path: root/freeipa.spec.in
Commit message | Author | Age | Files | Lines
* Update qrcode support for newer python-qrcode | Nathaniel McCallum | 2014-09-11 | 1 | -2/+2
  This substantially reduces the FreeIPA dependencies and allows QR codes to fit in a standard terminal.
  https://fedorahosted.org/freeipa/ticket/4430
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Fix hardcoded lib dir in freeipa.spec | Gabe | 2014-09-09 | 1 | -3/+3
  - Migrate hardcoded tmpfiles.d paths to %{_tmpfilesdir} macro in spec file
  https://fedorahosted.org/freeipa/ticket/4528
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Use autobind when updating CA people entries during certificate renewal | Jan Cholasta | 2014-09-09 | 1 | -1/+1
  Requires fix for <https://bugzilla.redhat.com/show_bug.cgi?id=1122110>, bump selinux-policy in the spec file.
  https://fedorahosted.org/freeipa/ticket/4005
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Use certmonger D-Bus API instead of messing with its files. | David Kupka | 2014-09-05 | 1 | -1/+1
  FreeIPA certmonger module changed to use D-Bus to communicate with certmonger. Using the D-Bus API should be a more stable and supported way of using certmonger than tampering with its files.
  >=certmonger-0.75.13 is needed for this to work.
  https://fedorahosted.org/freeipa/ticket/4280
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* freeipa.spec.in: Add python-backports-ssl_match_hostname to BuildRequires | Petr Viktorin | 2014-09-02 | 1 | -0/+1
  This patch adds an explicit build dependency to python-backports-ssl_match_hostname. Without it, the build-time lint would fail.
  https://fedorahosted.org/freeipa/ticket/4515
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* CLIENT: Explicitly require python-backports-ssl_match_hostname | Jakub Hrozek | 2014-09-02 | 1 | -0/+1
  Without python-backports-ssl_match_hostname installed, an ipa-client installation could have failed with:
      from backports.ssl_match_hostname import match_hostname
      ImportError: No module named ssl_match_hostname
  This patch adds an explicit dependency to python-backports-ssl_match_hostname.
  https://fedorahosted.org/freeipa/ticket/4515
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Add man page for ipa-kra-install | Ade Lee | 2014-08-26 | 1 | -0/+1
  https://fedorahosted.org/freeipa/ticket/4504
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Add a KRA to IPA | Ade Lee | 2014-08-22 | 1 | -0/+2
  This patch adds the capability of installing a Dogtag KRA to an IPA instance. With this patch, a KRA is NOT configured by default when ipa-server-install is run. Rather, the command ipa-kra-install must be executed on an instance on which a Dogtag CA has already been configured.

  The KRA shares the same tomcat instance and DS instance as the Dogtag CA. Moreover, the same admin user/agent (and agent cert) can be used for both subsystems. Certmonger is also configured to monitor the new subsystem certificates.

  To create a clone KRA, simply execute ipa-kra-install <replica_file> on a replica on which a Dogtag CA has already been replicated. ipa-kra-install will use the security domain to detect whether the system being installed is a replica, and will error out if a needed replica file is not provided.

  The install scripts have been refactored somewhat to minimize duplication of code. A new base class dogtagintance.py has been introduced containing code that is common to KRA and CA installs. This will become very useful when we add more PKI subsystems.

  The KRA will install its database as a subtree of o=ipaca, specifically o=ipakra,o=ipaca. This means that replication agreements created to replicate CA data will also replicate KRA data. No new replication agreements are required.

  Added dogtag plugin for KRA. This is an initial commit providing the basic vault functionality needed for vault. This plugin will likely be modified as we create the code to call some of these functions.

  Part of the work for: https://fedorahosted.org/freeipa/ticket/3872

  The uninstallation option in ipa-kra-install is temporarily disabled.

