summaryrefslogtreecommitdiffstats
path: root/freeipa.spec.in
Commit message (Collapse)AuthorAgeFilesLines
* ipasam: Fixes build with samba4 rc1Sumit Bose2012-09-141-1/+4
|
* Set minimum of 389-ds-base to 1.2.11.8 to pick up cache warning.Rob Crittenden2012-09-051-1/+5
| | | | | | | If the DB is bigger than nsslapd-cachememsize then a warning will be logged by 389-ds-base. https://fedorahosted.org/freeipa/ticket/2739
* Adds dependency on samba4-winbind.Tomas Babej2012-08-221-0/+4
| | | | | Dependency on samba4-winbind has been added to the package freeipa-server-trust-ad.
* Use libsamba-security instead of libsecuritySumit Bose2012-08-221-1/+1
| | | | | In samba4-beta6 the name of a library was changed from libsecurity to libsamba-security.
* Fix client-only buildMartin Kosek2012-08-171-1/+1
| | | | | | Client-only build unconditionally touched some files from freeipa-server package and thus the installation crashed. Fix spec file to enable client-only builds like "make client-rpms".
* Bump bind-dyndb-ldap version in spec fileMartin Kosek2012-08-171-1/+5
| | | | | | The updated version of the BIND LDAP plugin includes completed support of DNS zone transfers. With the new version, users will be able to configure slave DNS servers for IPA master DNS server.
* Bump bind-dyndb-ldap version for F18Martin Kosek2012-08-021-0/+8
| | | | | | | | | bind-dyndb-ldap with SOA serial autoincrement was released. Bump the package version in the spec file. The version is bumped for F18 only as it was released only to rawhide and we don't want to break development on F17. https://fedorahosted.org/freeipa/ticket/2554
* Use certmonger to renew CA subsystem certificatesRob Crittenden2012-07-301-1/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Certificate renewal can be done only one one CA as the certificates need to be shared amongst them. certmonger has been trained to communicate directly with dogtag to perform the renewals. The initial CA installation is the defacto certificate renewal master. A copy of the certificate is stored in the IPA LDAP tree in cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX, the rdn being the nickname of the certificate, when a certificate is renewed. Only the most current certificate is stored. It is valid to have no certificates there, it means that no renewals have taken place. The clones are configured with a new certmonger CA type that polls this location in the IPA tree looking for an updated certificate. If one is not found then certmonger is put into the CA_WORKING state and will poll every 8 hours until an updated certificate is available. The RA agent certificate, ipaCert in /etc/httpd/alias, is a special case. When this certificate is updated we also need to update its entry in the dogtag tree, adding the updated certificate and telling dogtag which certificate to use. This is the certificate that lets IPA issue certificates. On upgrades we check to see if the certificate tracking is already in place. If not then we need to determine if this is the master that will do the renewals or not. This decision is made based on whether it was the first master installed. It is concievable that this master is no longer available meaning that none are actually tracking renewal. We will need to document this. https://fedorahosted.org/freeipa/ticket/2803
* Add all external samba libraries to BuildRequiresSimo Sorce2012-07-251-1/+2
| | | | | Also move them in the right spot (if ! only client) so that they are required only when building the server.
* Add libtalloc-devel as spec file BuildRequireSimo Sorce2012-07-241-0/+1
|
* Follow change in samba4 beta4 for sid_check_is_domain to sid_check_is_our_samAlexander Bokovoy2012-07-181-1/+4
| | | | | | | With c43505b621725c9a754f0ee98318d451b093f2ed in samba git master the function sid_check_is_domain() was renamed to sid_check_is_our_sam(). https://fedorahosted.org/freeipa/ticket/2929
* Print ipa-ldap-updater errors during RPM upgradeMartin Kosek2012-07-131-1/+1
| | | | | | | | | | | | | | | | | ipa-ldap-updater does a lot of essential LDAP changes and if it fails, user may be surprised after the upgrade why things does not work. Modify ipa-ldap-updater to print ERROR logging messages by default and modify RPM upgrade scriptlet to show these errors to user. Console error messages are now formated in a more user-friendly way. Information message stating that IPA is not configured and i.e. there is nothing to be updated is not printer to stderr so that it does not pop up for every freeipa-server package update when IPA is not configured. https://fedorahosted.org/freeipa/ticket/2892
* Fix compatibility with Fedora 18.Rob Crittenden2012-07-021-0/+13
| | | | | | | | We need a Requires on openssl, the mod_rewrite syntax has changed so we can dump some unused configuration and we need a newer version of mod_auth_kerb to pick up the new location of delegated ccache. https://fedorahosted.org/freeipa/ticket/2839
* Add range check preop pluginSumit Bose2012-06-291-0/+2
| | | | | | | To make sure that ID ranges do not overlap this plugin checks new additions and changes for conflicts with existing ranges. https://fedorahosted.org/freeipa/ticket/2185
* Add missing libsss_idmap Requires on freeipa-server-trust-adMartin Kosek2012-06-281-0/+1
|
* Add external domain extop DS pluginSumit Bose2012-06-281-0/+7
| | | | | | This extop can be used by clients of the IPA domain, e.g. sssd, to retrieve data from trusted external domains. It can be used e.g. to map Windows SIDs to user or groups names and back.
