path: root/install/share
Commit message | Author | Age | Files | Lines
* ipa-adtrust-install: configure host netbios name by default | Alexander Bokovoy | 2014-01-20 | 1 | -0/+1
    Ensure we set host netbios name by default in smb.conf
    https://fedorahosted.org/freeipa/ticket/4116
* acl: Remove krbPrincipalExpiration from list of admin's excluded attrs | Tomas Babej | 2014-01-14 | 1 | -1/+1
    Since we're exposing the krbPrincipalExpiration attribute for direct editing in the CLI, remove it from the list of attributes that admin cannot edit by default.
    Part of: https://fedorahosted.org/freeipa/ticket/3306
* Use /usr/bin/python2 | Xiao-Long Chen | 2014-01-03 | 1 | -1/+1
    Part of the effort to port FreeIPA to Arch Linux, where Python 3 is the default. FreeIPA hasn't been ported to Python 3, so the code must be modified to run /usr/bin/python2
    https://fedorahosted.org/freeipa/ticket/3438
    Updated by pviktori@redhat.com
* Add new permission schema | Petr Viktorin | 2013-12-13 | 1 | -0/+9
    Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
    Design: http://www.freeipa.org/page/V3/Permissions_V2
* Allow kernel keyring CCACHE when supported | Martin Kosek | 2013-12-09 | 1 | -1/+1
    Server and client installer should allow kernel keyring ccache when supported.
    https://fedorahosted.org/freeipa/ticket/4013
* Add RADIUS proxy support to ipalib CLI | Nathaniel McCallum | 2013-12-03 | 1 | -1/+1
    https://fedorahosted.org/freeipa/ticket/3368
* Add userClass attribute for users | Ana Krivokapic | 2013-11-19 | 1 | -0/+1
    This new freeform user attribute will allow provisioning systems to add custom tags for user objects which can be later used for automember rules or for additional local interpretation.
    Design page: http://www.freeipa.org/page/V3/Integration_with_a_provisioning_systems
    https://fedorahosted.org/freeipa/ticket/3588
* Unify capitalization of attribute names in schema files | Petr Viktorin | 2013-11-18 | 3 | -19/+19
    Due to a bug[0], python-ldap doesn't parse schema LDIF files correctly if they use inconsistent capitalization. This patch works around the bug in IPA schema files.
    [0] https://bugzilla.redhat.com/show_bug.cgi?id=1007820
    Note: git's --word-diff option is recommended for viewing these changes
* Add formerly update-only schema | Petr Viktorin | 2013-11-18 | 4 | -1/+42
    Some schema was only delivered in updates. Add it back as ldif files.
    https://fedorahosted.org/freeipa/ticket/3454
* Make schema files conform to new updater | Petr Viktorin | 2013-11-18 | 7 | -20/+20
    The new schema updater only compares textual representations of schema elements, as formatted by python-ldap. This works well, but it is too strict for the current schema files in two ways:
    - For attribute names in MAY and MUST, the correct letter case must be used
    - AttributeTypes must specify explicit EQUALITY and SYNTAX fields even if they are the same as its supertype's.
    When these restrictions are not followed, the updater will always overwrite the schema element. This is harmless but it fills up the log unnecessarily.
    Modify the schema files to conform to these restrictions.
    Part of the work for https://fedorahosted.org/freeipa/ticket/3454
    Note: git's --word-diff option is recommended for viewing these changes
* Do not add kadmin/changepw ACIs on new installs | Martin Kosek | 2013-10-25 | 1 | -1/+0
    These ACIs were needed when FreeIPA had a custom ipa_kpasswd daemon; now that a standard kadmin is used, ACIs are not needed anymore as kadmin uses the same driver as the KDC. The ACIs are not removed on upgrades to avoid breaking older replicas which may still use a FreeIPA version with the ipa_kpasswd daemon.
    https://fedorahosted.org/freeipa/ticket/3987
* Add ipa-advise plugins for nss-pam-ldapd legacy clients | Ana Krivokapic | 2013-10-18 | 5 | -3/+52
    Add three new ipa-advise plugins, to facilitate configuration of legacy clients using nss-pam-ldapd:
    * config-redhat-nss-pam-ldapd
    * config-generic-linux-nss-pam-ldapd
    * config-freebsd-nss-pam-ldapd
    https://fedorahosted.org/freeipa/ticket/3672
* Remove --no-serial-autoincrement | Martin Kosek | 2013-10-11 | 1 | -1/+1
    Deprecate this option and do not offer it in installation tools. Without this option enabled, advanced DNS features like DNSSEC would not work.
