summaryrefslogtreecommitdiffstats
path: root/freeipa.spec.in
Commit message (Collapse)AuthorAgeFilesLines
* Set bind and bind-dyndb-ldap min nvrMartin Kosek2011-09-091-0/+9
| | | | | | | | This is a soft dependency, min nvr version will only be required when bind/bind-dyndb-ldap are installed. https://fedorahosted.org/freeipa/ticket/1121 https://fedorahosted.org/freeipa/ticket/1573
* Set min nvr of 389-ds-base to 1.2.9.7-1 for BZ 728605Rob Crittenden2011-08-301-1/+4
| | | | https://fedorahosted.org/freeipa/ticket/1576
* enable proxy for dogtagAdam Young2011-08-291-0/+3
| | | | | | | | | | | | | | | | | | | Dogtag is going to be proxied through httpd. To make this work, it has to support renegotiation of the SSL connection. This patch enables renegotiate in the nss configuration file during during apache configuration, as well as modifies libnss to set the appropriate optins on the ssl connection in order to renegotiate. The IPA install uses the internal ports instead of proxying through httpd since httpd is not set up yet. IPA needs to Request the certificate through a port that uses authentication. On the Dogtag side, they provide an additional mapping for this: /ca/eeca/ca as opposed tp /ca/ee/ca just for this purpose. https://fedorahosted.org/freeipa/ticket/1334 add flag to pkicreate in order to enable using proxy. add the proxy file in /etc/http/conf.d/ Signed-off-by: Simo Sorce <ssorce@redhat.com>
* Set min nvr of pki-ca to 9.0.12 for fix in BZ 700505Rob Crittenden2011-08-281-3/+6
| | | | https://fedorahosted.org/freeipa/ticket/1686
* daemons: Remove ipa_kpasswdSimo Sorce2011-08-261-9/+6
| | | | | | Now that we have our own database we can properly enforce stricter constraints on how the db can be changed. Stop shipping our own kpasswd daemon and instead use the regular kadmin daemon.
* ipa-kdb: Initial plugin skeletonSimo Sorce2011-08-261-0/+2
|
* Add subscription-manager dependency for RHEL.Jan Cholasta2011-08-231-0/+6
| | | | ticket 1664
* Update pki-ca versionMartin Kosek2011-08-121-2/+3
| | | | | | | Bump minimal pki-ca version in spec file to get fix for ipa cert-request command. https://fedorahosted.org/freeipa/ticket/1578
* Update 389-ds-base versionMartin Kosek2011-08-111-2/+6
| | | | | | | | | Bump minimal 389-ds-base version in spec file to get in recent Directory Server bug fixes. https://fedorahosted.org/freeipa/ticket/1513 https://fedorahosted.org/freeipa/ticket/1525 https://fedorahosted.org/freeipa/ticket/1552
* Fix client enrollmentMartin Kosek2011-08-111-2/+27
| | | | | | | | Enable GSSAPI credentials delegation in xmlrpc-c/curl to fix client enrollment. The unconditional GSSAPI was previously dropped from curl because of CVE-2011-2192. https://fedorahosted.org/freeipa/ticket/1452
* Fixed missing icons.Endi S. Dewata2011-08-021-0/+4
| | | | | | | The Makefile.am and the spec file have been fixed to include all icons in the install/ui folder. Ticket #1559
* Fix date order in changelog.Rob Crittenden2011-07-281-1/+1
|
* Add hbactest command. https://fedorahosted.org/freeipa/ticket/386Alexander Bokovoy2011-07-281-0/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | HBAC rules control who can access what services on what hosts and from where. You can use HBAC to control which users or groups on a source host can access a service, or group of services, on a target host. Since applying HBAC rules implies use of a production environment, this plugin aims to provide simulation of HBAC rules evaluation without having access to the production environment. Test user coming from source host to a service on a named host against existing enabled rules. ipa hbactest --user= --srchost= --host= --service= [--rules=rules-list] [--nodetail] [--enabled] [--disabled] --user, --srchost, --host, and --service are mandatory, others are optional. If --rules is specified simulate enabling of the specified rules and test the login of the user using only these rules. If --enabled is specified, all enabled HBAC rules will be added to simulation If --disabled is specified, all disabled HBAC rules will be added to simulation If --nodetail is specified, do not return information about rules matched/not matched. If both --rules and --enabled are specified, apply simulation to --rules _and_ all IPA enabled rules. If no --rules specified, simulation is run against all IPA enabled rules. EXAMPLES: 1. Use all enabled HBAC rules in IPA database to simulate: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 2. Disable detailed summary of how rules were applied: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail -------------------- Access granted: True -------------------- 3. Test explicitly specified HBAC rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: myrule 4. Use all enabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 5. Test all disabled HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled --------------------- Access granted: False --------------------- notmatched: new-rule 6. Test all disabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule 7. Test all (enabled and disabled) HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule notmatched: new-rule matched: allow_all Only rules existing in IPA database are tested. They may be in enabled or disabled disabled state. Specifying them through --rules option explicitly enables them only in simulation run. Specifying non-existing rules will not grant access and report non-existing rules in output.