  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Change BuildRequires for Java | Stephen Gallagher | 2014-08-20 | 1 | -1/+1
  Requiring a specific version of Java leads to breakages, like the one happening on nightly builds in Fedora Rawhide right now. We should use the more generic 'java' BuildRequires instead of the versioned one.
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Add client certificate update tool ipa-certupdate. | Jan Cholasta | 2014-07-30 | 1 | -0/+2
  Part of https://fedorahosted.org/freeipa/ticket/3259
  Part of https://fedorahosted.org/freeipa/ticket/3520
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Add CA certificate management tool ipa-cacert-manage. | Jan Cholasta | 2014-07-30 | 1 | -2/+4
  Part of https://fedorahosted.org/freeipa/ticket/3737
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Allow hashed passwords in DS | Martin Kosek | 2014-07-25 | 1 | -2/+2
  Without nsslapd-allow-hashed-passwords being turned on, user password migration fails.
  https://fedorahosted.org/freeipa/ticket/4450
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Do not require dogtag-pki-server-theme | Martin Kosek | 2014-07-24 | 1 | -1/+0
  Theme package contains resources for PKI web interface. This interface is not needed by FreeIPA as it rather utilizes its API. As recommended in https://bugzilla.redhat.com/show_bug.cgi?id=1068029#c5, remove this hard dependency.
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Update freeipa-server krb5-server dependency to 1.11.5-5 | Nathaniel McCallum | 2014-07-22 | 1 | -1/+1
  Previous versions of libkrb5 can't handle expired passwords inside the FAST tunnel. This breaks the password change UI in FreeIPA.
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Prepare spec for 4.0 release | Martin Kosek | 2014-07-04 | 1 | -48/+4
  - Bump 389-ds-base requires to fix the deref call with new ACIs: https://fedorahosted.org/freeipa/ticket/4389
  - Bump bind-dyndb-ldap Conflicts to fetch the DNSSEC capability
  - Bump selinux-policy to fix the CRL retrieval: https://fedorahosted.org/freeipa/ticket/4369
  - Remove conditionals for Fedora < 20 as FreeIPA 4.0 is not planned to be released on these platforms.
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* test_ipaserver: Add OTP token test data to ipatests package | Petr Viktorin | 2014-07-04 | 1 | -0/+1
  The missing files caused test failures when running tests out of tree.
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Remove python-cherrypy BuildRequires | Martin Kosek | 2014-07-01 | 1 | -1/+0
  As FreeIPA Foreman Smartproxy was moved to separate repo, python-cherrypy is no longer required as a build dependency.
* Remove IPA Foreman Smart Proxy | Rob Crittenden | 2014-07-01 | 1 | -25/+0
  The code has been moved to its own, separate repository at git://git.fedorahosted.org/git/freeipa-foreman-smartproxy.git
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* webui: add sync_otp.html | Petr Vobornik | 2014-06-30 | 1 | -0/+1
  standalone page for OTP token synchronization. It reuses SyncOTPScreen widget instead of reimplementing the logic as in other standalone pages.
  https://fedorahosted.org/freeipa/ticket/4218
  Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* webui: layer for standalone pages which use WebUI framework | Petr Vobornik | 2014-06-30 | 1 | -0/+1
  Current compiled Web UI layer (app.js) contains every FreeIPA plugin and not just the UI framework. It's not possible to start just a simple facet. This commit creates a basis for a layer (core.js) which contains only framework code and not entity related code.
  Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* Add python-yubico to BuildRequires | Martin Kosek | 2014-06-27 | 1 | -0/+1
  python-yubico needs to be on a machine to be able to build FreeIPA. Without it, even ./makeapi and ./makeaci fail.
* Add the otptoken-add-yubikey command | Nathaniel McCallum | 2014-06-26 | 1 | -0/+1
  This command behaves almost exactly like otptoken-add except:
  1. The new token data is written directly to a YubiKey
  2. The vendor/model/serial fields are populated from the YubiKey
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipaplatform: Fix build warnings | Tomas Babej | 2014-06-25 | 1 | -5/+1
  The newly created ipaplatform subdirectories base and fedora were mentioned multiple times in the specfile, which produced build warnings.
  Part of: https://fedorahosted.org/freeipa/ticket/4052
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Add missing ipa-otptoken-import.1.gz to spec file | Alexander Bokovoy | 2014-06-25 | 1 | -0/+1
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Fix packaging issue with doubly specified directories | Alexander Bokovoy | 2014-06-25 | 1 | -1/+1
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Implement OTP token importing | Nathaniel McCallum | 2014-06-25 | 1 | -0/+2
  This patch adds support for importing tokens using RFC 6030 key container files. This includes decryption support. For sysadmin sanity, any tokens which fail to add will be written to the output file for examination. The main use case here is where a small subset of a large set of tokens fails to validate or add. Using the output file, the sysadmin can attempt to recover these specific tokens.

  This code is implemented as a server-side script. However, it doesn't actually need to run on the server. This was done because importing is an odd fit for the IPA command framework:
  1. We need to write an output file.
  2. The operation may be long-running (thousands of tokens).
  3. Only admins need to perform this task and it only happens infrequently.

