summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Add verification of the AD trustAlexander Bokovoy2012-09-172-8/+35
| | | | | | | | | | Since we only can perform verification when AD admin credentials are available, report that trust should be verified from the AD side in other cases, including unsuccessful verification. Once trust is added, status of it is never stored anywhere. https://fedorahosted.org/freeipa/ticket/2763
* Only stop the main DS instance when upgrading itPetr Viktorin2012-09-171-5/+10
| | | | | | | | | | | | | | We've been stopping both DS instances (main and PKI) when upgrading. This can happen while the CA is running. In some cases stopping the PKI DS also killed the CA. Only stop the specific instance for upgrades. Also, wait for open ports after the upgrade is complete. The wait was skipped previously. This can prevent bugs if scripts that need a DS are run after the upgrade. https://fedorahosted.org/freeipa/ticket/3083
* Use Dogtag 10 only when it is availablePetr Viktorin2012-09-1724-137/+515
| | | | | | | | | | | Put the changes from Ade's dogtag 10 patch into namespaced constants in dogtag.py, which are then referenced in the code. Make ipaserver.install.CAInstance use the service name specified in the configuration. Uninstallation, where config is removed before CA uninstall, also uses the (previously) configured value. This and Ade's patch address https://fedorahosted.org/freeipa/ticket/2846
* Modifications to install scripts for dogtag 10Ade Lee2012-09-1720-239/+224
| | | | | | | Dogtag 10 uses a new installer, new directory layout and new default ports. This patch changes the ipa install code to integrate these changes. https://fedorahosted.org/freeipa/ticket/2846
* Properly convert DN in ipa-client-installMartin Kosek2012-09-181-1/+1
| | | | | | | | | | | ipa-client-install crashed when IPA server anonymous access was disabled and base DN was thus generated via realm_to_suffix function which, however, returns a DN object and not string. DN was converted to string, ipa-client-install no longer crashes in this scenario. https://fedorahosted.org/freeipa/ticket/3088
* Fix various typos.Yuri Chornoivan2012-09-1821-30/+30
| | | | https://fedorahosted.org/freeipa/ticket/3089
* When deleting a master, try to prevent orphaning other servers.Rob Crittenden2012-09-172-1/+98
| | | | | | | | | | | | | | | | | If you have a replication topology like A <-> B <-> C and you try to delete server B that will leave A and C orphaned. It may also prevent re-installation of a new master on B because the cn=masters entry for it probably still exists on at least one of the other masters. Check on each master that it connects to to ensure that it isn't the last link, and fail if it is. If any of the masters are not up then warn that this could be a bad thing but let the user continue if they want. Add a new option to the del command, --cleanup, which runs the replica_cleanup() routine to completely clean up references to a master. https://fedorahosted.org/freeipa/ticket/2797
* Run the CLEANALLRUV task when deleting a replication agreement.Rob Crittenden2012-09-177-30/+343
| | | | | | | | | | | | This adds two new commands to ipa-replica-manage: list-ruv & clean-ruv list-ruv can be use to list the update vectors the master has configugured clean-ruv can be used to fire off the CLEANRUV task to remove a replication vector. It should be used with caution. https://fedorahosted.org/freeipa/ticket/2303
* Expand Referential Integrity checksMartin Kosek2012-09-1610-5/+445
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Many attributes in IPA (e.g. manager, memberuser, managedby, ...) are used to store DNs of linked objects in IPA (users, hosts, sudo commands, etc.). However, when the linked objects is deleted or renamed, the attribute pointing to it stays with the objects and thus may create a dangling link causing issues in client software reading the data. Directory Server has a plugin to enforce referential integrity (RI) by checking DEL and MODRDN operations and updating affected links. It was already used for manager and secretary attributes and should be expanded for the missing attributes to avoid dangling links. As a prerequisite, all attributes checked for RI must have pres and eq indexes to avoid performance issues. Thus, the following indexes are added: * manager (pres index only) * secretary (pres index only) * memberHost * memberUser * sourcehost * memberservice * managedby * memberallowcmd * memberdenycmd * ipasudorunas * ipasudorunasgroup Referential Integrity plugin is updated to enforce RI for all these attributes. Unit tests covering RI checks for all these attributes were added as well. Note: this update will only fix RI on one master as RI plugin does not check replicated operations. https://fedorahosted.org/freeipa/ticket/2866