    https://fedorahosted.org/freeipa/ticket/3962
* Fix nsslapdPlugin object class after initial replication. | Jan Cholasta | 2013-09-10 | 2 | -0/+8
    This is a workaround for <https://fedorahosted.org/389/ticket/47490>.
    https://fedorahosted.org/freeipa/ticket/3915
* Add timestamps to named debug logs in /var/named/data/named.run | Petr Spacek | 2013-09-06 | 1 | -0/+1
* Fix selected minor issues in the spec file and license | Martin Kosek | 2013-08-13 | 2 | -4/+4
    This patch fixes:
    - too long description for server-trust-ad subpackage
    - adds (noreplace) flag to %{_sysconfdir}/tmpfiles.d/ipa.conf to avoid overwriting potential user changes
    - changes permissions on default_encoding_utf8.so to prevent it from polluting python subpackage Provides.
    - wrong address in GPL v2 license preamble in 2 distributed files
    https://fedorahosted.org/freeipa/ticket/3855
* Remove support for IPA deployments with no persistent search | Tomas Babej | 2013-08-09 | 1 | -2/+0
    Drops the code from ipa-server-install, ipa-dns-install and the BindInstance itself. Also changed ipa-upgradeconfig script so that it does not set zone_refresh to 0 on upgrades, as the option is deprecated.
    https://fedorahosted.org/freeipa/ticket/3632
* Handle --subject option in ipa-server-install | Ana Krivokapic | 2013-08-08 | 1 | -2/+2
    Properly handle --subject option of ipa-server-install, making sure this value gets passed to certmap.conf. Introduce a new template variable $SUBJECT_BASE for this purpose. Also make sure that this value is preserved on upgrades.
    https://fedorahosted.org/freeipa/ticket/3783
* Add ipa-advise plugins for legacy clients | Ana Krivokapic | 2013-08-07 | 5 | -0/+71
    Old versions of SSSD do not directly support cross-realm trusts between IPA and AD. This patch introduces plugins for the ipa-advise tool, which should help with configuring an old version of SSSD (1.5-1.8) to gain access to resources in trusted domain.
    Since the configuration steps differ depending on whether the platform includes the authconfig tool, two plugins are needed:
    * config-redhat-sssd-before-1-9 - provides configuration for Red Hat based systems, as these systems include the authconfig utility
    * config-generic-sssd-before-1-9 - provides configuration for other platforms
    https://fedorahosted.org/freeipa/ticket/3671
    https://fedorahosted.org/freeipa/ticket/3672
* Add Camellia ciphers to allowed list. | Rob Crittenden | 2013-07-18 | 1 | -0/+4
    https://fedorahosted.org/freeipa/ticket/3749
* Fix for small syntax error in OTP schema | Nathaniel McCallum | 2013-07-11 | 1 | -1/+1
    https://fedorahosted.org/freeipa/ticket/3765
* Permit reads to ipatokenRadiusProxyUser objects | Nathaniel McCallum | 2013-07-11 | 1 | -1/+1
    This fixes an outstanding permissions issue from the OTP work.
    https://fedorahosted.org/freeipa/ticket/3693
* Add missing equality index for ipaUniqueId. | Jan Cholasta | 2013-07-11 | 1 | -0/+8
    https://fedorahosted.org/freeipa/ticket/3743
* Add missing substring indices for attributes managed by the referint plugin. | Jan Cholasta | 2013-07-11 | 1 | -0/+11
    The referint plugin does a substring search on these attributes each time an entry is deleted, which causes a noticeable slowdown for large directories if the attributes are not indexed.
    https://fedorahosted.org/freeipa/ticket/3706
* Enable SASL mapping fallback. | Jan Cholasta | 2013-06-27 | 2 | -0/+5
    Assign a default priority of 10 to our SASL mappings.
    https://fedorahosted.org/freeipa/ticket/3330
* Remove entitlement support | Martin Kosek | 2013-06-26 | 2 | -86/+0
    Entitlements code was not tested nor supported upstream since version 3.0. Remove the associated code.
    https://fedorahosted.org/freeipa/ticket/3739
* Add ipaRangeType attribute to LDAP Schema | Tomas Babej | 2013-06-10 | 2 | -1/+3
    This adds a new LDAP attribute ipaRangeType with OID 2.16.840.1.113730.3.8.11.41 to the LDAP Schema. ObjectClass ipaIDrange has been altered to require ipaRangeType attribute.
