freeipa.git - FreeIPA project

	Commit message (Collapse)	Author	Age	Files	Lines
*	Support OTP in form based authtestotp	Petr Vobornik	2014-02-11	1	-6/+32
\| \| \| \| \| \|	OTP requires to use kerberos FAST channel. Ccache with ticket obtained using ipa.keytab is used as an armor. https://fedorahosted.org/freeipa/ticket/3369
*	Added QRcode generation to Web UI	Petr Vobornik	2014-02-11	9	-7/+246
\| \| \| \|	https://fedorahosted.org/freeipa/ticket/3369
*	UI for managing user-auth types	Petr Vobornik	2014-02-11	2	-0/+12
\| \| \| \|	https://fedorahosted.org/freeipa/ticket/3369
*	UI for radius proxy	Petr Vobornik	2014-02-11	6	-1/+147
\| \| \| \|	https://fedorahosted.org/freeipa/ticket/3369
*	UI for OTP tokens	Petr Vobornik	2014-02-11	7	-11/+339
\| \| \| \|	https://fedorahosted.org/freeipa/ticket/3369
*	Fix handling of action visibility change in action panel	Petr Vobornik	2014-02-11	1	-0/+18
\|
*	Use general password dialog for host OTP	Petr Vobornik	2014-02-11	1	-136/+16
\|
*	Password Dialog	Petr Vobornik	2014-02-11	4	-1/+351
\|
*	Fixed doc examples in Spec_mod	Petr Vobornik	2014-02-11	1	-1/+3
\|
*	Declarative replacement of array item in specification object	Petr Vobornik	2014-02-11	1	-1/+49
\| \| \| \| \| \|	This patch adds option to define which item of which array attribute of specification object will be replaced by a new value. The difference between combination of $add and $del is that it keeps position of that item in the array.
*	Added empty value meaning to boolean formatter	Petr Vobornik	2014-02-11	2	-4/+20
\| \| \| \| \| \| \|	Boolean object properties can have different default meaning for not defined value. This patch allows to defined this meaning to `boolean_formatter` by introduction of `emty_value` property. `boolean_state_evaluator` was modified to leverage it as well.
*	Teach ipa-pwd-extop to respect global ipaUserAuthType settings	Nathaniel McCallum	2014-02-11	7	-399/+398
\| \| \| \|	https://fedorahosted.org/freeipa/ticket/4105
*	Add OTP sync support to ipa-pwd-extop	Nathaniel McCallum	2014-02-11	9	-970/+373
\|
*	ACIs for HOTP support	Alexander Bokovoy	2014-02-11	3	-2/+4
\|
*	Add HOTP support	Nathaniel McCallum	2014-02-11	5	-19/+64
\|
*	Add OTP last token plugin	Nathaniel McCallum	2014-02-10	8	-0/+235
\| \| \| \| \| \| \| \|	This plugin prevents the deletion or deactivation of the last valid token for a user. This prevents the user from migrating back to single factor authentication once OTP has been enabled. Thanks to Mark Reynolds for helping me with this patch.
*	Add libotp internal library for slapi plugins	Nathaniel McCallum	2014-02-10	8	-0/+970
\|
*	Enable building in C99 mode	Nathaniel McCallum	2014-02-10	3	-3/+3
\| \| \| \| \| \| \| \| \| \| \|	C99 is supported on all compilers we target and provides some useful features, including: * Standard struct initializers * Compound literals * For-loop declarations * Standard bool type * Variable arrays (use with caution) * Too many others to mention...
