Commit message | Author | Age | Files | Lines
...
* Display the wrong attribute name when mandatory attribute is missing | Thierry Bordaz | 2015-07-02 | 1 | -1/+1
  When activating a stageuser, if 'sn' or 'cn' or 'uid' is missing it displays an error with 'cn'
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* allow deletion of segment if endpoint is not managed | Ludwig Krispenz | 2015-07-02 | 3 | -0/+17
  in the preop check do not reject the deletion of a segment, if not both endpoints are managed servers for the suffix
  this is part of work for ticket #5072
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* DNS: Do not traceback if DNS is not installed | Martin Basti | 2015-07-01 | 1 | -2/+11
  Instead of internal error show 'DNS is not configured' message, when a dns* command is executed.
  https://fedorahosted.org/freeipa/ticket/5017
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* replication: fix regression in get_agreement_type | Petr Vobornik | 2015-07-01 | 1 | -0/+3
  dcb6916a3b0601e33b08e12aeb25357efed6812b introduced a regression where get_agreement_type does not raise NotFound error if an agreement for host does not exist. The exception was swallowed by get_replication_agreement.
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* replica prepare: Do not use entry after disconnecting from LDAP | Jan Cholasta | 2015-07-01 | 1 | -2/+5
  https://fedorahosted.org/freeipa/ticket/3090
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* plugable: Remove unused call method of Plugin | Jan Cholasta | 2015-07-01 | 2 | -28/+0
  https://fedorahosted.org/freeipa/ticket/3090
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* plugable: Specify plugin base classes and modules using API properties | Jan Cholasta | 2015-07-01 | 4 | -18/+36
  https://fedorahosted.org/freeipa/ticket/3090
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* plugable: Change is_production_mode to method of API | Jan Cholasta | 2015-07-01 | 4 | -27/+70
  https://fedorahosted.org/freeipa/ticket/3090
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* plugable: Remove SetProxy, DictProxy and MagicDict | Jan Cholasta | 2015-07-01 | 2 | -280/+0
  https://fedorahosted.org/freeipa/ticket/3090
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* ipaplatform: Do not use MagicDict for KnownServices | Jan Cholasta | 2015-07-01 | 1 | -2/+23
  https://fedorahosted.org/freeipa/ticket/3090
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* plugable: Lock API on finalization rather than on initialization | Jan Cholasta | 2015-07-01 | 1 | -10/+9
  https://fedorahosted.org/freeipa/ticket/3090
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* plugable: Do not use DictProxy for API | Jan Cholasta | 2015-07-01 | 1 | -9/+50
  https://fedorahosted.org/freeipa/ticket/3090
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* plugable: Pass API to plugins on initialization rather than using set_api | Jan Cholasta | 2015-07-01 | 38 | -278/+209
  https://fedorahosted.org/freeipa/ticket/3090
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* plugable: Load plugins only from modules imported by API | Jan Cholasta | 2015-07-01 | 10 | -30/+45
  Previously all plugin modules imported from anywhere were added to the API.
  https://fedorahosted.org/freeipa/ticket/3090
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* plugable: Specify plugins to import in API by module names | Jan Cholasta | 2015-07-01 | 3 | -46/+46
  This change removes the automatic plugins sub-package magic and allows specifying modules in addition to packages.
  https://fedorahosted.org/freeipa/ticket/3090
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* ipalib: Move find_modules_in_dir from util to plugable | Jan Cholasta | 2015-07-01 | 2 | -24/+23
  https://fedorahosted.org/freeipa/ticket/3090
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* ipalib: Load ipaserver plugins when api.env.in_server is True | Jan Cholasta | 2015-07-01 | 16 | -20/+8
  https://fedorahosted.org/freeipa/ticket/3090
  https://fedorahosted.org/freeipa/ticket/5073
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* plugable: Move plugin base class and override logic to API | Jan Cholasta | 2015-07-01 | 5 | -264/+144
  Each API object now maintains its own view of registered plugins. This change removes the need to register plugin base classes.
  This reverts commit 2db741e847c60d712dbc8ee1cd65a978a78eb312.
  https://fedorahosted.org/freeipa/ticket/3090
  https://fedorahosted.org/freeipa/ticket/5073
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* idviews: Remove ID overrides for permanently removed users and groups | Tomas Babej | 2015-07-01 | 3 | -5/+40
  For IPA users and groups we are able to trigger a removal of any relevant ID overrides in user-del and group-del commands.
  https://fedorahosted.org/freeipa/ticket/5026
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Allow users specify the raw anchor directly as identifier | Tomas Babej | 2015-07-01 | 1 | -11/+31
  For various reasons, it can happen that the users or groups that have overrides defined in a given ID view are no longer resolvable.