  https://fedorahosted.org/freeipa/ticket/4261
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fix ipa.service restart | Martin Basti | 2014-06-25 | 1 | -1/+4
  Ticket: https://fedorahosted.org/freeipa/ticket/4243
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Support requests with SAN in cert-request. | Jan Cholasta | 2014-06-24 | 1 | -1/+1
  For each SAN in a request there must be a matching service entry writable by the requestor. Users can request certificates with SAN only if they have "Request Certificate With SubjectAltName" permission.
  https://fedorahosted.org/freeipa/ticket/3977
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* ipaplatform: Change makefiles to accommodate for new platform package | Tomas Babej | 2014-06-16 | 1 | -36/+14
  https://fedorahosted.org/freeipa/ticket/4052
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Python-kerberos update in freeipa.spec.in | Martin Basti | 2014-06-11 | 1 | -2/+1
  Remove duplicated entry in BuildRequires
  Minimal version 1.1-14 is required for ipapython
  Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* webui: activity indicators | Petr Vobornik | 2014-06-10 | 1 | -1/+0
  https://fedorahosted.org/freeipa/ticket/4177
  https://fedorahosted.org/freeipa/ticket/4255
  Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* webui: remove remnants of jquery-ui | Petr Vobornik | 2014-06-10 | 1 | -4/+0
  Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* webui: remove login.html | Petr Vobornik | 2014-06-10 | 1 | -1/+0
  https://fedorahosted.org/freeipa/ticket/4281
  Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* webui: remove logout.html | Petr Vobornik | 2014-06-10 | 1 | -1/+0
  https://fedorahosted.org/freeipa/ticket/4281
  Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* ipalib.version: Add VENDOR_VERSION | Petr Viktorin | 2014-05-27 | 1 | -2/+6
  This will allow us to make vendors' lives easier by embedding a vendor tag to installation logs.
  Part of the work for: https://fedorahosted.org/freeipa/ticket/4219
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Increase Java stack size for Web UI build on aarch64 | Petr Vobornik | 2014-05-26 | 1 | -1/+1
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Clean up Smartproxy support, drop unused code | Rob Crittenden | 2014-05-13 | 1 | -14/+2
  Drop the logrotate file because Apache manages the logs
  Drop the systemd configuration because we run in Apache
  Import json_encode_binary from ipalib
  Fix Requires
  Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* Implement an IPA Foreman smartproxy server | Rob Crittenden | 2014-04-30 | 1 | -1/+42
  This server currently supports only host and hostgroup commands for retrieving, adding and deleting entries.
  The incoming requests are completely unauthenticated and by default requests must be local.
  Utilize GSS-Proxy to manage the TGT.
  Configuration information is in the ipa-smartproxy man page.
  Design: http://www.freeipa.org/page/V3/Smart_Proxy
  https://fedorahosted.org/freeipa/ticket/4128
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* webui: login screen widget | Petr Vobornik | 2014-04-15 | 1 | -0/+1
  Reimplementation of unauthorized dialog into separate widget. It uses RCUE design.
  New features compared to unauthorized dialog:
  - reflects auth methods from `auth` module
  - validation summary
  - differentiates Kerberos auth failure with session expiration
  - Caps Lock warning
  - form based method doesn't allow password only submission
  https://fedorahosted.org/freeipa/ticket/4017
  https://fedorahosted.org/freeipa/ticket/3903
  Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
* freeipa.spec.in: update dependencies to 389-ds and selinux-policy | Alexander Bokovoy | 2014-04-04 | 1 | -3/+3
  389-ds-base 1.3.2.16 implements reordering of sub-plugins based on the ordering of the main plugin. We need it to make OTP working over compat tree.
  selinux-policy 3.12.1-135 fixes issues which prevented httpd to work with kernel keyring-based credentials caches.
  This change is Fedora 20+.
  Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* Add requires for pki-core-10.1.1-1.fc20 | Martin Kosek | 2014-03-28 | 1 | -1/+1
  Fixes PKI installation errors on Fedora 20.
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add missing dependencies to freeipa-python package | Martin Kosek | 2014-03-26 | 1 | -1/+2
  python-pyasn1 and python-qrcode were imported by ipalib but not required by python subpackage.
  https://fedorahosted.org/freeipa/ticket/4275
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Remove dogtag-ipa-retrieve-agent-submit. | Jan Cholasta | 2014-03-25 | 1 | -1/+0
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Add new certmonger CA helper dogtag-ipa-ca-renew-agent. | Jan Cholasta | 2014-03-25 | 1 | -0/+1
  The helper will be used to handle CA-related certificate renewal requests.
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Use certmonger D-Bus API to configure certmonger in CA install. | Jan Cholasta | 2014-03-25 | 1 | -1/+1
  Before, certmonger was configured by modifying its internal database directly.
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Add missing dependency | Nalin Dahyabhai | 2014-03-14 | 1 | -0/+1
  We use Java classes which are bundled with rhino when uglifying Javascript sources at build-time, so we need rhino at build-time.
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Add OTP last token plugin | Nathaniel McCallum | 2014-02-21 | 1 | -0/+2
  This plugin prevents the deletion or deactivation of the last valid token for a user. This prevents the user from migrating back to single factor authentication once OTP has been enabled.
  Thanks to Mark Reynolds for helping me with this patch.
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Update ACIs to permit users to add/delete their own tokens | Nathaniel McCallum | 2014-02-13 | 1 | -3/+3
  https://fedorahosted.org/freeipa/ticket/4087
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Move ipa-otpd socket directory | Nathaniel McCallum | 2014-02-11 | 1 | -1/+1
  https://fedorahosted.org/freeipa/ticket/4167
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Remove working directory for bind-dyndb-ldap plugin. | Petr Spacek | 2014-01-27 | 1 | -1/+0
  The working directory will be provided directly by bind-dyndb-ldap package.
  This partially reverts commit 689382dc833e687d30349b10a8fd7dc740d54d08.
  https://fedorahosted.org/freeipa/ticket/3967