    Part of https://fedorahosted.org/freeipa/ticket/3647
* Add IPA OTP schema and ACLs | Nathaniel McCallum | 2013-05-17 | 4 | -1/+39
    This commit adds schema support for two factor authentication via OTP devices, including RADIUS or TOTP. This schema will be used by future patches which will enable two factor authentication directly.
    https://fedorahosted.org/freeipa/ticket/3365
    http://freeipa.org/page/V3/OTP
* Add ipaUserAuthType and ipaUserAuthTypeClass | Nathaniel McCallum | 2013-05-17 | 1 | -0/+2
    This schema addition will be useful for future commits. It allows us to define permitted external authentication methods on both the user and global config. The implementation is generic, but the immediate usage is for otp support.
    https://fedorahosted.org/freeipa/ticket/3365
    http://freeipa.org/page/V3/OTP
* Fix syntax errors in schema files | Petr Viktorin | 2013-04-26 | 2 | -2/+2
    - add missing closing parenthesis in idnsRecord declaration
    - remove extra dollar sign from ipaSudoRule declaration
    - handle missing/extraneous X-ORIGIN lines in 10-selinuxusermap.update
    This does not use the schema updater because the syntax needs to be fixed in the files themselves, otherwise 389 1.3.2+ will fail to start. Older DS versions transparently fix the syntax errors.
    The existing ldap-updater directive for ipaSudoRule is fixed (ldap-updater runs after upgradeconfig).
    https://fedorahosted.org/freeipa/ticket/3578
* Fix syntax of the dc attributeType | Petr Viktorin | 2013-04-26 | 1 | -1/+1
    dc syntax is changed from Directory String to IA5 String to conform to RFC 2247.
    Part of the work for https://fedorahosted.org/freeipa/ticket/3578
* Add userClass attribute for hosts | Martin Kosek | 2013-04-26 | 1 | -1/+1
    This new freeform host attribute will allow provisioning systems to add custom tags for host objects which can be later used in automember rules or for additional local interpretation.
    Design page: http://www.freeipa.org/page/V3/Integration_with_a_provisioning_systems
    Ticket: https://fedorahosted.org/freeipa/ticket/3583
* Use A/AAAA records instead of CNAME records in ipa-ca. | Jan Cholasta | 2013-04-15 | 1 | -1/+1
    https://fedorahosted.org/freeipa/ticket/3547
* Remove 'cn' attribute from idnsRecord and idnsZone objectClasses | Petr Viktorin | 2013-04-10 | 1 | -1/+1
    A commonName attribute has no meaning in DNS records.
    https://fedorahosted.org/freeipa/ticket/3514
* Change CNAME and DNAME attributes to single valued | Martin Kosek | 2013-04-02 | 1 | -2/+2
    These DNS attributeTypes are of a singleton type, update LDAP schema to reflect it.
    https://fedorahosted.org/freeipa/ticket/3440
    https://fedorahosted.org/freeipa/ticket/3450
* Add Kerberos ticket flags management to service and host plugins. | Jan Cholasta | 2013-03-29 | 1 | -1/+1
    https://fedorahosted.org/freeipa/ticket/3329
* Put pid-file to named.conf | Martin Kosek | 2013-03-29 | 1 | -0/+1
    Fedora 19 has split /var/run and /run directories while in Fedora 18 it used to be a symlink. Thus, named may expect its PID file to be in another directory than it really is and fail to start.
    Add pid-file configuration option to named.conf both for new installations and for upgraded machines.
* Use tkey-gssapi-keytab in named.conf | Martin Kosek | 2013-03-14 | 1 | -2/+1
    Remove obsolete BIND GSSAPI configuration options tkey-gssapi-credential and tkey-domain and replace them with tkey-gssapi-keytab which avoids unnecessary Kerberos checks on BIND startup and can cause issues when KDC is not available.
