...
* Py3: replace tab with space  [Martin Basti, 2015-07-17; 3 files, -5/+5]
    python3 does not allow mixing spaces and tabs

    Reviewed-By: Christian Heimes <cheimes@redhat.com>
* trusts: Check for AD root domain among our trusted domains  [Tomas Babej, 2015-07-17; 1 file, -1/+20]
    Check for the presence of the forest root DNS domain of the AD realm
    among the IPA realm domains prior to establishing the trust.

    This prevents creation of a failing setup, as trusts would not work
    properly in this case.

    https://fedorahosted.org/freeipa/ticket/4799

    Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Allow value 'no' for replica-certify-all attr in abort-clean-ruv subcommand  [Martin Basti, 2015-07-17; 3 files, -3/+4]
    --force option set replica-certify-all to 'no' during abort-clean-ruv
    subcommand

    https://fedorahosted.org/freeipa/ticket/4988

    Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Fix minor typos  [Yuri Chornoivan, 2015-07-17; 10 files, -11/+11]
    <ame> -> <name>
    overriden -> overridden
    ablity -> ability
    enties -> entries
    the the -> the

    https://fedorahosted.org/freeipa/ticket/5109

    Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
    Reviewed-By: Christian Heimes <cheimes@redhat.com>
* sysrestore: copy files instead of moving them to avoid SELinux issues  [Martin Basti, 2015-07-17; 1 file, -2/+6]
    Copying files restores SELinux context.

    https://fedorahosted.org/freeipa/ticket/4923

    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Create server-dns sub-package.  [Petr Spacek, 2015-07-17; 1 file, -15/+35]
    This allows us to automatically pull in package bind-pkcs11 and thus
    create an upgrade path on CentOS 7.1 -> 7.2.

    IPA previously had no requires on BIND packages and these had to be
    installed manually before the first ipa-dns-install run. We need to pull
    the additional bind-pkcs11 package during RPM upgrade, so ipa-dns-install
    cannot help with this.

    https://fedorahosted.org/freeipa/ticket/4058

    Reviewed-By: Jan Cholasta <jcholast@redhat.com>
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* migration: Use api.env variables.  [David Kupka, 2015-07-17; 1 file, -28/+5]
    Use api.env.basedn instead of anonymously accessing LDAP to get base DN.
    Use api.env.basedn instead of searching filesystem for ldapi socket.

    https://fedorahosted.org/freeipa/ticket/4953

    Reviewed-By: Jan Cholasta <jcholast@redhat.com>
    Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Validate adding privilege to a permission  [Martin Basti, 2015-07-17; 2 files, -25/+33]
    Adding a privilege to a permission via the web UI allowed bypassing the
    check and adding a permission with an improper type.

    https://fedorahosted.org/freeipa/ticket/5075

    Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* fix selinuxusermap search for non-admin users  [Martin Basti, 2015-07-16; 1 file, -1/+1]
    Remove nonexistent attribute 'hostmembergroup' that is not in ACI nor
    schema.

    Related to https://fedorahosted.org/freeipa/ticket/5130

    Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* fix hbac rule search for non-admin users  [Petr Vobornik, 2015-07-16; 1 file, -1/+1]
    hbacrule has in its default attributes (which are used in search) the
    attribute 'memberhostgroup'. This attr is not in ACI nor in schema.

    If the search contains an attribute which can't be read then the search
    won't return anything. Therefore all searches with a filter set fail.

    https://fedorahosted.org/freeipa/ticket/5130

    Reviewed-By: Martin Basti <mbasti@redhat.com>
* ipa-ca-install: print more specific errors when CA is already installed  [Martin Babinsky, 2015-07-16; 1 file, -2/+10]
    This patch implements more thorough checking for already installed CAs
    during standalone CA installation using ipa-ca-install. The installer
    now differentiates between a CA that is already installed locally and a
    CA installed on one or more masters in the topology, and prints an
    appropriate error message.

    https://fedorahosted.org/freeipa/ticket/4492

    Reviewed-By: Martin Basti <mbasti@redhat.com>
* webui: fix user reset password dialog  [Petr Vobornik, 2015-07-16; 2 files, -3/+3]
    Could not open user password dialog.

    Regression introduced in ed78dcfa3acde7aeb1f381f49988c6911c5277ee

    https://fedorahosted.org/freeipa/ticket/5131

    Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fix selinux denial during kdcproxy user creation  [Christian Heimes, 2015-07-16; 1 file, -1/+3]
    The home directory of the kdcproxy user is now properly owned by the
    package and no longer created by useradd.

    https://fedorahosted.org/freeipa/ticket/5135

    Reviewed-By: Tomas Babej <tbabej@redhat.com>
* oddjob: avoid chown keytab to sssd if sssd user does not exist  [Alexander Bokovoy, 2015-07-16; 1 file, -2/+7]
    If the sssd user does not exist, it means SSSD does not run as the sssd
    user. Currently SSSD has a too tight check for keytab permissions and
    ownership. It assumes the keytab has to be owned by the same user it
    runs under and has to have 0600 permissions.

    ipa-getkeytab creates the file with the right permissions and
    'root:root' ownership.

    Jakub Hrozek promised to enhance the SSSD keytab permissions check so
    that both sssd:sssd and root:root ownership is possible, and then when
    SSSD switches to the 'sssd' user, the former becomes the default.

    Since right now SSSD 1.13 is capable of running as the 'sssd' user but
    doesn't create the 'sssd' user in Fedora 22 / RHEL 7 environments, we
    can use its presence as a version trigger.

    https://fedorahosted.org/freeipa/ticket/5136

    Reviewed-By: Tomas Babej <tbabej@redhat.com>
* selinux: enable httpd_run_ipa to allow communicating with oddjobd services  [Alexander Bokovoy, 2015-07-16; 2 files, -1/+2]
    A new SELinux policy allows communication between the IPA framework
    running under Apache and oddjobd-based services via DBus. This
    communication is crucial for one-way trust support and is also required
    for any out-of-band tools which may be executed by the IPA framework.

    Details of out-of-band communication and the SELinux policy can be found
    in a bug https://bugzilla.redhat.com/show_bug.cgi?id=1238165

    Reviewed-By: Tomas Babej <tbabej@redhat.com>
* do not import memcache on client  [Petr Vobornik, 2015-07-16; 1 file, -2/+4]
    Fixes regression caused by cd3ca94ff2ef738cb3a9eae502193413058f976d,
    which caused:
    * client installation failure (missing memcache)
    * invalid warning in CLI on server

    https://fedorahosted.org/freeipa/ticket/5133

    Reviewed-By: Tomas Babej <tbabej@redhat.com>
* spec file: Update minimum required version of krb5  [Jan Cholasta, 2015-07-15; 1 file, -2/+4]
    Automatically require the krb5 version used at build time.

    https://fedorahosted.org/freeipa/ticket/5132

    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* spec file: Move /etc/ipa/kdcproxy to the server subpackage  [Jan Cholasta, 2015-07-15; 1 file, -1/+1]
    The directory was in the python subpackage, but that broke client-only
    build. We don't want the directory to be installed on clients anyway,
    since it is part of a server-side feature.

    Reviewed-By: Christian Heimes <cheimes@redhat.com>
* copy-schema-to-ca: allow to overwrite schema files  [Martin Basti, 2015-07-15; 1 file, -3/+26]
    If the content of the source and target file differs, the script will
    ask the user for permission to overwrite the target file.

    https://fedorahosted.org/freeipa/ticket/5034

    Reviewed-By: David Kupka <dkupka@redhat.com>
* stageuser-activate: show username instead of DN  [Martin Basti, 2015-07-15; 1 file, -2/+3]
    If the activated user already exists, show the name of this user in the
    error message instead of the user DN.

    Error message reworded to keep the same format as stageuser-add,
    user-add.

    https://fedorahosted.org/freeipa/ticket/5038

    Reviewed-By: David Kupka <dkupka@redhat.com>
* Replace file() with open()  [Christian Heimes, 2015-07-14; 1 file, -6/+4]
    The open() function is the recommended way to open a file. In Python 3
    the file type is gone, but open() still works the same.

    The patch is related to https://fedorahosted.org/freeipa/ticket/5127

    Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Remove tuple unpacking from except clause ipaserver/dcerpc.py  [Christian Heimes, 2015-07-14; 1 file, -6/+12]
    Python 3 doesn't support tuple unpacking in except clauses. All implicit
    tuple unpackings have been replaced with explicit unpacking of e.args.

    https://fedorahosted.org/freeipa/ticket/5120

    Reviewed-By: Tomas Babej <tbabej@redhat.com>
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Remove tuple unpacking from except clause ipalib/plugins/hbactest.py  [Christian Heimes, 2015-07-14; 1 file, -3/+4]
    Python 3 doesn't support tuple unpacking in except clauses. All implicit
    tuple unpackings have been replaced with explicit unpacking of e.args.

    https://fedorahosted.org/freeipa/ticket/5120

    Reviewed-By: Tomas Babej <tbabej@redhat.com>
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Remove tuple unpacking from except clause ipa-client/ipaclient/ipachangeconf.py  [Christian Heimes, 2015-07-14; 1 file, -2/+2]
    Python 3 doesn't support tuple unpacking in except clauses. All implicit
    tuple unpackings have been replaced with explicit unpacking of e.args.

    https://fedorahosted.org/freeipa/ticket/5120

    Reviewed-By: Tomas Babej <tbabej@redhat.com>
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Remove tuple unpacking from except clause contrib/RHEL4/ipachangeconf.py  [Christian Heimes, 2015-07-14; 1 file, -2/+2]
    Python 3 doesn't support tuple unpacking in except clauses. All implicit
    tuple unpackings have been replaced with explicit unpacking of e.args.

    https://fedorahosted.org/freeipa/ticket/5120

    Reviewed-By: Tomas Babej <tbabej@redhat.com>
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
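The four "Remove tuple unpacking from except clause" commits above all apply the same conversion. The following is an added illustration written for this page, not code from FreeIPA: it shows the Python 3 form of the pattern and why the replacement has to guard the length of e.args (an OSError raised by the runtime carries (errno, strerror), but an exception constructed by hand may carry a single message or nothing). The file path used by read_optional is a constructed example.

```python
# Added example, not FreeIPA code. Python 3 rejects the Python 2 spelling
#     except IOError, (num, msg):
# with a SyntaxError at compile time, so a module containing it cannot even
# be imported. The Python 3 replacement binds the exception and unpacks
# e.args explicitly; the helper below guards against args that are not a
# 2-tuple, which a bare `num, msg = e.args` would turn into a ValueError.
import errno


def describe_oserror(exc):
    """Return (errno, message) for an exception, tolerating short args.

    An OSError/IOError raised by the runtime carries (errno, strerror);
    one constructed by hand may carry a single message or no args at all.
    """
    args = exc.args
    if len(args) >= 2:
        return args[0], args[1]
    if len(args) == 1:
        return None, args[0]
    return None, str(exc)


def read_optional(path):
    """Read a file that may legitimately be absent.

    Returns None for ENOENT and re-raises every other error, which is the
    shape of the handlers the commits above convert from Python 2 syntax.
    """
    try:
        with open(path) as f:
            return f.read()
    except IOError as e:                      # Python 3 form: no tuple here
        num, _msg = describe_oserror(e)       # explicit unpack of e.args
        if num == errno.ENOENT:
            return None
        raise


if __name__ == "__main__":
    # constructed path that does not exist
    print(read_optional("/nonexistent-constructed-path-5120/file"))
```

On Python 3 the exception also exposes e.errno and e.strerror directly, which is the more readable choice for new code; the commits keep e.args because the same source still had to run under Python 2.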
* spec file: update the python package names for libipa_hbac and libsss_nss_idmap  [Milan Kubík, 2015-07-14; 1 file, -3/+3]
    Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Fix DNS records installation for replicas  [Simo Sorce, 2015-07-14; 1 file, -3/+3]
    Ticket: https://fedorahosted.org/freeipa/ticket/5116

    Signed-off-by: Simo Sorce <simo@redhat.com>
    Reviewed-By: Martin Basti <mbasti@redhat.com>
* Start dirsrv for kdcproxy upgrade  [Christian Heimes, 2015-07-14; 1 file, -16/+19]
    The kdcproxy upgrade step in ipa-server-upgrade needs a running dirsrv
    instance. Under some circumstances the dirsrv isn't running. The patch
    rearranges some upgrade steps and starts DS before enable_kdcproxy().

    https://fedorahosted.org/freeipa/ticket/5113

    Reviewed-By: Martin Basti <mbasti@redhat.com>
* Revert "Hide topology and domainlevel features"  [Tomas Babej, 2015-07-10; 6 files, -20/+5]
    This reverts commit 62e8002bc43ddd890c3db35a123cb7daf35e3121.

    Hiding of the topology and domainlevel features was necessary for the
    4.2 branch only.

    Reviewed-By: Simo Sorce <ssorce@redhat.com>
* ipalib: pass api instance into textui in doctest snippets  [Milan Kubík, 2015-07-10; 1 file, -12/+13]
    Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipalib: Fix missing format for InvalidDomainLevelError  [Tomas Babej, 2015-07-10; 1 file, -0/+1]
    Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Prevent renaming certprofile profile id  [Martin Basti, 2015-07-10; 1 file, -0/+3]
    https://fedorahosted.org/freeipa/ticket/5074

    Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Bump 4.3 development version to 4.2.90  [Petr Vobornik, 2015-07-09; 1 file, -1/+1]
    Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Become IPA 4.2.0  [Petr Vobornik, 2015-07-09; 1 file, -1/+1]
* fix error message when certificate CN is invalid  [Petr Vobornik, 2015-07-09; 1 file, -3/+1]
    The error message was probably copied from the mail address check below.

    Reviewed-By: David Kupka <dkupka@redhat.com>
* webui: remove cert manipulation actions from host and service  [Petr Vobornik, 2015-07-09; 2 files, -16/+4]
    Remove
    * cert_view
    * cert_get
    * cert_revoke
    * cert_restore

    These actions require a serial number, which is not provided to the
    Web UI if multiple certificates are present.

    Reviewed-By: Martin Basti <mbasti@redhat.com>
* webui: show multiple cert  [Petr Vobornik, 2015-07-09; 7 files, -6/+116]
    New certificate widget which replaced the certificate status widget.
    It can display multiple certs. The drawback is that it cannot display
    whether the certificate was revoked. The Web UI does not have the
    information.

    part of: https://fedorahosted.org/freeipa/ticket/5045

    Reviewed-By: Martin Basti <mbasti@redhat.com>
* webui: cert-request improvements  [Petr Vobornik, 2015-07-09; 6 files, -34/+168]
    Certificate request action and dialog now support the 'profile_id',
    'add' and 'principal' options.

    'add' and 'principal' are displayed only if the certificate is added
    from the certificate search facet.

    Certificate search facet allows to add a certificate.
    User details facet allows to add a certificate.

    part of https://fedorahosted.org/freeipa/ticket/5046

    Reviewed-By: Martin Basti <mbasti@redhat.com>
* move session_logout command to ipalib/plugins directory  [Petr Vobornik, 2015-07-08; 4 files, -31/+37]
    API refactoring caused the session_logout command not to be registered.
    Commands in the ipalib/plugins directory are automatically registered.

    Reviewed-By: Martin Basti <mbasti@redhat.com>
* upgrade: Enable and start oddjobd if adtrust is available  [Tomas Babej, 2015-07-08; 2 files, -0/+25]
    If ipa-adtrust-install has already been run on the system, enable and
    start the oddjobd service.

    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* adtrustinstance: Enable and start oddjobd  [Tomas Babej, 2015-07-08; 2 files, -0/+30]
    Enable and start the oddjobd service as part of ipa-adtrust-install for
    new IPA installations.

    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* cert-request: enforce caacl for principals in SAN  [Fraser Tweedale, 2015-07-08; 1 file, -17/+25]
    cert-request currently does not enforce caacls for principals included
    in the subjectAltName requestExtension. Enforce for any dNSName values
    recognised as hosts/services known to FreeIPA.

    Fixes: https://fedorahosted.org/freeipa/ticket/5096

    Reviewed-By: David Kupka <dkupka@redhat.com>
* caacl: fix incorrect construction of HbacRequest for hosts  [Fraser Tweedale, 2015-07-08; 1 file, -3/+4]
    The _acl_make_request function is using the 'host/' prefix itself
    instead of the hostname after it. Use split_any_principal to do the
    splitting correctly, also taking the realm into account.

    Reviewed-By: David Kupka <dkupka@redhat.com>
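The two caacl commits above (enforcing the CA ACL for SAN dNSName values, and evaluating a host principal by its hostname rather than its 'host/' prefix) describe one access-control decision. The following is an added example written for this page, not FreeIPA's own caacl plugin: the realm, the host inventory, the ACL table and the request are constructed, and the ACL is a plain profile-to-hosts mapping rather than the HBAC-style rules FreeIPA stores in LDAP. What it demonstrates is the splitting of principals into (service, name, realm) and the extension of the check from the subject principal to every SAN dNSName that names a known host.

```python
# Added example, not FreeIPA code. Constructed realm, hosts and ACL table;
# the real caacl plugin evaluates HBAC-style rules from LDAP.
DEFAULT_REALM = "EXAMPLE.TEST"          # assumption for unqualified names

# constructed: hosts enrolled in this (fictional) IPA domain
KNOWN_HOSTS = {"web1.example.test", "web2.example.test"}

# constructed: profile id -> hostnames allowed to request certs with it
CAACLS = {"caIPAserviceCert": {"web1.example.test"}}


def split_any_principal(principal):
    """Split a Kerberos principal into (service, name, realm).

    'host/web1.example.test@EXAMPLE.TEST' -> ('host', 'web1.example.test', 'EXAMPLE.TEST')
    'admin@EXAMPLE.TEST'                  -> (None, 'admin', 'EXAMPLE.TEST')
    A missing realm yields realm None; a user principal yields service None.
    """
    realm = None
    if "@" in principal:
        principal, realm = principal.rsplit("@", 1)
    if "/" in principal:
        service, name = principal.split("/", 1)
    else:
        service, name = None, principal
    return service, name, realm


def caacl_denied(principal, san_dnsnames, profile_id,
                 known_hosts=KNOWN_HOSTS, caacls=CAACLS):
    """Return the principals that the ACL for profile_id does not permit.

    The subject principal is always checked. Each SAN dNSName that maps to
    a known host is checked as that host's 'host/' principal; names the
    server does not know are left to other validation, matching the scope
    the commit message gives. An empty list means the request may proceed.
    """
    _service, name, realm = split_any_principal(principal)
    realm = realm or DEFAULT_REALM
    allowed = caacls.get(profile_id, set())
    denied = []
    # The bug the second commit fixes: matching principal.split('/')[0]
    # ('host') against the ACL instead of the hostname after the slash.
    if name not in allowed:
        denied.append(principal)
    for dns in san_dnsnames:
        host = dns.rstrip(".").lower()      # normalise trailing dot and case
        if host in known_hosts and host not in allowed:
            denied.append("host/%s@%s" % (host, realm))
    return denied


if __name__ == "__main__":
    # constructed request: web1 asks for a cert that also names web2 in SAN
    print(caacl_denied("host/web1.example.test@EXAMPLE.TEST",
                       ["web1.example.test", "web2.example.test"],
                       "caIPAserviceCert"))
```

The point of the SAN loop is that a host allowed to use a profile for itself must not be able to obtain, through the SAN, a certificate that is also valid for a host the ACL does not grant it.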
* webui: hide facet tab in certificate details facet  [Petr Vobornik, 2015-07-08; 1 file, -0/+1]
    Reviewed-By: Martin Basti <mbasti@redhat.com>
* webui: caacl  [Petr Vobornik, 2015-07-08; 7 files, -1/+414]
    Reviewed-By: Martin Basti <mbasti@redhat.com>
* webui: certificate profiles  [Petr Vobornik, 2015-07-08; 5 files, -1/+117]
    Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fix logging in API  [Martin Basti, 2015-07-08; 1 file, -2/+2]
    Set up log in API before first usage

    Reviewed-By: Tomas Babej <tbabej@redhat.com>
* spec file: Update minimal versions of required packages  [Jan Cholasta, 2015-07-08; 1 file, -8/+4]
    https://fedorahosted.org/freeipa/ticket/5103

    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Upgrade: Do not show upgrade failed message when IPA is not installed  [Martin Basti, 2015-07-08; 2 files, -1/+6]
    Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipalib: Fix skip_version_check option  [Jan Cholasta, 2015-07-08; 3 files, -9/+9]
    This reverts commit ea7f392bb98c1f1c4558ec5d6e84ee7a7c613474.

    The option can be either set in IPA config file or specified as
    'ipa -e skip_version_check=1 [COMMAND]'.

    https://fedorahosted.org/freeipa/ticket/4768

    Reviewed-By: Martin Basti <mbasti@redhat.com>