* Run index task in ldap updater only when neededMartin Kosek2012-09-161-6/+9
| | | | | | | | | | | | | When LDAP updater detected an update instruction in indexing tree, it run an indexing task and waited until it ends. However, the task was run regardless of the update instruction result. This lead to unnecessary index tasks being defined and waited for which makes the whole LDAP last longer. Execute indexing task only when an index add/update instruction is successful. https://fedorahosted.org/freeipa/ticket/2866
* Amend memberAllowCmd and memberDenyCmd attribute typesMartin Kosek2012-09-162-2/+4
| | | | | | | | | | | Attribute types of attributes designed to hold DN values are not supposed to hold own ORDERING or SUBSTR matching rules (which were even not correct in this case). Update these attributes to only define an EQUALITY rule just like other DN attribute types in IPA. https://fedorahosted.org/freeipa/ticket/2866
* Add attributeTypes to safe schema updaterMartin Kosek2012-09-161-29/+39
| | | | | | | | | | | AttributeType updates are sensitive to case, whitespace or X-ORIGIN mismatch just like ObjectClass attribute which is already being normalized before an update value is compared with update instructions. Expand safe schema updater routine to cover both ObjectClasses and AttributeTypes updates. https://fedorahosted.org/freeipa/ticket/2440
* Fix addattr internal errorMartin Kosek2012-09-162-1/+21
| | | | | | | | | | | When ADD command is being executed and a single-value object attribute is being set with both option and addattr IPA ends up in an internal error. Make better value sanitizing job in this case and let IPA throw a user-friendly error. Unit test exercising this situation is added. https://fedorahosted.org/freeipa/ticket/2429
* ipasam: Fixes build with samba4 rc1Sumit Bose2012-09-142-11/+14
|
* Update the pot file (translation source)Petr Viktorin2012-09-121-1433/+2004
| | | | Generated by running `make update-pot` in install/po
* JSON serialization of long typePetr Vobornik2012-09-131-1/+1
| | | | | | Numbers of long type were incorrectly serialized to JSON as empty strings when using json_serialize function. It caused problem in serialization of metadata for Web UI. This patch is fixing it. Discovered after "Cast DNS SOA serial maximum boundary to long"
* Add --no-ssh option to ipa-client-install to disable OpenSSH client ↵Jan Cholasta2012-09-136-32/+63
| | | | | | | | | configuration. If both --no-ssh and --no-sshd are specified, do not configure the SSH service in SSSD. ticket 3070
* Add the SSH service to SSSD config file before trying to activate it.Jan Cholasta2012-09-131-2/+6
| | | | ticket 3069
* Use temporary key cache for host key in server installationPetr Viktorin2012-09-131-1/+2
| | | | This fixes an oversight in the earlier patch
* Set SELinux default context to unconfined_u:s0-s0:c0.c1023Rob Crittenden2012-09-133-5/+8
| | | | | | | Don't require ipaselinuxdefaultuser to be set. If this is unset then SSSD will use the system default. https://fedorahosted.org/freeipa/ticket/3045
* Make sure selinuxusemap behaves consistently to HBAC ruleTomas Babej2012-09-122-18/+237
| | | | | | | | | Both selinuxusermap-add and selinuxusermap-mod commands now behave consistently in not allowing user/host category or user/host members and HBAC rule being set at the same time. Also adds a bunch of unit tests that check this behaviour. https://fedorahosted.org/freeipa/ticket/2983
* Fix server installationPetr Viktorin2012-09-111-2/+10
| | | | | The fix to ticket #2982 removed a kinit call when the client was installed as part of a master. Re-add the kinit call in this case.