* Add sidgen postop and taskSumit Bose2012-06-281-0/+4
| | | | | | | | A postop plugin is added to create the SID for new created users and groups. A directory server task allows to set the SID for existing users and groups. Fixes https://fedorahosted.org/freeipa/ticket/2825
* Configure automount using autofs or sssd.Rob Crittenden2012-06-251-0/+10
| | | | | | | | | | | This script edits nsswitch.conf to use either ldap (autofs) or sss (sssd) to find automount maps. NFSv4 services are started so Kerberos encryption and/or integrity can be used on the maps. https://fedorahosted.org/freeipa/ticket/1233 https://fedorahosted.org/freeipa/ticket/2193
* Add logging to ipa-upgradeconfigRob Crittenden2012-06-211-1/+1
| | | | | | | | | Log to the same file as ipa-ldap-updater --upgrade, /var/log/ipaupgrade.log Will output basic stauts information if executed from the command-line. https://fedorahosted.org/freeipa/ticket/2696
* Separate reset password pagePetr Vobornik2012-06-211-0/+4
| | | | | | This patch adds separate reset password page. It is a complement to separate login page. It differentiate from reset password capabilities in Web UI's anauthorized dialog by not performing login. This is useful for users who wants only to reset the password and not to use Web UI. And also for users who are using the separate login page. https://fedorahosted.org/freeipa/ticket/2755
* Case sensitive renaming of objectsOndrej Hamada2012-06-201-1/+9
| | | | | | | | When renaming object its case sensitivity is obeyed. This was DS bug. Unit tests were corrected and minimal DS version was updated in spec file. https://fedorahosted.org/freeipa/ticket/2620
* Store session cookie in ccache for cli usersRob Crittenden2012-06-141-0/+1
| | | | | | | | | Try to use the URI /ipa/session/xml if there is a key in the kernel keyring. If there is no cookie or it turns out to be invalid (expired, whatever) then use the standard URI /ipa/xml. This in turn will create a session that the user can then use later. https://fedorahosted.org/freeipa/ticket/2331
* Move AD trust support code to freeipa-server-trust-ad subpackageAlexander Bokovoy2012-06-131-5/+14
| | | | | | | | | | | DCERPC code in AD trusts implementation depends on Samba 4 Python bindings. Make this dependency optional for main freeipa-server package by moving the dependency to freeipa-server-trust-ad subpackage. Main interface to AD trusts (ipalib/plugins/trust.py) will still stay, as well as LDIF files and updates as they are not causing real dependency. https://fedorahosted.org/freeipa/ticket/2821
* Enable persistent search by defaultMartin Kosek2012-06-101-1/+3
| | | | | | | | | | | From IPA version 3.0, the persistent search is a preferred mechanism to for DNS zone list management. It will be also a requirement for several bind-dyndb-ldap features, like SOA serial automatic updates or DNSSEC. Make this mechanism default in ipa-server-install and ipa-dns-istall. https://fedorahosted.org/freeipa/ticket/2524
* Add sysupgrade state fileMartin Kosek2012-06-101-0/+5
| | | | | | | | | | | | | When IPA package is being updated, some of the configuration files are also updated. Sometimes it may be useful to store upgrade meta information for next package upgrades. For example an information that some config file was already updated and we don't want to update it again if user purposedly reverted the change. This patch adds a new StateFile in /var/lib/ipa/sysupgrade which is capable of holding this information. New sysupgrade.py module was created to provide simple API to access the upgrade state information.
