| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
| |
OTP requires to use kerberos FAST channel. Ccache with ticket obtained using ipa.keytab is used as an armor.
https://fedorahosted.org/freeipa/ticket/3369
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3369
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3369
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3369
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3369
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
| |
This patch adds option to define which item of which array attribute of specification object will be replaced by a new value.
The difference between combination of $add and $del is that it keeps position of that item in the array.
|
|
|
|
|
|
|
| |
Boolean object properties can have different default meaning for not defined
value. This patch allows to defined this meaning to `boolean_formatter` by
introduction of `emty_value` property. `boolean_state_evaluator` was modified
to leverage it as well.
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4105
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
This plugin prevents the deletion or deactivation of the last
valid token for a user. This prevents the user from migrating
back to single factor authentication once OTP has been enabled.
Thanks to Mark Reynolds for helping me with this patch.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
C99 is supported on all compilers we target and
provides some useful features, including:
* Standard struct initializers
* Compound literals
* For-loop declarations
* Standard bool type
* Variable arrays (use with caution)
* Too many others to mention...
|
|
|
|
|
|
|
|
|
|
| |
This handles the case where a user is configured for OTP in ipaUserAuthType,
but the user has not yet created any tokens. Until the user creates tokens,
the user should still be able to log in via password. This logic already
exists in LDAP, but ipa-kdb needs to perform the same validation to know
what data to return to the KDC.
https://fedorahosted.org/freeipa/ticket/4154
|
| |
|
|
|
|
|
|
|
|
| |
In the integration tests, we do not stop the sssd service
before deleting the cache, but rather start it. We need
to stop sssd before deleting the cache.
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
|
|
|
|
|
|
|
|
|
| |
When we add the disabledipauser during the setup class part of the
BaseTestLegacyClient, we need to make sure that we re-kinit admin
since we do ntpsync with the AD just before that, which can render
the previous ticket invalid.
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
When the host is down, the preparation of the host fails. This
produces misleading errors, since the test framework reports that
the actual command being executed failed, when in fact (in case
of SSHTransport), the cause of failure was unability to establish
a SSH session.
https://fedorahosted.org/freeipa/ticket/4132
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Adds test cases for legacy client support with IPA that has estabilish
trust with AD that does not leverage POSIX attributes defined on AD.
https://fedorahosted.org/freeipa/ticket/4134
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4158
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
When users with missing default group were searched, IPA suffix was
not passed so these users were searched in a wrong base DN. Thus,
no user was detected and added to default group.
https://fedorahosted.org/freeipa/ticket/4141
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Restoring backup files and restoring their context were two separate commands,
what means that in case we use SSHTrasport, which creates a separate SSH
session for each command, we try to restore the SELinux context of the
changed files in a new session.
This causes problems, if the access to files themselves are necessary
for the creation of the new SSH session.
https://fedorahosted.org/freeipa/ticket/4133
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
All the hosts in the domain have IPA master set as their only
nameserver. However, the IPA master does not create records for
these machines by default. This is not an big issue for clients
or replicas, since those records do get created in other ways,
but external hosts using their internal hostnames will not resolve.
Adds an A record for each host in master's domain.
https://fedorahosted.org/freeipa/ticket/4130
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
The integration test for legacy clients used incorrectly "test group"
instead of "testgroup" as group used on AD for test purposes. This
is inconsistent with the usage of "testuser".
https://fedorahosted.org/freeipa/ticket/4131
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The logging level for these messages was decreaed so that they
do not show up in ipa-advise output.
Reset the log level to INFO and configure ipa-advise to not display
INFO messages from xmlclient by default.
Partially reverts commit efe5a96725d3ddcd05b03a1ca9df5597eee693be
https://fedorahosted.org/freeipa/ticket/4135
Reviewed-By: Tomáš Babej <tbabej@redhat.com>
|
|
|
|
|
|
|
|
|
| |
root_ssh_key_filename
Expand paths beginning with a tilde, such as the default ~/.ssh/id_rsa,
to the home directory.
https://fedorahosted.org/freeipa/ticket/4115
|
|
|
|
|
|
|
|
|
|
|
| |
When ipa-lockout plugin is started during FreeIPA server installation,
the default realm may not be available and plugin should then not end
with failure.
Similarly to other plugins, start in degraded mode in this situation.
Operation is fully restored during the final services restart.
https://fedorahosted.org/freeipa/ticket/4085
|
|
|
|
|
|
|
|
|
|
| |
krbPwdPolicyReference is no longer filled default users. Instead, plugins
fallback to hardcoded global policy reference.
Fix ipa-lockout plugin to fallback to it instead of failing to apply
the policy.
https://fedorahosted.org/freeipa/ticket/4085
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4139
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4139
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4139
|
|
|
|
| |
Tested-by: Timo Aaltonen <tjaalton@ubuntu.com>
|
|
|
|
|
|
|
|
|
| |
The working directory will be provided directly
by bind-dyndb-ldap package.
This partially reverts commit 689382dc833e687d30349b10a8fd7dc740d54d08.
https://fedorahosted.org/freeipa/ticket/3967
|
|
|
|
|
|
| |
This drastically improves performance of retro changelog trimming.
https://fedorahosted.org/freeipa/ticket/3967
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4094
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4094
|
| |
|
|
|
|
| |
Fixes https://fedorahosted.org/freeipa/ticket/4116
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The checks for existing host and existing replication agreement
set a flag that caused an exit() if any of them failed.
Between these checks there was an unrelated check, DNS resolution.
If the host and DNS checks both failed, this made it look like
the DNS check was the cause of failed install. Especially if the user
ignored the DNS check in unattended mode, the output was confusing.
Remove the flag and fail directly.
Do the replication agreement check first; fixing this with
ipa-replica-manage del will also remove the host entry.
Also, use the logger for error messages so they appear in the log
file as well as on the console.
https://fedorahosted.org/freeipa/ticket/3889
|