* Prevent opening of multiple dirty dialogs on navigationPetr Vobornik2012-09-121-0/+5
| | | | | | | | Facets which performs AJAX call after update refresh (clear dirty state) after calling callback of dirty dialog. It might lead to multiple openings of dirty dialog. Assuming that calling dirty dialog's callback can be evaluated as "dirty state is gone", we can call reset in the callback to prevent the issue. There will be an incorrect state in the facet for a moment. It will be fixed soon on execute of callback of the refresh AJAX call. It is not an issue because it will happen in background. User will be looking on different facet. https://fedorahosted.org/freeipa/ticket/2667
* ipa-client-install: Obtain host TGT from one specific KDCPetr Viktorin2012-09-101-15/+39
| | | | | | | | | | | | | | | | When clients install, they use kinit to obtain a TGT, which uses DNS to find the KDC to connect to. It might happen that the newly created principal has not replicated to selected KDC yet, making kinit fail and aborting the install. The client sets a temporary krb5 config file while installing via $KRB5_CONFIG. Modify this file so that the kerberos library only uses the specific server we're installing under, and call kinit while it's still in place. Clean up the configure_krb5_conf function to remove unused arguments. For clarity, use keyword arguments when calling it. https://fedorahosted.org/freeipa/ticket/2982
* Reflect API change of SSH store in Web UIPetr Vobornik2012-09-065-19/+11
| | | | | | | | Format of ipasshpubkey in users and hosts changed from BYTES to STR. Web UI no longer gets the value as base64 encoded string in a object. Label was changed to reflect that the key don't have to be plain base64 encoded blob. https://fedorahosted.org/freeipa/ticket/2989
* Use OpenSSH-style public keys as the preferred format of SSH public keys.Jan Cholasta2012-09-0612-90/+464
| | | | | | | | | | | | | | | Public keys in the old format (raw RFC 4253 blob) are automatically converted to OpenSSH-style public keys. OpenSSH-style public keys are now stored in LDAP. Changed sshpubkeyfp to be an output parameter, as that is what it actually is. Allow parameter normalizers to be used on values of any type, not just unicode, so that public key blobs (which are str) can be normalized to OpenSSH-style public keys. ticket 2932, 2935
* Fix some restart script issues found with certificate renewal.Rob Crittenden2012-09-063-1/+20
| | | | | | | | | | | | | | The restart_dirsrv script wasn't initializing the api so the startup_timeout wasn't available. The subsystemCert cert-pki-ca definition was missing so we didn't know which certificate to update in CS.cfg. Add some documentation and a pause between restarts for the renew_ca_cert script so that when the CA subsystem certs are renewed they don't all try to restart the CA at the same time. https://fedorahosted.org/freeipa/ticket/3006
* Trust CLI: mark trust-mod for future useSumit Bose2012-09-071-1/+6
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/2968
* Trust CLI: return more details of added trustSumit Bose2012-09-071-0/+11
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/2971
* Trust CLI: Return more details when searching trustsSumit Bose2012-09-071-0/+13
| | | | Fixes https://fedorahosted.org/freeipa/ticket/2970
* Do not create trust if murmur hash is not available and base-id not givenSumit Bose2012-09-071-6/+5
| | | | Fixes https://fedorahosted.org/freeipa/ticket/3018
* IDRange CLI: Add documentationSumit Bose2012-09-071-2/+127
| | | | Fixes https://fedorahosted.org/freeipa/ticket/2969
* IDRange CLI: allow to work without argumentsSumit Bose2012-09-072-7/+17
| | | | Fixes https://fedorahosted.org/freeipa/ticket/2999
* Rename range CLI to idrangeSumit Bose2012-09-0719-154/+154
|
* Cast DNS SOA serial maximum boundary to longMartin Kosek2012-09-072-4/+4
| | | | | | This will fix i386 builds where the SOA serial value written in API.txt was already of a long type while on x86_64 it was still of an int type.
* Update DNS zone allow-query validation testMartin Kosek2012-09-071-2/+2
| | | | | localhost and localnets ACIs are now allowed. Update the respective unit test.
