else. The transport certificate will be installed on the client, and it is not needed by KRA backend. The KRA agent's PEM certificate is now generated during installation due to permission issue. The kra_host() for now is removed since the current ldap_enable() cannot register the KRA service, so it is using the kra_host environment variable. The KRA installer has been modified to use Dogtag's CLI to create KRA agent and setup the client authentication. The proxy settings have been updated to include KRA's URLs. Some constants have been renamed for clarity. The DOGTAG_AGENT_P12 has been renamed to DOGTAG_ADMIN_P12 since file actually contains the Dogtag admin's certificate and private key and it can be used to access both CA and KRA. The DOGTAG_AGENT_PEM has been renamed to KRA_AGENT_PEM since it can only be used for KRA. The Dogtag dependency has been updated to 10.2.1-0.1. https://fedorahosted.org/freeipa/ticket/4503 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Fix CI tests: install_adtrustMartin Basti2014-11-041-1/+9
| | | | | | | IPA uses both named and named-pkcs11 service. If named is masked use named-pkcs11, instead of raising exception Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Remove trivial path constants from modulesGabe2014-11-0410-80/+57
| | | | | | https://fedorahosted.org/freeipa/ticket/4399 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Add bind-dyndb-ldap working dir to IPA specfileMartin Basti2014-10-311-0/+2
| | | | | | https://fedorahosted.org/freeipa/ticket/4657#comment:6 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Do not wait for new CA certificate to appear in LDAP in ipa-certupdateJan Cholasta2014-10-302-40/+53
| | | | | | | | | If new certificate is not available, reuse the old one, instead of waiting indefinitely for the new certificate to appear. https://fedorahosted.org/freeipa/ticket/4628 Reviewed-By: David Kupka <dkupka@redhat.com>
* Handle profile changes in dogtag-ipa-ca-renew-agentJan Cholasta2014-10-291-7/+80
| | | | | | | | | | | | | | | | | | | To update the CA certificate in the Dogtag NSS database, the "ipa-cacert-manage renew" and "ipa-certupdate" commands temporarily change the profile of the CA certificate certmonger request, resubmit it and change the profile back to the original one. When something goes wrong while resubmitting the request, it needs to be modified and resubmitted again manually. This might fail with invalid cookie error, because changing the profile does not change the internal state of the request. Detect this in dogtag-ipa-ca-renew-agent and reset the internal state when profile is changed. https://fedorahosted.org/freeipa/ticket/4627 Reviewed-By: David Kupka <dkupka@redhat.com>
* Fix zone name to directory name conversion in BINDMgr.Petr Spacek2014-10-291-1/+31
| | | | | | https://fedorahosted.org/freeipa/ticket/4657 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fix dns zonemgr validation regressionMartin Basti2014-10-271-0/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/4663 Reviewed-By: David Kupka <dkupka@redhat.com>
* Add ipaSshPubkey and gidNumber to the ACI to read ID user overridesAlexander Bokovoy2014-10-242-1/+2
| | | | | | https://fedorahosted.org/freeipa/ticket/4664 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Do not check if port 8443 is available in step 2 of external CA installJan Cholasta2014-10-222-5/+7
| | | | | | | | | The port is never available in step 2 of external CA install, as Dogtag is already running. https://fedorahosted.org/freeipa/ticket/4660 Reviewed-By: David Kupka <dkupka@redhat.com>
* build: increase java stack size for all archesPetr Vobornik2014-10-221-2/+1
| | | | | | | Gradually new arches which need a bigger stack size for web ui build appear. It's safer to increase the stack size for every architecture and avoid possible future issues. Reason: build fail on armv7hl Reviewed-By: Martin Kosek <mkosek@redhat.com>
* fix forwarder validation errorsMartin Basti2014-10-213-8/+18
| | | | | | Fix tests, validation in dnsconfig mod, wuser warning Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Default to use TLSv1.0 and TLSv1.1 on the IPA server sideAlexander Bokovoy2014-10-211-0/+4
| | | | | | | | We only will be changing the setting on the install. For modifying existing configurations please follow instructions at https://access.redhat.com/solutions/1232413 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* fix DNSSEC restore named stateMartin Basti2014-10-211-2/+2
| | | | Reviewed-By: Petr Spacek <pspacek@redhat.com>
* updater: enable uid uniqueness plugin for posixAccountsAlexander Bokovoy2014-10-212-0/+116
| | | | | | https://fedorahosted.org/freeipa/ticket/4636 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* DNSSEC: remove container_dnssec_keysJan Cholasta2014-10-213-3/+4
| | | | Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNSSEC: change link to ipa pageMartin Basti2014-10-211-3/+1