  Since user and group names are used to specify the ID override objects too by leveraging the respective user's or group's ipaUniqueID, we need to provide a fallback in case these user or group entries no longer exist.
  https://fedorahosted.org/freeipa/ticket/5026
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Set dcerpc detection flag properly | Tomas Babej | 2015-07-01 | 1 | -1/+3
  The availability of dcerpc bindings is being checked on the client side as well, hence we need to define it properly.
  https://fedorahosted.org/freeipa/ticket/5025
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* v2 improve processing of invalid data. | Ludwig Krispenz | 2015-07-01 | 3 | -14/+43
  reject attempts to add segments to suffixes, which do not exist or are not configured.
  check completeness and validity of segment attributes
  cf ticket 5088: https://fedorahosted.org/freeipa/ticket/5088
  Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
* Migrate CA profiles after enabling LDAPProfileSubsystem | Fraser Tweedale | 2015-07-01 | 2 | -29/+112
  After enabling LDAPProfileSubsystem in Dogtag, migrate the file-based profiles into the LDAP database.
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Upgrade CA schema during upgrade | Fraser Tweedale | 2015-07-01 | 2 | -3/+26
  New schema (for LDAP-based profiles) was introduced in Dogtag, but Dogtag does not yet have a reliable method for upgrading its schema. Use FreeIPA's schema update machinery to add the new attributeTypes and objectClasses defined by Dogtag.
  Also update the pki dependencies to 10.2.5, which provides the schema update file.
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNSSEC: Store time & date key metadata in UTC. | Petr Spacek | 2015-07-01 | 1 | -1/+7
  OpenDNSSEC stores key metadata in local time zone but BIND needs timestamps in UTC. UTC will be stored in LDAP.
  https://fedorahosted.org/freeipa/ticket/4657
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Don't rely on positional arguments for python-kerberos calls | Rob Crittenden | 2015-07-01 | 1 | -1/+2
  Upstream PyKerberos uses a different argument ordering than from the patch that Fedora/RHEL was carrying for authGSSClientInit().
  Using named arguments provides forwards and backwards compatibility.
  https://fedorahosted.org/freeipa/ticket/5085
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Sanitize CA replica install | Martin Basti | 2015-06-30 | 1 | -12/+10
  Check if cafile exists first.
  https://fedorahosted.org/freeipa/ticket/4468
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Clear SSSD caches when uninstalling the client | Gabe | 2015-06-30 | 2 | -0/+14
  https://fedorahosted.org/freeipa/ticket/5049
  Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
* increase NSS memcache timeout for IPA server | Martin Babinsky | 2015-06-30 | 1 | -0/+9
  Increasing memcache timeout to 600 seconds when configuring sssd on IPA server should improve performance when dealing with large groups in trusts.
  https://fedorahosted.org/freeipa/ticket/4964
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* v2 clear start attr from segment after initialization | Ludwig Krispenz | 2015-06-30 | 4 | -0/+129
  Online initialization can be triggered by setting "nsds5BeginReplicaRefresh[;left|;right]": start to a segment. But this field remained in the segment and after restart the init would be executed again.
  see Ticket #5065
  To fix this the field is cleared:
  - after a backend comes back online after being initialized
  - since there is a delay and the sending server could be restarted in between, the field is also checked and removed at startup
  Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
* Fix upgrade of HTTPInstance for KDC Proxy | Christian Heimes | 2015-06-29 | 1 | -0/+6
  HTTPInstance needs a LDAP connection for KDC Proxy upgrade. The patch ensures that an admin_conn is available.
  Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
* Fix removal of ipa-kdc-proxy.conf symlink | Christian Heimes | 2015-06-29 | 2 | -2/+2
  installutils.remove_file() ignored broken symlinks. Now it uses os.path.lexists() to detect and also remove dangling symlinks.
  Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
* fix coverity issues | Ludwig Krispenz | 2015-06-29 | 1 | -1/+13
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* ipa-kdb: common function to get key encodings/salt types | Martin Babinsky | 2015-06-29 | 2 | -70/+62
  This patch moves duplicate code in `ipadb_get_connection` to get default and supported key encodings/salt types from Kerberos container to a common function handling this task.
  It is actually a small cosmetic enhancement of the fix of https://fedorahosted.org/freeipa/ticket/4914
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* certprofile: fix doc error | Fraser Tweedale | 2015-06-29 | 1 | -1/+1
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Verify replication topology for a suffix | Petr Vobornik | 2015-06-29 | 4 | -2/+94
  Checks done:
  1. check if the topology is not disconnected. In other words if there are replication paths between all servers.