* Set minimum version of pki-ca to 9.0.10 to pick up new ipa cert profileRob Crittenden2011-07-291-2/+6
| | | | | | | The caIPAserviceCert.cfg was updated to set the client cert flag on server certs we issue. https://fedorahosted.org/freeipa/ticket/1434
* Add an arch-specific Requires on cyrus-sasl-gssapiRob Crittenden2011-07-241-2/+5
| | | | | | | | If you had a 64-bit system and installed a 32-bit version of IPA then ipa-getkeytab probably wouldn't work because yum wouldn't know to pull in the 32-bit version of cyrus-sasl-gssapi. https://fedorahosted.org/freeipa/ticket/1499
* Removed custom layouts using HTML templates.Endi S. Dewata2011-07-211-3/+0
| | | | | | | The code for supporting custom layouts using HTML templates has been removed. If it's needed again in the future the code can be restored. Ticket #1501
* Update minimum required version of python-netaddr.Jan Cholasta2011-07-171-0/+8
| | | | ticket 1288
* Create tool to manage dogtag replication agreementsRob Crittenden2011-07-171-1/+6
| | | | | | | | | | | | | | | | | | | | For the most part the existing replication code worked with the following exceptions: - Added more port options - It assumed that initial connections were done to an SSL port. Added ability to use startTLS - It assumed that the name of the agreement was the same on both sides. In dogtag one is marked as master and one as clone. A new option is added, master, the determines which side we're working on or None if it isn't a dogtag agreement. - Don't set the attribute exclude list on dogtag agreements - dogtag doesn't set a schedule by default (which is actually recommended by 389-ds). This causes problems when doing a force-sync though so if one is done we set a schedule to run all the time. Otherwise the temporary schedule can't be removed (LDAP operations error). https://fedorahosted.org/freeipa/ticket/1250
* HBAC deny warningAdam Young2011-07-061-0/+7
| | | | | | | | shows dialog if there are any HBAC deny rules. Dialog provides option to navigate to the HBAC page. Deny rules have their rule type value show up in red. Only shows up fro administrators, not for self service users. https://fedorahosted.org/freeipa/ticket/1421
* Make dogtag an optional (and default un-) installed component in a replica.Rob Crittenden2011-06-231-0/+5
| | | | | | | | | | | | | | A dogtag replica file is created as usual. When the replica is installed dogtag is optional and not installed by default. Adding the --setup-ca option will configure it when the replica is installed. A new tool ipa-ca-install will configure dogtag if it wasn't configured when the replica was initially installed. This moves a fair bit of code out of ipa-replica-install into installutils and cainstance to avoid duplication. https://fedorahosted.org/freeipa/ticket/1251
* Multi-process build problemsMartin Kosek2011-06-191-2/+2
| | | | | | | | Fix a problem when a target missed a version-update requirement. This caused build problems, especially in a parallel build environment. https://fedorahosted.org/freeipa/ticket/1215
* Fixed build break.Endi S. Dewata2011-06-151-1/+4
| | | | | The Makefile.am freeipa.spec.in have been updated according to the recent file changes.