* Add samba4-python to BuildRequiresPetr Viktorin2012-06-071-1/+2
|
* Add python-crypto to build requires for AD server-side codeAlexander Bokovoy2012-06-071-0/+4
|
* Add trust management for Active Directory trustsAlexander Bokovoy2012-06-071-1/+20
|
* Replace DNS client based on acutil with python-dnsMartin Kosek2012-05-241-2/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | IPA client and server tool set used authconfig acutil module to for client DNS operations. This is not optimal DNS interface for several reasons: - does not provide native Python object oriented interface but but rather C-like interface based on functions and structures which is not easy to use and extend - acutil is not meant to be used by third parties besides authconfig and thus can break without notice Replace the acutil with python-dns package which has a feature rich interface for dealing with all different aspects of DNS including DNSSEC. The main target of this patch is to replace all uses of acutil DNS library with a use python-dns. In most cases, even though the larger parts of the code are changed, the actual functionality is changed only in the following cases: - redundant DNS checks were removed from verify_fqdn function in installutils to make the whole DNS check simpler and less error-prone. Logging was improves for the remaining checks - improved logging for ipa-client-install DNS discovery https://fedorahosted.org/freeipa/ticket/2730 https://fedorahosted.org/freeipa/ticket/1837
* Configure certmonger to execute restart scripts on renewal.Rob Crittenden2012-04-101-2/+9
| | | | | | | | certmonger now has the ability to execute a script when it renews a certificate. This can be used to automatically restart servers so the certificate doesn't expire in the running server. https://fedorahosted.org/freeipa/ticket/2050
* Return consistent value when hostcat and usercat is all.Rob Crittenden2012-04-081-1/+4
| | | | | | | | | | We were returning '' for the first entry when hostcat and usercat were set to all. All subsequent entries were padded with - which effectively denied access. This requires slapi-nis 0.40+ https://fedorahosted.org/freeipa/ticket/2192
* Add requires on python-krbV to client subpackageRob Crittenden2012-03-281-0/+4
| | | | | | This is needed since ipa-client-install initializes the ipalib api. https://fedorahosted.org/freeipa/ticket/2577
* Replace broken i18n shell test with Python testJohn Dennis2012-03-261-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We had been using shell scripts and sed to test our translations. But trying to edit pot and po files with sed is nearly impossible because the file format can vary significantly and the sed editing was failing and gettext tools were complaining about our test strategy. We had been using a Python script (test_i18n.py) to perform the actual test after using shell, sed, and gettext tools to create the files. There is a Python library (polib) which can read/write/edit pot/po/mo files (used internally by Transifex, our translation portal). The strategy now is to do everything in Python (in test_i18n.py). This is easier, more robust and allows us to do more things. * add python-polib to BuildRequires * Remove the logic for creating the test lang from Makefile.in and replace it with calls to test_i18n.py * add argument parsing, usage, configuration parameters, etc. to test_i18n.py to make it easier to use and configurable. * add function to generate a test po and mo file. It also writes the files and creates the test directory structure. * Took the existing validate code and refactored it into validation function. It used to just pick one string and test it, now it iterates over all strings and all plural forms. * Validate anonymous Python format substitutions in pot file * added support for plural forms. * Add pot po file validation for variable substitution * In install/po subdir you can now do: $ make test $ make validate-pot $ make validate-po * The options for running test_i18n.py are: $ ./test_i18n.py --help Usage: test_i18n.py --test-gettext test_i18n.py --create-test test_i18n.py --validate-pot [pot_file1, ...] test_i18n.py --validate-po po_file1 [po_file2, ...] Options: -h, --help show this help message and exit -s, --show-strings show the offending string when an error is detected --pedantic be aggressive when validating -v, --verbose be informative --traceback print the traceback when an exception occurs Operational Mode: You must select one these modes to run in -g, --test-gettext create