| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
| |
When trust is not configured trust-config page is raising an error. Trusts search page won't find anything either -> no use for the pages -> hiding.
https://fedorahosted.org/freeipa/ticket/3333
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3333
|
|
|
|
|
|
|
| |
As find_entry_by_attr no longer adds $SUFFIX to searched base DN,
trustconfig-mod could not find POSIX group to when validating the
new ipantfallbackprimarygroup value. This patch fixes this
regression.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Added flag for each groups type: --posix, --nonposix, --external to group-find command.
Group types:
* non-POSIX: not posix, not external
* POSIX: with objectclass posixgroup
* external: with objectclass ipaexternalgroup
https://fedorahosted.org/freeipa/ticket/3483
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3554
|
|
|
|
|
|
|
|
|
|
|
|
| |
Permission details page was incorrectly evaluated as dirty (update button enabled) right after load when permission type={subtree,filter} and some attrs are set.
Can be reproduced by opening 'Modify Automount maps' permission.
The culprit is that attrs widget is populated and dirty-checked even targets where it doesn't belong.
Fixed by running target_mapping action only for visible targets.
https://fedorahosted.org/freeipa/ticket/3527
|
|
|
|
|
|
|
| |
Find out Kerberos middle version to infer ABI changes in DAL driver.
We cannot load DAL driver into KDC with wrong ABI. This is also needed to
support ipa-devel repository where krb5 1.11 is available for Fedora 18.
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3329
|
|
|
|
|
|
|
|
| |
The CA cert (/etc/ipa/ca.crt) was not being removed
on client uninstall, causing failure on subsequent client
installation in some cases.
https://fedorahosted.org/freeipa/ticket/3537
|
|
|
|
|
|
|
|
|
|
| |
ipa <command> -h only showed the summary string, not the full help.
Use the full docstring. Add a custom help formatter that disables
optparse's reformatting.
Test included
https://fedorahosted.org/freeipa/ticket/3543
|
| |
|
|
|
|
|
|
|
|
|
| |
Extend DNS RR conflict check and forbid DNAME+NS combination unless
it is done in root DNS zone record.
Add tests to verify this enforced check.
https://fedorahosted.org/freeipa/ticket/3449
|
|
|
|
|
|
|
|
|
|
|
| |
Refactor DNS RR conflict validator so that it is better extensible in
the future. Also check that there is only one CNAME defined for
a DNS record.
PTR+CNAME record combination is no longer allowed as we found out it
does not make sense to have this combination.
https://fedorahosted.org/freeipa/ticket/3450
|
|
|
|
|
|
|
|
| |
These DNS attributeTypes are of a singleton type, update LDAP schema
to reflect it.
https://fedorahosted.org/freeipa/ticket/3440
https://fedorahosted.org/freeipa/ticket/3450
|
|
|
|
|
|
|
|
|
| |
Pulls the following fixes:
- upgrade deadlock caused by DNA plugin reconfiguration
- CVE-2013-1897: unintended information exposure when rootdse is
enabled
https://fedorahosted.org/freeipa/ticket/3540
|
|
|
|
|
|
|
|
|
| |
The ipa-replica-install script tries to add replica's A and PTR
records to the master DNS, if master does manage DNS. However,
master need not manage replica's zone. Properly handle this use
case.
https://fedorahosted.org/freeipa/ticket/3496
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3539
|
|
|
|
| |
Part of the work for: https://fedorahosted.org/freeipa/ticket/3363
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3536
|
|
|
|
| |
Part of the work for: https://fedorahosted.org/freeipa/ticket/3363
|
|
|
|
|
|
|
|
|
| |
The CA cert was not loaded, so if it was missing from the PKCS#12 file,
installation would fail.
Pass the cert filename to the server installers and include it in
the NSS DB.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3363
|
|
|
|
|
| |
Design: http://freeipa.org/page/V3/CA-less_install
https://fedorahosted.org/freeipa/ticket/3363
|
| |
|
|
|
|
|
| |
Instead of trusting all certificates with friendly names,
now all certs without a "u" flag are trusted as root certs.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
wrapper
The CertDB class was meant to be a wrapper around NSS databases,
certutil, pk12util, etc. Unfortunately, over time it grew too
dependent on the particular scenarios it is used in.
Introduce a new class that has no knowledge about IPA configuration,
and move generic code to it.
In the future, generic code should be moved to NSSDatabase, code
for the self-signed CA should be removed, and IPA-specific code may
stay in CertDB (which calls NSSDatabase).
|
| |
|
|
|
|
|
|
|
|
|
| |
Instead, certificates in pkcs12 files can be given to set up
IPA with no CA at all.
Use a flag, setup_ca, to signal if a CA is being installed.
Design: http://freeipa.org/page/V3/Drop_selfsign
Part of the work for: https://fedorahosted.org/freeipa/ticket/3494
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
installation
We pass names of files with pkcs12 pins to installers which may continue to
use the files after the initial call to create_instance, at which point
the installer has already removed them.
Also, some of the files were not properly removed on failure.
Use ipautil.write_tmp_file for the pin files, which returns a
NamedTemporaryFile object that removes the underlying file when it is
garbage-collected.
Create the files at start of installation. This will allow checking
the pkcs#12 files before the system is modified.
|
|
|
|
|
|
|
|
|
|
| |
As described on http://www.freeipa.org/page/V3/MultipleTrustServers,
notice if FreeIPA server is a replica and adtrust agents contains members
corresponding to the cifs/ services from replication partners.