    Both new and current IPA installations are updated.
    https://fedorahosted.org/freeipa/ticket/3429
* Extend ipa-replica-manage to be able to manage DNA ranges. | Rob Crittenden | 2013-03-13 | 2 | -0/+14
    Attempt to automatically save DNA ranges when a master is removed. This is done by trying to find a master that does not yet define a DNA on-deck range. If one can be found then the range on the deleted master is added. If one cannot be found then it is reported as an error.
    Some validation of the ranges is done to ensure that they do overlap an IPA local range and do not overlap existing DNA ranges configured on other masters.
    http://freeipa.org/page/V3/Recover_DNA_Ranges
    https://fedorahosted.org/freeipa/ticket/3321
* Change DNA magic value to -1 to make UID 999 usable | Petr Viktorin | 2013-03-11 | 2 | -2/+2
    Change user-add's uid & gid parameters from autofill to optional. Change the DNA magic value to -1.
    For old clients, which will still send 999 when they want DNA assignment, translate the 999 to -1. This is done via a new capability, optional_uid_params.
    Tests included
    https://fedorahosted.org/freeipa/ticket/2886
* Remove disabled entries from sudoers compat tree. | Jan Cholasta | 2013-03-06 | 1 | -1/+1
    The removal is triggered by generating an invalid RDN when ipaEnabledFlag of the original entry is FALSE.
    https://fedorahosted.org/freeipa/ticket/3437
* Fix includedir directive in krb5.conf template | Martin Kosek | 2013-02-28 | 1 | -1/+1
    We did not have the includedir directory with a trailing slash which made rpm update add a redundant line.
    https://fedorahosted.org/freeipa/ticket/3132
* Remove ORDERING for IA5 attributeTypes | Martin Kosek | 2013-02-27 | 1 | -3/+3
    IA5 string syntax does not have a compatible ORDERING matching rule. Simply use default ORDERING for these attributeTypes as we already do in other cases.
    https://fedorahosted.org/freeipa/ticket/3398
* Add missing v3 schema on upgrades, fix typo in schema. | Rob Crittenden | 2013-02-22 | 1 | -9/+9
    Add missing ipaExternalMember attribute and ipaExternalGroup objectclass.
    Replace mis-spelled ORDERING value on new install and upgrades.
    https://fedorahosted.org/freeipa/ticket/3398
* Add SID blacklist attributes | Martin Kosek | 2013-02-12 | 1 | -1/+3
    Update our LDAP schema and add 2 new attributes for SID blacklist definition. These new attributes can now be set per-trust with trustconfig command.
    https://fedorahosted.org/freeipa/ticket/3289
* Update anonymous access ACI to protect secret attributes. | Rob Crittenden | 2013-01-23 | 1 | -1/+1
    Update anonymous access ACI so that no users besides Trust Admins users can read AD Trust key attributes (ipaNTTrustAuthOutgoing, ipaNTTrustAuthIncoming).
    The change is applied both for updated IPA servers and new installations.
* Upload CA cert in the directory on install | Simo Sorce | 2013-01-23 | 2 | -1/+9
    This will later allow clients to securely download the CA cert by performing mutual auth using LDAP with GSSAPI
* Add OCSP and CRL URIs to certificates | Martin Kosek | 2012-12-07 | 1 | -0/+3
    Modify the default IPA CA certificate profile to include CRL and OCSP extensions which will add URIs to IPA CRL&OCSP to published certificates.
    Both CRL and OCSP extensions have 2 URIs, one pointing directly to the IPA CA which published the certificate and one to a new CNAME ipa-ca.$DOMAIN which was introduced as a general CNAME pointing to all IPA replicas which have CA configured.
    The new CNAME is added either during new IPA server/replica/CA installation or during upgrade.
    https://fedorahosted.org/freeipa/ticket/3074
    https://fedorahosted.org/freeipa/ticket/1431
* Specify includedir in krb5.conf on new installs | Jakub Hrozek | 2012-12-06 | 1 | -0/+2
    https://fedorahosted.org/freeipa/ticket/3132
* Update certmap.conf on IPA upgrades | Petr Viktorin | 2012-11-23 | 1 | -1/+5
    This brings /etc/dirsrv/slapd-REALM/certmap.conf under IPA control. The file is overwritten on upgrades.
    This ensures that the cert for the ipaca user is recognized when ipa-ca-install is run on older masters.