*	ipa-kdb: validate that an OTP user has tokens	Nathaniel McCallum	2014-02-10	3	-25/+135
\| \| \| \| \| \| \| \| \| \|	This handles the case where a user is configured for OTP in ipaUserAuthType, but the user has not yet created any tokens. Until the user creates tokens, the user should still be able to log in via password. This logic already exists in LDAP, but ipa-kdb needs to perform the same validation to know what data to return to the KDC. https://fedorahosted.org/freeipa/ticket/4154
*	Update ACIs to permit users to add/delete their own tokens	Nathaniel McCallum	2014-02-10	3	-3/+5
\|
*	ipatests: Stop sssd service before deleting the cache	Tomas Babej	2014-02-10	1	-2/+2
\| \| \| \| \| \| \| \|	In the integration tests, we do not stop the sssd service before deleting the cache, but rather start it. We need to stop sssd before deleting the cache. Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
*	ipatests: Make sure we re-kinit as admin before adding the disabledipauser	Tomas Babej	2014-02-10	1	-0/+2
\| \| \| \| \| \| \| \| \|	When we add the disabledipauser during the setup class part of the BaseTestLegacyClient, we need to make sure that we re-kinit admin since we do ntpsync with the AD just before that, which can render the previous ticket invalid. Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
*	ipatests: Perform a connection test before preparing the client	Tomas Babej	2014-02-10	1	-0/+4
\| \| \| \| \| \| \| \| \| \| \| \|	When the host is down, the preparation of the host fails. This produces misleading errors, since the test framework reports that the actual command being executed failed, when in fact (in case of SSHTransport), the cause of failure was unability to establish a SSH session. https://fedorahosted.org/freeipa/ticket/4132 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
*	ipatests: legacy_clients: Test legacy clients with non-posix trust	Tomas Babej	2014-02-10	1	-13/+76
\| \| \| \| \| \| \| \| \|	Adds test cases for legacy client support with IPA that has estabilish trust with AD that does not leverage POSIX attributes defined on AD. https://fedorahosted.org/freeipa/ticket/4134 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
*	Remove sourcehostcategory from the default HBAC rule.	Jan Cholasta	2014-02-06	2	-2/+1
\| \| \| \| \| \|	https://fedorahosted.org/freeipa/ticket/4158 Reviewed-By: Martin Kosek <mkosek@redhat.com>
*	Migration does not add users to default group	Martin Kosek	2014-02-05	1	-7/+10
\| \| \| \| \| \| \| \| \| \|	When users with missing default group were searched, IPA suffix was not passed so these users were searched in a wrong base DN. Thus, no user was detected and added to default group. https://fedorahosted.org/freeipa/ticket/4141 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
*	ipatests: Run restoring backup files and restoring their context in one session	Tomas Babej	2014-02-05	1	-10/+14
\| \| \| \| \| \| \| \| \| \| \| \| \| \|	Restoring backup files and restoring their context were two separate commands, what means that in case we use SSHTrasport, which creates a separate SSH session for each command, we try to restore the SELinux context of the changed files in a new session. This causes problems, if the access to files themselves are necessary for the creation of the new SSH session. https://fedorahosted.org/freeipa/ticket/4133 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
*	ipatests: Add records for all hosts in master's domain	Tomas Babej	2014-02-05	3	-0/+62
\| \| \| \| \| \| \| \| \| \| \| \| \| \|	All the hosts in the domain have IPA master set as their only nameserver. However, the IPA master does not create records for these machines by default. This is not an big issue for clients or replicas, since those records do get created in other ways, but external hosts using their internal hostnames will not resolve. Adds an A record for each host in master's domain. https://fedorahosted.org/freeipa/ticket/4130 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
*	ipatests: test_legacy_clients: Change "test group" to "testgroup"	Tomas Babej	2014-02-05	1	-2/+2
\| \| \| \| \| \| \| \| \| \|	The integration test for legacy clients used incorrectly "test group" instead of "testgroup" as group used on AD for test purposes. This is inconsistent with the usage of "testuser". https://fedorahosted.org/freeipa/ticket/4131 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
*	ipa tool: Print the name of the server we are connecting to with -v	Petr Viktorin	2014-02-05	2	-3/+8
