path: root/freeipa.spec.in
Commit log, newest first. Each entry: * subject [author, date, files changed, lines -/+], followed by the commit message body.
...
* Don't set delegation flag in client, we're using S4U2Proxy now [Rob Crittenden, 2012-02-15, 1 file, -7/+6]
  A forwardable ticket is still required but we no longer need to send the TGT to the IPA server. A new flag, --delegate, is available if the old behavior is required.
  Set the minimum n-v-r for mod_auth_kerb and krb5-server to pick up needed patches for S4U2Proxy to work.
  https://fedorahosted.org/freeipa/ticket/1098
  https://fedorahosted.org/freeipa/ticket/2246
* Stop and uninstall ipa_kpasswd on upgrade, fix dbmodules in krb5.conf [Rob Crittenden, 2012-02-15, 1 file, -0/+13]
  The ipa_kpasswd service was deprecated in 2.2, replaced by kadmin. On upgrade it will be left running by the previous installation, we need to stop it and uninstall the service.
  The dbmodules section needs to reflect that we're now using the new IPA kdb backend instead of the standard MIT ldap backend.
  https://fedorahosted.org/freeipa/ticket/2341
* Add ipa_memcached service [John Dennis, 2012-02-09, 1 file, -0/+22]
  * Adds ipa_memcached SystemV initscript
  * Adds ipa_memcached service file and tmpfiles.d/ipa.conf to recreate /var/run/ipa_memcached on reboot.
  * Adds ipa_memcached config file
  * Adds memcacheinstance.py to manage ipa_memcached as a SimpleService object.
  * Updates the IPA service list to include ipa_memcached, at service position 39, httpd is position 40
  * Updates the spec file:
    - requires the memcached daemon and python client
    - installs service or initscripts depending on OS
    - installs config file
    - creates /var/run/ipa_memcached directory
  * Modifies ipa-server-install to install ipa_memcached
* %ghost the UI files that we install/create on the fly [Rob Crittenden, 2012-01-31, 1 file, -0/+15]
  https://fedorahosted.org/freeipa/ticket/1764
* Update and package ipa-upgradeconfig man page. [Rob Crittenden, 2012-01-23, 1 file, -0/+1]
  Require that the tool be run as root to avoid a permission-related backtrace.
  https://fedorahosted.org/freeipa/ticket/1758
* slapi-plugins: use thread-safe ldap library [Simo Sorce, 2012-01-13, 1 file, -1/+1]
* Configure s4u2proxy during installation. [Rob Crittenden, 2012-01-10, 1 file, -1/+4]
  This creates a new container, cn=s4u2proxy,cn=etc,$SUFFIX
  Within that container we control which services are allowed to delegate tickets for other services. Right now that is limited from the IPA HTTP to ldap services.
  Requires a version of mod_auth_kerb that supports s4u2proxy
  https://fedorahosted.org/freeipa/ticket/1098
* Fix dependency for samba4-devel package [Alexander Bokovoy, 2011-12-09, 1 file, -1/+4]
* Add ipasam samba passdb backend [Sumit Bose, 2011-12-06, 1 file, -0/+2]
  https://fedorahosted.org/freeipa/ticket/1874
* spec: We do not need krb5-server-ldap anymore [Simo Sorce, 2011-11-29, 1 file, -1/+0]
  We now use our own ipa-kdb DAL driver
* Add plugin framework to LDAP updates. [Rob Crittenden, 2011-11-22, 1 file, -1/+5]
  There are two reasons for the plugin framework:
  1. To provide a way of doing manual/complex LDAP changes without having to keep extending ldapupdate.py (like we did with managed entries).
  2. Allows for better control of restarts.
  There are two types of plugins, preop and postop. A preop plugin runs before any file-based updates are loaded. A postop plugin runs after all file-based updates are applied.
  A preop plugin may update LDAP directly or craft update entries to be applied with the file-based updates.
  Either a preop or postop plugin may attempt to restart the dirsrv instance. The instance is only restartable if ipa-ldap-updater is being executed as root. A warning is printed if a restart is requested for a non-root user.
  Plugins are not executed by default. This is so we can use ldapupdate to apply simple updates in commands like ipa-nis-manage.
  https://fedorahosted.org/freeipa/ticket/1789
  https://fedorahosted.org/freeipa/ticket/1790
  https://fedorahosted.org/freeipa/ticket/2032
* Create skeleton CLDAP server as a DS plugin [Simo Sorce, 2011-11-21, 1 file, -6/+9]
* Removed develop.js. [Endi S. Dewata, 2011-11-14, 1 file, -0/+4]
  The develop.js is no longer necessary because the code in it has been merged into the main code. An empty extension.js has been added to provide a place for UI customization.
  Ticket #2099
* Add support for generating PAC for AS requests for user principals [Simo Sorce, 2011-11-07, 1 file, -0/+1]
* Fixed inconsistent image names. [Endi S. Dewata, 2011-10-27, 1 file, -2/+6]
  The images have been renamed to be more consistent and moved into the "images" directory to mimic the original jQuery UI structure.
  Ticket #1613
* Removed HBAC deny rule warning. [Endi S. Dewata, 2011-10-26, 1 file, -4/+3]
  The HBAC deny rule is no longer supported so it's no longer necessary to show the warning.
  Ticket #1444
* Update spec file to use systemd on Fedora 16 and above [Alexander Bokovoy, 2011-10-24, 1 file, -1/+74]
* Set min nvr of 389-ds-base to 1.2.10-0.4.a4 for limits fixes (740942, 742324) [Rob Crittenden, 2011-10-13, 1 file, -1/+4]
* Force the upgrade of pki-setup when upgrading the RPMS [Adam Young, 2011-10-09, 1 file, -2/+6]
* 25 Create Tool for Enabling/Disabling Managed Entry Plugins [JR Aquino, 2011-09-21, 1 file, -2/+2]
  Remove legacy ipa-host-net-manage
  Add ipa-managed-entries tool
  Add man page for ipa-managed-entries tool
  https://fedorahosted.org/freeipa/ticket/1181
* Change the Requires for the server and server-selinux for proper order [Rob Crittenden, 2011-09-15, 1 file, -2/+3]
  The server package needs to be installed before the server-selinux package otherwise the SELinux contexts won't get set properly.
  The (postun) is so you can continue to do yum erase freeipa-python and it will pick up everything else.
  https://fedorahosted.org/freeipa/ticket/1779
* Add ipa-adtrust-install utility [Sumit Bose, 2011-09-14, 1 file, -0/+2]
  https://fedorahosted.org/freeipa/ticket/1619
* Introduce platform-specific adaptation for services used by FreeIPA. [Alexander Bokovoy, 2011-09-13, 1 file, -0/+5]
  Refactor FreeIPA code to allow abstracting all calls to external processes and dependencies on modification of system-wide configuration.
  A platform provider would give its own implementation of those methods and FreeIPA would use it based on what's built in packaging process.
  https://fedorahosted.org/freeipa/ticket/1605
* Set bind and bind-dyndb-ldap min nvr [Martin Kosek, 2011-09-09, 1 file, -0/+9]
  This is a soft dependency, min nvr version will only be required when bind/bind-dyndb-ldap are installed.
  https://fedorahosted.org/freeipa/ticket/1121
  https://fedorahosted.org/freeipa/ticket/1573
* Set min nvr of 389-ds-base to 1.2.9.7-1 for BZ 728605 [Rob Crittenden, 2011-08-30, 1 file, -1/+4]
  https://fedorahosted.org/freeipa/ticket/1576
* enable proxy for dogtag [Adam Young, 2011-08-29, 1 file, -0/+3]
  Dogtag is going to be proxied through httpd. To make this work, it has to support renegotiation of the SSL connection. This patch enables renegotiate in the nss configuration file during apache configuration, as well as modifies libnss to set the appropriate options on the ssl connection in order to renegotiate.
  The IPA install uses the internal ports instead of proxying through httpd since httpd is not set up yet. IPA needs to Request the certificate through a port that uses authentication. On the Dogtag side, they provide an additional mapping for this: /ca/eeca/ca as opposed to /ca/ee/ca just for this purpose.
  https://fedorahosted.org/freeipa/ticket/1334
  add flag to pkicreate in order to enable using proxy.
  add the proxy file in /etc/http/conf.d/
  Signed-off-by: Simo Sorce <ssorce@redhat.com>
* Set min nvr of pki-ca to 9.0.12 for fix in BZ 700505 [Rob Crittenden, 2011-08-28, 1 file, -3/+6]
  https://fedorahosted.org/freeipa/ticket/1686
* daemons: Remove ipa_kpasswd [Simo Sorce, 2011-08-26, 1 file, -9/+6]
  Now that we have our own database we can properly enforce stricter constraints on how the db can be changed.
  Stop shipping our own kpasswd daemon and instead use the regular kadmin daemon.
* ipa-kdb: Initial plugin skeleton [Simo Sorce, 2011-08-26, 1 file, -0/+2]
* Add subscription-manager dependency for RHEL. [Jan Cholasta, 2011-08-23, 1 file, -0/+6]
  ticket 1664
* Update pki-ca version [Martin Kosek, 2011-08-12, 1 file, -2/+3]
  Bump minimal pki-ca version in spec file to get fix for ipa cert-request command.
  https://fedorahosted.org/freeipa/ticket/1578
* Update 389-ds-base version [Martin Kosek, 2011-08-11, 1 file, -2/+6]
  Bump minimal 389-ds-base version in spec file to get in recent Directory Server bug fixes.
  https://fedorahosted.org/freeipa/ticket/1513
  https://fedorahosted.org/freeipa/ticket/1525
  https://fedorahosted.org/freeipa/ticket/1552
* Fix client enrollment [Martin Kosek, 2011-08-11, 1 file, -2/+27]
  Enable GSSAPI credentials delegation in xmlrpc-c/curl to fix client enrollment. The unconditional GSSAPI was previously dropped from curl because of CVE-2011-2192.
  https://fedorahosted.org/freeipa/ticket/1452
* Fixed missing icons. [Endi S. Dewata, 2011-08-02, 1 file, -0/+4]
  The Makefile.am and the spec file have been fixed to include all icons in the install/ui folder.
  Ticket #1559
* Fix date order in changelog. [Rob Crittenden, 2011-07-28, 1 file, -1/+1]
* Add hbactest command. https://fedorahosted.org/freeipa/ticket/386 [Alexander Bokovoy, 2011-07-28, 1 file, -0/+5]
  HBAC rules control who can access what services on what hosts and from where. You can use HBAC to control which users or groups on a source host can access a service, or group of services, on a target host.
  Since applying HBAC rules implies use of a production environment, this plugin aims to provide simulation of HBAC rules evaluation without having access to the production environment.
  Test user coming from source host to a service on a named host against existing enabled rules.
    ipa hbactest --user= --srchost= --host= --service= [--rules=rules-list] [--nodetail] [--enabled] [--disabled]
  --user, --srchost, --host, and --service are mandatory, others are optional.
  If --rules is specified simulate enabling of the specified rules and test the login of the user using only these rules.
  If --enabled is specified, all enabled HBAC rules will be added to simulation
  If --disabled is specified, all disabled HBAC rules will be added to simulation
  If --nodetail is specified, do not return information about rules matched/not matched.
  If both --rules and --enabled are specified, apply simulation to --rules _and_ all IPA enabled rules.
  If no --rules specified, simulation is run against all IPA enabled rules.
  EXAMPLES:
  1. Use all enabled HBAC rules in IPA database to simulate:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh
    --------------------
    Access granted: True
    --------------------
    notmatched: my-second-rule
    notmatched: my-third-rule
    notmatched: myrule
    matched: allow_all
  2. Disable detailed summary of how rules were applied:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail
    --------------------
    Access granted: True
    --------------------
  3. Test explicitly specified HBAC rules:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule
    ---------------------
    Access granted: False
    ---------------------
    notmatched: my-second-rule
    notmatched: myrule
  4. Use all enabled HBAC rules in IPA database + explicitly specified rules:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled
    --------------------
    Access granted: True
    --------------------
    notmatched: my-second-rule
    notmatched: my-third-rule
    notmatched: myrule
    matched: allow_all
  5. Test all disabled HBAC rules in IPA database:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled
    ---------------------
    Access granted: False
    ---------------------
    notmatched: new-rule
  6. Test all disabled HBAC rules in IPA database + explicitly specified rules:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled
    ---------------------
    Access granted: False
    ---------------------
    notmatched: my-second-rule
    notmatched: my-third-rule
    notmatched: myrule
  7. Test all (enabled and disabled) HBAC rules in IPA database:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled
    --------------------
    Access granted: True
    --------------------
    notmatched: my-second-rule
    notmatched: my-third-rule
    notmatched: myrule
    notmatched: new-rule
    matched: allow_all
  Only rules existing in IPA database are tested. They may be in enabled or disabled state. Specifying them through --rules option explicitly enables them only in simulation run. Specifying non-existing rules will not grant access and report non-existing rules in output.
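The rule-selection semantics described in the hbactest commit above (explicit --rules are switched on for the run only, --enabled/--disabled add the database's rules, nothing given means enabled rules, a non-existing rule name denies access) are easy to get wrong when reasoning about an HBAC change, so here is an offline simulation of them. This is an added example written for this page, not FreeIPA's hbactest plugin or its libipa_hbac evaluator; the rule model is a simplification (per-component membership sets with an "all" category, no rule groups), and the rule set is constructed so that the names and outcomes line up with examples 1, 3, 5 and 7 in the commit message. Source-host matching is assumed unrestricted for every sample rule.

```python
"""Offline simulation of HBAC rule evaluation with `ipa hbactest` semantics.

Added illustration, not FreeIPA's own code.  RULES is a constructed sample
database, not a real IPA directory.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class HBACRule:
    name: str
    enabled: bool
    users: frozenset = frozenset()
    hosts: frozenset = frozenset()
    services: frozenset = frozenset()
    srchosts: frozenset = frozenset()
    user_all: bool = False
    host_all: bool = False
    service_all: bool = False
    srchost_all: bool = True  # assumption: no sample rule restricts source hosts

    def matches(self, user, srchost, host, service):
        """A rule applies only when every one of its components matches."""
        return ((self.user_all or user in self.users)
                and (self.srchost_all or srchost in self.srchosts)
                and (self.host_all or host in self.hosts)
                and (self.service_all or service in self.services))


# Constructed sample database; only allow_all can match a1a -> bar/ssh.
RULES = {
    "allow_all": HBACRule("allow_all", True, user_all=True, host_all=True,
                          service_all=True),
    "myrule": HBACRule("myrule", True, users=frozenset({"bob"}),
                       hosts=frozenset({"bar"}), services=frozenset({"ssh"})),
    "my-second-rule": HBACRule("my-second-rule", True, users=frozenset({"a1a"}),
                               hosts=frozenset({"baz"}), services=frozenset({"ssh"})),
    "my-third-rule": HBACRule("my-third-rule", True, users=frozenset({"a1a"}),
                              hosts=frozenset({"bar"}), services=frozenset({"ftp"})),
    "new-rule": HBACRule("new-rule", False, users=frozenset({"a1a"}),
                         hosts=frozenset({"bar"}), services=frozenset({"ftp"})),
}


def select_rules(db, rules=None, enabled=False, disabled=False):
    """Choose the rules to simulate: --rules switches the named rules on for
    this run only, --enabled/--disabled add the database's enabled/disabled
    rules, and with none of the three given the enabled rules are used.
    Names that do not exist come back separately as unresolved."""
    selected, unresolved = {}, []
    for name in rules or []:
        if name in db:
            selected[name] = db[name]
        else:
            unresolved.append(name)
    if enabled or not (rules or disabled):
        selected.update({n: r for n, r in db.items() if r.enabled})
    if disabled:
        selected.update({n: r for n, r in db.items() if not r.enabled})
    return selected, unresolved


def hbactest(db, user, srchost, host, service, rules=None,
             enabled=False, disabled=False, nodetail=False):
    """Evaluate user@srchost -> service@host.  Access is granted when at least
    one selected rule matches; a non-existing rule name never grants access
    and is reported instead."""
    selected, unresolved = select_rules(db, rules, enabled, disabled)
    matched = sorted(n for n, r in selected.items()
                     if r.matches(user, srchost, host, service))
    notmatched = sorted(n for n in selected if n not in matched)
    result = {"granted": bool(matched) and not unresolved,
              "unresolved": unresolved}
    if not nodetail:
        result["matched"] = matched
        result["notmatched"] = notmatched
    return result


def render(result):
    """Mimic the CLI layout: a banner, then one line per rule."""
    lines = ["--------------------",
             "Access granted: %s" % result["granted"],
             "--------------------"]
    lines += ["notmatched: %s" % n for n in result.get("notmatched", [])]
    lines += ["matched: %s" % n for n in result.get("matched", [])]
    lines += ["unresolved: %s" % n for n in result["unresolved"]]
    return "\n".join(lines)


if __name__ == "__main__":
    # Example 1: all enabled rules, access granted through allow_all.
    print(render(hbactest(RULES, "a1a", "foo", "bar", "ssh")))
    # Example 3: only the explicitly named rules, none of which match.
    print(render(hbactest(RULES, "a1a", "foo", "bar", "ssh",
                          rules=["my-second-rule", "myrule"])))
```

The point worth noticing is the last assertion-style case: a broad allow_all rule makes almost any simulation succeed, so when reviewing a new rule it is the --rules-only run (example 3) that tells you whether the rule itself grants what you intend.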
* Set minimum version of pki-ca to 9.0.10 to pick up new ipa cert profile [Rob Crittenden, 2011-07-29, 1 file, -2/+6]
  The caIPAserviceCert.cfg was updated to set the client cert flag on server certs we issue.
  https://fedorahosted.org/freeipa/ticket/1434
* Add an arch-specific Requires on cyrus-sasl-gssapi [Rob Crittenden, 2011-07-24, 1 file, -2/+5]
  If you had a 64-bit system and installed a 32-bit version of IPA then ipa-getkeytab probably wouldn't work because yum wouldn't know to pull in the 32-bit version of cyrus-sasl-gssapi.
  https://fedorahosted.org/freeipa/ticket/1499
* Removed custom layouts using HTML templates. [Endi S. Dewata, 2011-07-21, 1 file, -3/+0]
  The code for supporting custom layouts using HTML templates has been removed. If it's needed again in the future the code can be restored.
  Ticket #1501
* Update minimum required version of python-netaddr. [Jan Cholasta, 2011-07-17, 1 file, -0/+8]
  ticket 1288
* Create tool to manage dogtag replication agreements [Rob Crittenden, 2011-07-17, 1 file, -1/+6]
  For the most part the existing replication code worked with the following exceptions:
  - Added more port options
  - It assumed that initial connections were done to an SSL port. Added ability to use startTLS
  - It assumed that the name of the agreement was the same on both sides. In dogtag one is marked as master and one as clone. A new option is added, master, that determines which side we're working on or None if it isn't a dogtag agreement.
  - Don't set the attribute exclude list on dogtag agreements
  - dogtag doesn't set a schedule by default (which is actually recommended by 389-ds). This causes problems when doing a force-sync though so if one is done we set a schedule to run all the time. Otherwise the temporary schedule can't be removed (LDAP operations error).
  https://fedorahosted.org/freeipa/ticket/1250
* HBAC deny warning [Adam Young, 2011-07-06, 1 file, -0/+7]
  shows dialog if there are any HBAC deny rules. Dialog provides option to navigate to the HBAC page. Deny rules have their rule type value show up in red. Only shows up for administrators, not for self service users.
  https://fedorahosted.org/freeipa/ticket/1421
* Make dogtag an optional (and default un-) installed component in a replica. [Rob Crittenden, 2011-06-23, 1 file, -0/+5]
  A dogtag replica file is created as usual. When the replica is installed dogtag is optional and not installed by default. Adding the --setup-ca option will configure it when the replica is installed.
  A new tool ipa-ca-install will configure dogtag if it wasn't configured when the replica was initially installed.
  This moves a fair bit of code out of ipa-replica-install into installutils and cainstance to avoid duplication.
  https://fedorahosted.org/freeipa/ticket/1251
* Multi-process build problems [Martin Kosek, 2011-06-19, 1 file, -2/+2]
  Fix a problem when a target missed a version-update requirement. This caused build problems, especially in a parallel build environment.
  https://fedorahosted.org/freeipa/ticket/1215
* Fixed build break. [Endi S. Dewata, 2011-06-15, 1 file, -1/+4]
  The Makefile.am freeipa.spec.in have been updated according to the recent file changes.
* Connection check program for replica installation [Martin Kosek, 2011-06-08, 1 file, -0/+2]
  When connection between a master machine and future replica is not sane, the replica installation may fail unexpectedly with inconvenient error messages. One common problem is misconfigured firewall.
  This patch adds a program ipa-replica-conncheck which tests the connection using the following procedure:
  1) Execute the on-replica check testing the connection to master
  2) Open required ports on local machine
  3) Ask user to run the on-master part of the check OR run it automatically:
     a) kinit to master as default admin user with given password
     b) run the on-master part using ssh
  4) When master part is executed, it checks connection back to the replica and prints the check result
  This program is run by ipa-replica-install as mandatory part. It can, however, be skipped using --skip-conncheck option. ipa-replica-install now requires password for admin user to run the command on remote master.
  https://fedorahosted.org/freeipa/ticket/1107
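Step 1 of the conncheck procedure above, the replica-side probe of the master's ports, is the part that catches the "misconfigured firewall" case, and it is worth seeing what such a probe has to do: a bounded-timeout TCP connect per service, reported per port rather than as a single pass/fail so the operator knows which rule to fix. The block below is an added example written for this page, not the ipa-replica-conncheck code. The service-to-port map is an assumption about what a FreeIPA master is expected to expose over TCP (HTTP, HTTPS, LDAP, LDAPS, Kerberos, kpasswd); the UDP Kerberos ports and the ssh-driven master-side check (steps 3 and 4) are not covered. The self-test runs offline against local listeners.

```python
"""Per-port TCP reachability probe of the kind a replica-side conncheck does.

Added example, not FreeIPA's ipa-replica-conncheck.  REPLICA_TCP_PORTS is an
assumed map of the master-side services a replica needs to reach.
"""
import socket
import threading

# Assumption: TCP ports a FreeIPA master exposes that a replica must reach.
REPLICA_TCP_PORTS = {
    "http": 80,
    "https": 443,
    "ldap": 389,
    "ldaps": 636,
    "kerberos": 88,
    "kpasswd": 464,
}


def port_open(host, port, timeout=2.0):
    """True when a TCP handshake to host:port completes within timeout.
    Refused, filtered (timeout) and unresolvable hosts all report False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_ports(host, ports, timeout=2.0):
    """Probe every named port; returns {service: reachable} so the report
    names exactly which services a firewall is blocking."""
    return {name: port_open(host, port, timeout) for name, port in ports.items()}


def unreachable(results):
    """Sorted list of service names that failed the probe."""
    return sorted(name for name, ok in results.items() if not ok)


def _serve_once(listener):
    """Accept one connection and close it: a stand-in for a real service."""
    try:
        conn, _ = listener.accept()
        conn.close()
    except OSError:
        pass


def self_test():
    """Offline demonstration: one listening socket stands in for a reachable
    service, a just-released ephemeral port for a blocked one."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    threading.Thread(target=_serve_once, args=(listener,), daemon=True).start()

    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()  # nothing listens here now, so the connect is refused

    results = check_ports("127.0.0.1",
                          {"open": open_port, "closed": closed_port},
                          timeout=1.0)
    listener.close()
    return results


if __name__ == "__main__":
    demo = self_test()
    print(demo, "blocked:", unreachable(demo))
    # Against a real master you would run:
    #   unreachable(check_ports("master.example.test", REPLICA_TCP_PORTS))
```

A connect-level probe only proves the port answers; it says nothing about whether the service behind it will accept the replica's credentials, which is why the procedure above still needs the master-side check run over ssh.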
* Parse netmasks in IP addresses passed to server install. [Jan Cholasta, 2011-05-30, 1 file, -0/+1]
  ticket 1212
* Update min nvr for selinux-policy and pki-ca for F-15+ [Rob Crittenden, 2011-05-13, 1 file, -2/+15]
  Done with conditionals so still installable on F-14.
  ticket 1200
* Update spec with missing BuildRequires for pylint check [Martin Kosek, 2011-05-05, 1 file, -0/+6]
  https://fedorahosted.org/freeipa/ticket/1203
* Bump version to 2.0.90 to distinguish between 2.0.x [Rob Crittenden, 2011-05-03, 1 file, -0/+3]