the test translation file(s) and exercise them -c, --create-test create the test translation file(s) -P, --validate-pot validate pot file(s) -p, --validate-po validate po file(s) Run Time Parameters: These may be used to modify the run time defaults --test-lang=TEST_LANG test po file uses this as it's basename (default=test) --lang=LANG lang used for locale, MUST be a valid lang (default=xh_ZA) --domain=DOMAIN translation domain used during test (default=ipa) --locale=LOCALE locale used during test (default=test_locale) --pot-file=POT_FILE default pot file, used when validating pot file or generating test po and mo files (default=ipa.pot) https://fedorahosted.org/freeipa/ticket/2044
* Set minimum version of 389-ds-base to 1.2.10.4-2 to fix upgrade issueRob Crittenden2012-03-261-1/+4
| | | | | | | The IPA upgrade process was starting before 389-ds had upgraded the database which caused corruption. https://fedorahosted.org/freeipa/ticket/2541
* Add missing BuildRequiresPetr Viktorin2012-03-261-0/+5
| | | | | | | | Since our build process runs pylint, we need all Python dependencies installed at RPM creation time. This adds python-lxml and python-pyasn1 to BuildRequires. https://fedorahosted.org/freeipa/ticket/2538
* No longer shell escape the DM password when calling pkisilent.Rob Crittenden2012-03-211-13/+5
| | | | | | | | | pkisilent was modified to handle escaping characters itself in BZ https://bugzilla.redhat.com/show_bug.cgi?id=769388 This removes the workaround from ticket 1636. https://fedorahosted.org/freeipa/ticket/2529
* Allow port numbers for idnsForwardersMartin Kosek2012-03-201-2/+5
| | | | | | | | Let user enter custom ports for zone conditional forwarders or global forwarders in dnsconfig. Ports can be specified in a standard BIND format: IP_ADDRESS [port PORT] https://fedorahosted.org/freeipa/ticket/2462
* Fixed rpm build warning - extension.js listed twicePetr Vobornik2012-03-191-1/+2
| | | | | | | | | | | | | Building the ipa rpms returns this: warning: File listed twice: /usr/share/ipa/ui/extension.js This is because of a glob: %{_usr}/share/ipa/ui/*.js and then more specifically: %config(noreplace) %{_usr}/share/ipa/ui/extension.js https://fedorahosted.org/freeipa/ticket/2253
* Set minimum version of selinux-policy to pick up memcached fixRob Crittenden2012-03-111-1/+9
| | | | | | | This package version adds a boolean, httpd_manage_ipa, that enables the ipa_memcached service to work. https://fedorahosted.org/freeipa/ticket/2433
* Configure SSH features of SSSD in ipa-client-install.Jan Cholasta2012-03-011-1/+7
| | | | | | | | OpenSSH server (sshd) is configured to fetch user authorized keys from SSSD and OpenSSH client (ssh) is configured to use and trigger updates of the SSSD-managed known hosts file. This requires SSSD 1.8.0.
* Forms based authentication UIPetr Voborník2012-03-021-1/+5
| | | | | | | | | | | | | | | | | | | | Support for forms based authentication was added to UI. It consist of: 1) new login page Page url is [ipa server]/ipa/ui/login.html Page contains a login form. For authentication it sends ajax request at [ipa server]/session/json/login_password. If authentication is successfull page is redirected to [ipa server]/ipa/ui if it fails from whatever reason a message is shown. 2) new enhanced error dialog - authorization_dialog. This dialog is displayed when user is not authorized to perform action - usually when ticket and session expires. It is a standard error dialog which shows kerberos ticket related error message and newly offers (as a link) to use form based authentication. If user click on the link, the dialog content and buttons switch to login dialog which has same functionality as 'new login page'. User is able to return back to the error message by clicking on a back button. login.html uses same css styles as migration page -> ipa-migration.css was merged into ipa.css. https://fedorahosted.org/freeipa/ticket/2450
* Added logout buttonPetr Voborník2012-02-281-0/+4
| | | | | | | | | | Logout button was added to Web UI. Click on logout button executes session_logout command. If command succeeds or xhr stutus is 401 (unauthorized - already logged out) page is redirected to logout.html. logout.html is a simple page with "You have been logged out" text and a link to return back to main page. https://fedorahosted.org/freeipa/ticket/2363