| | | | | | | | | | | | Tickets: https://fedorahosted.org/freeipa/ticket/3801 https://fedorahosted.org/freeipa/ticket/4417 Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
* DNSSEC: add files to backupMartin Basti2014-10-211-0/+11
| | | | | | | | | | | | Tickets: https://fedorahosted.org/freeipa/ticket/3801 https://fedorahosted.org/freeipa/ticket/4417 Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
* DNSSEC: add ipa dnssec daemonsPetr Spacek2014-10-2119-1/+2293
| | | | | | | | | | | | Tickets: https://fedorahosted.org/freeipa/ticket/3801 https://fedorahosted.org/freeipa/ticket/4417 Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
* DNSSEC: ACIMartin Basti2014-10-212-0/+59
| | | | | | | | | | | | Tickets: https://fedorahosted.org/freeipa/ticket/3801 https://fedorahosted.org/freeipa/ticket/4417 Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
* DNSSEC: upgradingMartin Basti2014-10-211-0/+67
| | | | | | | | | | | | Tickets: https://fedorahosted.org/freeipa/ticket/3801 https://fedorahosted.org/freeipa/ticket/4417 Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
* DNSSEC: uninstallationMartin Basti2014-10-212-0/+37
| | | | | | | | | | | | Tickets: https://fedorahosted.org/freeipa/ticket/3801 https://fedorahosted.org/freeipa/ticket/4417 Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
* DNSSEC: installationMartin Basti2014-10-213-9/+69
| | | | | | | | | | | | Tickets: https://fedorahosted.org/freeipa/ticket/3801 https://fedorahosted.org/freeipa/ticket/4417 Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
* DNSSEC: modify named service to support dnssecMartin Basti2014-10-211-11/+51
| | | | | | | | | | | | Tickets: https://fedorahosted.org/freeipa/ticket/3801 https://fedorahosted.org/freeipa/ticket/4417 Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
* DNSSEC: validate forwardersMartin Basti2014-10-218-6/+158
| | | | | | | | | | | | Tickets: https://fedorahosted.org/freeipa/ticket/3801 https://fedorahosted.org/freeipa/ticket/4417 Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
* DNSSEC: platform paths and servicesMartin Basti2014-10-216-2/+85
| | | | | | | | | | | | Tickets: https://fedorahosted.org/freeipa/ticket/3801 https://fedorahosted.org/freeipa/ticket/4417 Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
* DNSSEC: opendnssec servicesMartin Basti2014-10-216-0/+716
| | | | | | | | | | | | Tickets: https://fedorahosted.org/freeipa/ticket/3801 https://fedorahosted.org/freeipa/ticket/4417 Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
* DNSSEC: DNS key synchronization daemonMartin Basti2014-10-218-2/+525
| | | | | | | | | | | | Tickets: https://fedorahosted.org/freeipa/ticket/3801 https://fedorahosted.org/freeipa/ticket/4417 Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
* DNSSEC: add ipapk11helper moduleMartin Basti2014-10-218-1/+2306
| | | | | | | | | | | | Tickets: https://fedorahosted.org/freeipa/ticket/3801 https://fedorahosted.org/freeipa/ticket/4417 Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
* DNSSEC: schemaMartin Basti2014-10-215-4/+62
| | | | | | | | | | | | Tickets: https://fedorahosted.org/freeipa/ticket/3801 https://fedorahosted.org/freeipa/ticket/4417 Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
* DNSSEC: dependenciesMartin Basti2014-10-211-2/+13
| | | | | | | | | | | | Tickets: https://fedorahosted.org/freeipa/ticket/3801 https://fedorahosted.org/freeipa/ticket/4417 Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
* Add mask, unmask methods for serviceMartin Basti2014-10-212-0/+59
| | | | | | | This patch allows mask and unmask services in IPA Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
* spec: Bump SSSD requires to 1.12.2Tomas Babej2014-10-211-1/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/3979 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* webui: update combobox input on list clickPetr Vobornik2014-10-211-3/+7
| | | | | | | | Change event of combobox is not triggered when there is only one value. Calling it's handler even for option's 'click' event makes sure that value of input gets always updated. https://fedorahosted.org/freeipa/ticket/4655 Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* webui: do not show closed dialogPetr Vobornik2014-10-211-0/+18
| | | | | | | | | | | | | | Fixes issues when dialog is not removed from `IPA.opened_dialogs` registry when dialog.close() is called while the dialog is not shown, i.e., while other dialog is shown. Without it, the dialog is could be incorrectly displayed. New dialog's property `opened` handles whether dialog is intended to be opened. How to test: Add new host with IP address outside of managed reverse zones to get error 4304. https://fedorahosted.org/freeipa/ticket/4656 Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* extdom: remove unused dependency to libsss_idmapSumit Bose2014-10-212-5/+0
| | | | | | https://fedorahosted.org/freeipa/ticket/3979 Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
generated by cgit (git 2.34.1) at 2024-10-02 13:24:37 +0000