* Set the e-mail attribute using the default domain name by defaultRob Crittenden2012-09-0710-7/+58
| | | | https://fedorahosted.org/freeipa/ticket/2810
* Add version to replica prepare file, prevent installing to older versionRob Crittenden2012-09-075-7/+21
|
* Add range safety check for range_mod and range_delMartin Kosek2012-09-062-7/+225
| | | | | | | | | | | | | range_mod and range_del command could easily create objects with ID which is suddenly out of specified range. This could cause issues in trust scenarios where range objects are used for computation of remote IDs. Add validator for both commands to check if there is any object with ID in the range which would become out-of-range as a pre_callback. Also add unit tests testing this new validator. https://fedorahosted.org/freeipa/ticket/2919
* Update of confirmation of actionsPetr Vobornik2012-09-066-10/+105
| | | | | | | | | | | This patch is changing confirmation of actions according to ticket #3035, see the ticket description. It does following changes: * Confirmation of update action was removed. * Action lists resets to first action (which is usually a NOP: '-- select action --') on change of displayed entry. * New confirmation dialog was implemented. It is used for action confirmation. It is used in IPA.action to replace the call of window.confirm(message). The old call is a modal window which blocks all JS functionality and has different style than other dialogs in Web UI. The new one has same design and doesn't block background operations. https://fedorahosted.org/freeipa/ticket/3035
* Set minimum of 389-ds-base to 1.2.11.8 to pick up cache warning.Rob Crittenden2012-09-051-1/+5
| | | | | | | If the DB is bigger than nsslapd-cachememsize then a warning will be logged by 389-ds-base. https://fedorahosted.org/freeipa/ticket/2739
* Fix DNS SOA serial parameters boundariesMartin Kosek2012-09-064-20/+52
| | | | | | | Set correct boundaries for DNS SOA serial parameters (see RFC 1035, 2181). https://fedorahosted.org/freeipa/ticket/2568
* Transfer long numbers over XMLRPCMartin Kosek2012-09-062-8/+11
| | | | | | | | | | | | Numeric parameters in ipalib were limited by XMLRPC boundaries for integer (2^31-1) which is too low for some LDAP attributes like DNS SOA serial field. Transfer numbers which are not in XMLRPC boundary as a string and not as a number to workaround this limitation. Int parameter had to be updated to also accept Python's long type as valid int type. https://fedorahosted.org/freeipa/ticket/2568
* Support the new Winsync POSIX API.Rob Crittenden2012-09-062-6/+55
| | | | | | | | | | | This will sync down the POSIX attributes from AD so we need to be careful to not mess with them when they are already set. This includes uidNumber, gidNumber, homeDirectory, loginShell and gecos. http://port389.org/wiki/WinSync_Posix http://port389.org/wiki/Windows_Sync_Plugin_API#Version_3_API_functions https://fedorahosted.org/freeipa/ticket/3007
* Allow localhost in zone ACIs - Web UIPetr Vobornik2012-09-061-8/+2
| | | | | Loopback address, "localhost" and "localnets" ACIs are no longer an issue for bind-dyndb-ldap. Allow them in our Web UI validators as well.
* Allow localhost in zone ACIsMartin Kosek2012-09-061-6/+3
| | | | | Loopback address, "localhost" and "localnets" ACIs are no longer an issue for bind-dyndb-ldap. Allow them in our validators.
* Fixed problem while deleting entry with unsaved changesPetr Vobornik2012-09-062-0/+11
| | | | | | While deleting an entry it now resets a facet if there are unsaved changes. It prevents pop up of various error dialogs when UI tries to redirect to search page after successful delete. https://fedorahosted.org/freeipa/ticket/3047
* Generated metadata for testing updatedPetr Vobornik2012-09-062-144/+371
| | | | | | Testing metadata needs to be updated because of fix in json serialization. https://fedorahosted.org/freeipa/ticket/3052
* Added decimal checks to metadata validatorPetr Vobornik2012-09-063-3/+15
| | | | | | Medatadata validator didn't have check for decimal values. It was added. https://fedorahosted.org/freeipa/ticket/3052
* Fixed metadata serialization of Numbers and DNsPetr Vobornik2012-09-063-4/+8
| | | | | | | | There were following problems: 1. DNs and Decimals weren't properly serialized. Serialization output was object with empty __base64__ attribute. It was fixed by converting them to string. 2. numberical values equal to 0 were excluded from metadata. It broke many of minvalue checks in Web UI. Now excluding only None and False values as initally intended. https://fedorahosted.org/freeipa/ticket/3052
generated by cgit (git 2.34.1) at 2024-07-02 18:34:06 +0000