Only these servers will be advertised as SMB domain controllers
https://fedorahosted.org/freeipa/ticket/2189
|
|
|
|
|
|
|
|
|
| |
ipakrbauthzdata accepts [null, 'NONE', 'MS-PAC, 'PAD']
New nesting feature of radios/checkboxes was used to handle mutual exclusivity between
['MS-PAC', 'PAD'], 'NONE' and ''.
https://fedorahosted.org/freeipa/ticket/3404
|
|
|
|
|
|
|
|
|
| |
New component: option_widget_base. It's not a regular widget but it share some of its characteristics. It should extend regular widget or it can be nested in itself alone.
checkbox_widget, checkboxes_widget, radio_widget were modified to use it.
Built as a prerequisite for:
https://fedorahosted.org/freeipa/ticket/3404
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3329
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
PASSDB API in Samba adds support for specifying UPN suffixes. The change
in ipasam will allow to pass through list of realm domains as UPN suffixes
so that Active Directory domain controller will be able to recognize
non-primary UPN suffixes as belonging to IPA and properly find our KDC
for cross-realm TGT.
Since Samba already returns primary DNS domain separately, filter it out
from list of UPN suffixes.
Also enclose provider of UPN suffixes into #ifdef to support both
Samba with and without pdb_enum_upn_suffixes().
Part of https://fedorahosted.org/freeipa/ticket/2848
|
|
|
|
|
|
| |
Certificate parsed out of sslget request to pki-ca was not always
properly formatted and it may still contain DOS line ending. Make
sure that the certificate is printed with correct line ending.
|
|
|
|
|
| |
Fedora 19 splitted /var/run and /run directories. Update mod_wsgi
configuration so that it generates its sockets in the right one.
|
|
|
|
|
|
|
|
|
| |
Fedora 19 has splitted /var/run and /run directories while in Fedora
18 it used to be a symlink. Thus, named may expect its PID file to be
in other direct than it really is and fail to start.
Add pid-file configuration option to named.conf both for new
installations and for upgraded machines.
|
|
|
|
|
|
|
|
| |
This required target is no longer needed as systemd from version 38
has its own journal which is also in the basic set of service unit
requirementes.
https://fedorahosted.org/freeipa/ticket/3511
|
|
|
|
|
|
| |
Fix rpm build warnings report in Fedora 19 build.
https://fedorahosted.org/freeipa/ticket/3500
|
|
|
|
|
|
|
|
|
|
|
| |
This patch includes several cleanups needed for Fedora 19 build:
* ipa-kdb is compatible with both krb5 1.10 and 1.11 which contains
an updated DAL interface. Remove the conflict from spec file.
* Fix ipa-ldap-updater call to produce errors only to avoid
cluttering rpm update output
* Remove httpd_conf constant which was not used
https://fedorahosted.org/freeipa/ticket/3502
|
|
|
|
|
|
|
|
| |
cmocka is a more advanced unit test framework for C-code than the
currently used check framework. This patch adds configure checks and
makefile variables so that new unit tests can use cmocka.
Fixes https://fedorahosted.org/freeipa/ticket/3434
|
|
|
|
|
|
|
| |
Add the option to create home directories for users on their
first login to ipa-server-install and ipa-replica-install.
https://fedorahosted.org/freeipa/ticket/3515
|
|
|
|
|
|
| |
The higher version is reported to fix a Fedora 17 to 18 upgrade issue.
https://fedorahosted.org/freeipa/ticket/3399
|
|
|
|
|
|
|
|
|
| |
The following is mentioned in the log now:
- existence of host entry (if it already does exist)
- missing krbprincipalname and its new value (if there was no
principal name set)
https://fedorahosted.org/freeipa/ticket/3481
|
|
|
|
|
|
|
|
|
|
| |
A new option --force-join has been added to ipa-client-install.
It forces the host enrollment even if the host entry exists.
Old certificate is revoked, new certificate and ssh key pair
generated. See the relevant design for the re-enrollment part:
http://freeipa.org/page/V3/Forced_client_re-enrollment
https://fedorahosted.org/freeipa/ticket/3482
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Recent LDAP refactoring replaced entry_attrs regular dict with
normalized keys (i.e. lowercase) with LDAPEntry instance which keys
may not be normalized. This broke CND command output when
--structured and --all options were used.
Force lowercase normalization of the LDAPEntry keys in DNS plugin
structured format postprocessing. Also add a missing test for
DNS record structured output.
https://fedorahosted.org/freeipa/ticket/3526
|
|
|
|
|
|
|
|
| |
Unattended ipa-adtrust-install used to fail if --netbios option
was not provided. This patches fixes this, so that instead of
failing the default NETBIOS name is used.
https://fedorahosted.org/freeipa/ticket/3497
|
|
|
|
|
|
|
|
|
|
| |
The plugin is configured unconditionally (i.e. does not check if
IPA was configured with DNS) as the plugin is needed on all
replicas to prevent objectclass violations due to missing SOA
serial in idnsZone objectclass. The violation could happen if just
one replica configured DNS and added a new zone.
https://fedorahosted.org/freeipa/ticket/3347
|
|
|
|
|
|
|
|
|
| |
Default value "1" is added to replicated idnsZone objects
if idnsSOASerial attribute is missing.
https://fedorahosted.org/freeipa/ticket/3347
Signed-off-by: Petr Spacek <pspacek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There were several problems:
- A cut-n-paste error where the wrong value was being considered when
an account was administratively unlocked.
- An off-by-one error where LDAP got one extra bind attempt.
- krbPwdPolicyReference wasn't being retrieved as a virtual attribute so
only the global_policy was used.
- The lockout duration wasn't examined in the context of too many failed
logins so wasn't being applied properly.
- Lockout duration wasn't used properly so a user was effectively unlocked
when the failure interval expired.
- krbLastFailedAuth and krbLoginFailedCount are no longer updated past
max failures.
https://fedorahosted.org/freeipa/ticket/3433
|