* Tweak the session auth to reflect developer consensus.John Dennis2012-02-271-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Increase the session ID from 48 random bits to 128. * Implement the sesison_logout RPC command. It permits the UI to send a command that destroys the users credentials in the current session. * Restores the original web URL's and their authentication protections. Adds a new URL for sessions /ipa/session/json. Restores the original Kerberos auth which was for /ipa and everything below. New /ipa/session/json URL is treated as an exception and turns all authenticaion off. Similar to how /ipa/ui is handled. * Refactor the RPC handlers in rpcserver.py such that there is one handler per URL, specifically one handler per RPC and AuthMechanism combination. * Reworked how the URL names are used to map a URL to a handler. Previously it only permitted one level in the URL path hierarchy. We now dispatch on more that one URL path component. * Renames the api.Backend.session object to wsgi_dispatch. The use of the name session was historical and is now confusing since we've implemented sessions in a different location than the api.Backend.session object, which is really a WSGI dispatcher, hence the new name wsgi_dispatch. * Bullet-proof the setting of the KRB5CCNAME environment variable. ldap2.connect already sets it via the create_context() call but just in case that's not called or not called early enough (we now have other things besides ldap which need the ccache) we explicitly set it early as soon as we know it. * Rework how we test for credential validity and expiration. The previous code did not work with s4u2proxy because it assumed the existance of a TGT. Now we first try ldap credentials and if we can't find those fallback to the TGT. This logic was moved to the KRB5_CCache object, it's an imperfect location for it but it's the only location that makes sense at the moment given some of the current code limitations. The new methods are KRB5_CCache.valid() and KRB5_CCache.endtime(). * Add two new classes to session.py AuthManager and SessionAuthManager. Their purpose is to emit authication events to interested listeners. At the moment the logout event is the only event, but the framework should support other events as they arise. * Add BuildRequires python-memcached to freeipa.spec.in * Removed the marshaled_dispatch method, it was cruft, no longer referenced. https://fedorahosted.org/freeipa/ticket/2362
* Add Requires to ipa-client on oddjob-mkhomedirRob Crittenden2012-02-271-0/+4
| | | | https://fedorahosted.org/freeipa/ticket/2337
* Update schema for bind-dyndb-ldapMartin Kosek2012-02-241-1/+4
| | | | | | | | | | | Add new attributes and objectclasses to support new features: - global bind-dyndb-ldap settings in LDAP - conditional per-zone forwarding - per-zone configuration of automatic PTR updates - AllowQuery and AllowTransfer ACIs https://fedorahosted.org/freeipa/ticket/2215 https://fedorahosted.org/freeipa/ticket/2072
* Add Conflicts on mod_ssl because it interferes with mod_proxy and dogtagRob Crittenden2012-02-221-0/+7
| | | | | | | | | | | | We had this in v1 but removed it with v2 because we no longer used TurboGears for the UI. Because we are now proxying requests to dogtag we need to re-add this so that mod_ssl doesn't interfere with our communication. mod_ssl always blindly registers itself as the SSL provider for mod_proxy. mod_nss will only register itself if mod_ssl hasn't already done so. https://fedorahosted.org/freeipa/ticket/2177
* Set min for 389-ds-base to 1.2.10.1-1 to fix install segfault, schema ↵Rob Crittenden2012-02-151-1/+5
| | | | | | replication. https://fedorahosted.org/freeipa/ticket/2118
* Require krb5 1.10Simo Sorce2012-02-161-2/+2
|
* Don't set delegation flag in client, we're using S4U2Proxy nowRob Crittenden2012-02-151-7/+6
| | | | | | | | | | | | A forwardable ticket is still required but we no longer need to send the TGT to the IPA server. A new flag, --delegate, is available if the old behavior is required. Set the minimum n-v-r for mod_auth_kerb and krb5-server to pick up needed patches for S4U2Proxy to work. https://fedorahosted.org/freeipa/ticket/1098 https://fedorahosted.org/freeipa/ticket/2246
* Stop and uninstall ipa_kpasswd on upgrade, fix dbmodules in krb5.confRob Crittenden2012-02-151-0/+13
| | | | | | | | | | | The ipa_kpasswd service was deprecated in 2.2, replaced by kadmin. On upgrade it will be left running by the previous installation, we need to stop it and uninstall the service. The dbmodules section needs to reflect that we're now using the new IPA kdb backend instead of the standard MIT ldap backend. https://fedorahosted.org/freeipa/ticket/2341