  2. check if servers don't have more than a recommended number of replication agreements(4)
  https://fedorahosted.org/freeipa/ticket/4302
  Reviewed-By: David Kupka <dkupka@redhat.com>
* topology: check topology in ipa-replica-manage del | Petr Vobornik | 2015-06-29 | 3 | -6/+166
  ipa-replica-manage del now:
  - checks the whole current topology(before deletion), reports issues
  - simulates deletion of server and checks the topology again, reports issues
  Asks admin if he wants to continue with the deletion if any errors are found.
  https://fedorahosted.org/freeipa/ticket/4302
  Reviewed-By: David Kupka <dkupka@redhat.com>
* fix force-sync, re-initialize of replica and a check for replication agreement existence | Petr Vobornik | 2015-06-29 | 2 | -16/+4
  in other words limit usage of `agreement_dn` method only for manipulation and search of agreements which are not managed by topology plugin.
  For other cases it is safer to search for the agreement.
  https://fedorahosted.org/freeipa/ticket/5066
  Reviewed-By: David Kupka <dkupka@redhat.com>
* DNSSEC: Improve ipa-ods-exporter log messages with key metadata. | Petr Spacek | 2015-06-29 | 1 | -1/+1
  https://fedorahosted.org/freeipa/ticket/4657
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNSSEC: Add ability to trigger full data synchronization to ipa-ods-exporter. | Petr Spacek | 2015-06-29 | 1 | -45/+57
  New exporter's command 'ipa-full-update' will resynchronize all zone keys from ODS database to LDAP.
  This command holds database lock for the whole time to avoid race conditions so it should be used only in special cases, e.g. during master server migration.
  https://fedorahosted.org/freeipa/ticket/4657
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNSSEC: log ipa-ods-exporter file lock operations into debug log | Petr Spacek | 2015-06-29 | 1 | -0/+3
  https://fedorahosted.org/freeipa/ticket/4657
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNSSEC: ipa-ods-exporter: move zone synchronization into separate function | Petr Spacek | 2015-06-29 | 1 | -60/+64
  https://fedorahosted.org/freeipa/ticket/4657
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNSSEC: Accept ipa-ods-exporter commands from command line. | Petr Spacek | 2015-06-29 | 1 | -36/+60
  Previously only systemd socket activation was supported. Ability to call the command directly is handy in special cases, e.g. for debugging or moving key master role from one server to another.
  https://fedorahosted.org/freeipa/ticket/4657
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNSSEC: Detect invalid master keys in LDAP. | Petr Spacek | 2015-06-29 | 1 | -0/+1
  This should never happen ...
  https://fedorahosted.org/freeipa/ticket/4657
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* add python-setuptools to requires | Petr Vobornik | 2015-06-29 | 1 | -0/+1
  Commit 9f049ca14403f3696d54d186e6b1b15181f055df introduced dependency on python-setuptools on line:
      from pkg_resources import parse_version
  This dependency is missing on minimal installation and then ipa-server-upgrade fails on rpm install/upgrade.
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Add hint how to re-run IPA upgrade. | Petr Spacek | 2015-06-29 | 1 | -1/+1
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* correct management of one directional segments | Ludwig Krispenz | 2015-06-29 | 5 | -39/+160
  this patch contains the following improvements:
  check for existing segments works for all combinations of one directional and bidirectional segments
  rdns of replication agreements generated from one directional segments are preserved after merging of segments, so that deletion of the segment deletes the corresponding replication agreements
  Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
* User life cycle: permission to delete a preserved user | root | 2015-06-29 | 2 | -0/+12
  Add permission to delete an entry from Delete container
  https://fedorahosted.org/freeipa/ticket/3813
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* upgrade: Raise error when certmonger is not running. | David Kupka | 2015-06-29 | 1 | -0/+3
  Certmonger should be running (should be started on system boot). Either user decided to stop it or it crashed. We should just error out and let user check & fix it.
  https://fedorahosted.org/freeipa/ticket/5080
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Add ACI to allow hosts to add their own services | Rob Crittenden | 2015-06-29 | 2 | -3/+7
  Use wildcards and DN matching in an ACI to allow a host that binds using GSSAPI to add a service for itself.
  Set required version of 389-ds-base to 1.3.4.0 GA.
  https://fedorahosted.org/freeipa/ticket/4567
  Reviewed-By: Martin Basti <mbasti@redhat.com>