* Connection check program for replica installationMartin Kosek2011-06-081-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | When connection between a master machine and future replica is not sane, the replica installation may fail unexpectedly with inconvenient error messages. One common problem is misconfigured firewall. This patch adds a program ipa-replica-conncheck which tests the connection using the following procedure: 1) Execute the on-replica check testing the connection to master 2) Open required ports on local machine 3) Ask user to run the on-master part of the check OR run it automatically: a) kinit to master as default admin user with given password b) run the on-master part using ssh 4) When master part is executed, it checks connection back to the replica and prints the check result This program is run by ipa-replica-install as mandatory part. It can, however, be skipped using --skip-conncheck option. ipa-replica-install now requires password for admin user to run the command on remote master. https://fedorahosted.org/freeipa/ticket/1107
* Parse netmasks in IP addresses passed to server install.Jan Cholasta2011-05-301-0/+1
| | | | ticket 1212
* Update min nvr for selinux-policy and pki-ca for F-15+Rob Crittenden2011-05-131-2/+15
| | | | | | Done with conditionals so still installable on F-14. ticket 1200
* Update spec with missing BuildRequires for pylint checkMartin Kosek2011-05-051-0/+6
| | | | https://fedorahosted.org/freeipa/ticket/1203
* Bump version to 2.0.90 to distinguish between 2.0.xRob Crittenden2011-05-031-0/+3
|
* Fix ORDERING in some attributetypes and remove other unnecessary elements.Rob Crittenden2011-04-051-3/+6
| | | | | | | | | | | Looking at the schema in 60basev2.ldif there were many attributes that did not have an ORDERING matching rule specified correctly. There were also a number of attributeTypes that should have been just SUP distinguishedName that had a combination of SUP, SYNTAX, ORDERING, etc. This requires 389-ds-base-1.2.8.0-1+ ticket 1153
* Automatically update IPA LDAP on rpm upgradesRob Crittenden2011-03-211-1/+7
| | | | | | | | | | | | | | | Re-enable ldapi code in ipa-ldap-updater and remove the searchbase restriction when run in --upgrade mode. This allows us to autobind giving root Directory Manager powers. This also: * corrects the ipa-ldap-updater man page * remove automatic --realm, --server, --domain options * handle upgrade errors properly * saves a copy of dse.ldif before we change it so it can be recovered * fixes an error discovered by pylint ticket 1087
* Add man page for the IPA configuration fileRob Crittenden2011-02-231-0/+1
| | | | ticket 969
* Move some BuildRequires so building with ONLY_CLIENT works.Rob Crittenden2011-02-221-14/+14
| | | | ticket 978
* Make nsslib IPv6 awareJakub Hrozek2011-02-211-1/+4
|
* Try to register DNS name through a DNS Update on install.Simo Sorce2011-02-171-0/+1
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/935
* Move tools that are really only applicable to be run on the serverRob Crittenden2011-02-141-8/+8
| | | | | | | This moves a bunch of tools that only make sense to run on the actual server from the admintools subpackage to the server subpackage. ticket 947
* Add pyOpenSSL as a BuildRequiresRob Crittenden2011-02-111-0/+1
|
* Set minimum version of sssd to 1.5.1Rob Crittenden2011-02-101-1/+4
| | | | ticket 926
* Remove unnecessary BuildRequires from the specfile.Jan Cholasta2011-02-101-2/+0
|
* Update minimum version of 389-ds-base, mod_nss and selinux-policy.Rob Crittenden2011-02-031-4/+9
| | | | | | * Set min version of 389-ds-base to 1.2.8 * Set min version of mod_nss 1.0.8-10 * Set min version of selinux-policy to 3.9.7-27
* Add support for tracking and counting entitlementsRob Crittenden2011-02-021-0/+5
| | | | | | | | | | | | | | Adds a plugin, entitle, to register to the entitlement server, consume entitlements and to count and track them. It is also possible to import an entitlement certificate (if for example the remote entitlement server is unaviailable). This uses the candlepin server from https://fedorahosted.org/candlepin/wiki for entitlements. Add a cron job to validate the entitlement status and syslog the results. tickets 28, 79, 278
* Apply changes discovered in Fedora package review process (#672986)Rob Crittenden2011-01-271-16/+19
| | | | Ticket 804
* Add requires for the pkiSimo Sorce2011-01-271-0/+2
| | | | First part of: https://fedorahosted.org/freeipa/ticket/855
* error handling styleAdam Young2011-01-251-1/+9
| | | | modifying the directories so they find the assets in the right locations
* Rename package to freeipaJan Zeleny2011-01-251-0/+784
https://fedorahosted.org/freeipa/ticket/581