\| \| \| \| \| \| \| \| \| \| \| \| \|	The logging level for these messages was decreaed so that they do not show up in ipa-advise output. Reset the log level to INFO and configure ipa-advise to not display INFO messages from xmlclient by default. Partially reverts commit efe5a96725d3ddcd05b03a1ca9df5597eee693be https://fedorahosted.org/freeipa/ticket/4135 Reviewed-By: Tomáš Babej <tbabej@redhat.com>
*	integration tests OpenSSHTransport: Expand tilde to home in ↵	Petr Viktorin	2014-02-05	1	-1/+2
\| \| \| \| \| \| \| \| \|	root_ssh_key_filename Expand paths beginning with a tilde, such as the default ~/.ssh/id_rsa, to the home directory. https://fedorahosted.org/freeipa/ticket/4115
*	ipa-lockout: do not fail when default realm cannot be read	Martin Kosek	2014-02-04	1	-17/+17
\| \| \| \| \| \| \| \| \| \| \|	When ipa-lockout plugin is started during FreeIPA server installation, the default realm may not be available and plugin should then not end with failure. Similarly to other plugins, start in degraded mode in this situation. Operation is fully restored during the final services restart. https://fedorahosted.org/freeipa/ticket/4085
*	Fallback to global policy in ipa-lockout plugin	Martin Kosek	2014-02-03	1	-0/+34
\| \| \| \| \| \| \| \| \| \|	krbPwdPolicyReference is no longer filled default users. Instead, plugins fallback to hardcoded global policy reference. Fix ipa-lockout plugin to fallback to it instead of failing to apply the policy. https://fedorahosted.org/freeipa/ticket/4085
*	Use reserved domain names for tests	Petr Spacek	2014-01-30	1	-31/+38
\| \| \| \|	https://fedorahosted.org/freeipa/ticket/4139
*	Rename variables in test xmlrpc/dns_plugin	Petr Spacek	2014-01-30	1	-479/+486
\| \| \| \|	https://fedorahosted.org/freeipa/ticket/4139
*	Use private IPv4 addresses for tests	Petr Spacek	2014-01-30	1	-48/+63
\| \| \| \|	https://fedorahosted.org/freeipa/ticket/4139
*	BUILD: Fix portability of NSS in file ipa_pwd.c	Lukas Slebodnik	2014-01-28	3	-5/+8
\| \| \| \|	Tested-by: Timo Aaltonen <tjaalton@ubuntu.com>
*	Remove working directory for bind-dyndb-ldap plugin.	Petr Spacek	2014-01-27	3	-18/+1
\| \| \| \| \| \| \| \| \|	The working directory will be provided directly by bind-dyndb-ldap package. This partially reverts commit 689382dc833e687d30349b10a8fd7dc740d54d08. https://fedorahosted.org/freeipa/ticket/3967
*	Limit memberOf and refInt DS plugins to main IPA suffix.	Petr Spacek	2014-01-27	2	-4/+15
\| \| \| \| \| \|	This drastically improves performance of retro changelog trimming. https://fedorahosted.org/freeipa/ticket/3967
*	Convert remaining frontend code to LDAPEntry API.	Jan Cholasta	2014-01-24	28	-344/+364
\|
*	Raise an exception when legacy LDAP API is used.	Jan Cholasta	2014-01-24	1	-19/+12
\|
*	Convert remaining test code to LDAPEntry API.	Jan Cholasta	2014-01-24	2	-5/+5
\|
*	Convert remaining update code to LDAPEntry API.	Jan Cholasta	2014-01-24	8	-28/+25
\|
*	Convert remaining installer code to LDAPEntry API.	Jan Cholasta	2014-01-24	11	-56/+59
\|
*	Get original entry state from LDAP in LDAPUpdate.	Jan Cholasta	2014-01-24	1	-1/+6
\|
*	ntpconf: remove redundant comment	Martin Kosek	2014-01-24	1	-2/+1
\| \| \| \|	https://fedorahosted.org/freeipa/ticket/4094
*	Fix ntpd config on clients.	Jan Cholasta	2014-01-24	2	-1/+11
\| \| \| \|	https://fedorahosted.org/freeipa/ticket/4094
*	CLDAP: add unit tests for make_netbios_name	Sumit Bose	2014-01-23	2	-0/+87
\|
*	CLDAP: generate NetBIOS name like ipa-adtrust-install does	Sumit Bose	2014-01-23	2	-14/+35
\| \| \| \|	Fixes https://fedorahosted.org/freeipa/ticket/4116
*	ipa-replica-install: Move check for existing host before DNS resolution check	Petr Viktorin	2014-01-23	1	-15/+24
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	The checks for existing host and existing replication agreement set a flag that caused an exit() if any of them failed. Between these checks there was an unrelated check, DNS resolution. If the host and DNS checks both failed, this made it look like the DNS check was the cause of failed install. Especially if the user ignored the DNS check in unattended mode, the output was confusing. Remove the flag and fail directly. Do the replication agreement check first; fixing this with ipa-replica-manage del will also remove the host entry. Also, use the logger for error messages so they appear in the log file as well as on the console. https://fedorahosted.org/freeipa/ticket/3889