summaryrefslogtreecommitdiffstats
path: root/install
Commit message (Collapse)AuthorAgeFilesLines
* Pull translation files from TransifexPetr Viktorin2012-10-1114-2862/+4444
| | | | | | | Patch generated by: cd install/po make pull-po make update-po
* Explicitly disable betxn plugins for the time being.Rob Crittenden2012-10-104-0/+100
| | | | | | | | This should work with 389-ds-base 1.2.x and 1.3.0. Without other plugin changes 389-ds-base can deadlock. https://fedorahosted.org/freeipa/ticket/3046
* Configure the initial CA as the CRL generator.Rob Crittenden2012-10-092-2/+12
| | | | | | | | Any installed clones will have CRL generation explicitly disabled. It is a manual process to make a different CA the CRL generator. There should be only one. https://fedorahosted.org/freeipa/ticket/3051
* Create Firefox extension on upgrade and replica-installPetr Viktorin2012-10-102-0/+14
| | | | | | | | If the signing cert is not available, create an unsigned extension. Add a zip dependency to the specfile. https://fedorahosted.org/freeipa/ticket/3150
* replica-install: Don't copy Firefox config extension files if they're not in ↵Petr Viktorin2012-10-101-2/+6
| | | | | | | | the replica file This allows cloning from older masters. https://fedorahosted.org/freeipa/ticket/3150
* ipa-upgradeconfig: Remove the upgrade_httpd_selinux functionPetr Viktorin2012-10-101-8/+0
| | | | This function was never called from anywhere.
* Add cifs principal to S4U2Proxy targets only when running ipa-adtrust-installAlexander Bokovoy2012-10-094-18/+2
| | | | | | | | | | | Since CIFS principal is generated by ipa-adtrust-install and is only usable after setting CIFS configuration, there is no need to include it into default setup. This should fix upgrades from 2.2 to 3.0 where CIFS principal does not exist by default. https://fedorahosted.org/freeipa/ticket/3041
* Fix CS replication management.Rob Crittenden2012-10-091-18/+40
| | | | | | | | | | | | | | | | | The master side should be on the local side, replica1, not the remote. This required reversing a few master variables. This impacts the naming of the replication agreements. When deleting an agreement pass in the DN of that agreement rather than trying to calculate what it is on-the-fly. We cannot be sure which side is the master/clone and since we search for it anyway to determine if the agreement exists it is more correct to use what we find. The force flag wasn't being passed into del_link so there was no way to force a deletion. https://fedorahosted.org/freeipa/ticket/2858
* Fix CA CRL migration crash in ipa-upgradeconfigMartin Kosek2012-10-101-14/+29
| | | | | | | | | | | | | | | | | CRL migrate procedure did not check if a CA was actually configured on an updated master/replica. This caused ipa-upgradeconfig to crash on replicas without a CA. Make sure that CRL migrate procedure is not run when CA is not configured on given master. Also add few try..except clauses to make the procedure more robust. There is also a small refactoring of "<service> is not configured" log messages, so that they have matching log level and message. dogtag.py constants were updated to have a correct path to new CRL directory on Fedora 18 (dogtag 10). https://fedorahosted.org/freeipa/ticket/3159
* Set renewal time for the CA audit certificate to 720 days.Rob Crittenden2012-10-091-7/+14
| | | | | | | | The initial certificate is issued for two years but renewals are for six months for some reason. This fixes it for new and updated IPA installs. https://fedorahosted.org/freeipa/ticket/2951
* Add uniqueness plugin configuration for sudorule cnRob Crittenden2012-10-083-0/+35
| | | | | | | | | We do a search looking for duplicate values but this leaves open the possibility that two adds are happening at the same time so both searches return NotFound therefore we get two entries with the same cn value. https://fedorahosted.org/freeipa/ticket/3017
* Move CRL publish directory to IPA owned directoryMartin Kosek2012-10-093-11/+97
| | | | | | | | | | | | | | | | | | | | | | | Currently, CRL files are being exported to /var/lib/pki-ca sub-directory, which is then served by httpd to clients. However, this approach has several disadvantages: * We depend on pki-ca directory structure and relevant permissions. If pki-ca changes directory structure or permissions on upgrade, IPA may break. This is also a root cause of the latest error, where the pki-ca directory does not have X permission for others and CRL publishing by httpd breaks. * Since the directory is not static and is generated during ipa-server-install, RPM upgrade of IPA packages report errors when defining SELinux policy for these directories. Move CRL publish directory to /var/lib/ipa/pki-ca/publish (common for both dogtag 9 and 10) which is created on RPM upgrade, i.e. SELinux policy configuration does not report any error. The new CRL publish directory is used for both new IPA installs and upgrades, where contents of the directory (CRLs) is first migrated to the new location and then the actual configuration change is made. https://fedorahosted.org/freeipa/ticket/3144
* Add mime type to httpd ipa.conf for xpi exetensionPetr Vobornik2012-10-091-1/+2
| | | | | | Some configuration doesn't give proper mime type to xpi files. This patch explicitly sets it. https://fedorahosted.org/freeipa/ticket/3094
* Minor fixes for default SMB groupMartin Kosek2012-10-091-1/+1
| | | | | | | | This patch contains additional minor fixes which were proposed during review but were not pushed (accidentaly). Also amends a name of the default SMB group in a list of protected groups in group.py. https://fedorahosted.org/freeipa/ticket/3147
* ipa-adtrust-install: create fallback group with ldif fileSumit Bose2012-10-092-0/+9
| | | | | | | | | | Currently the framework is used to add the group but we want to avoid that users are added explicitly to the group by removing the objectclasses groupofnames, ipausergroup and nestedgroup and we want to use a name with spaces in it. Both it not easy possible with the framework, a LDIF file is used instead to create the group. Fixes https://fedorahosted.org/freeipa/ticket/3147
* support multi-line error messages in exceptionsAlexander Bokovoy2012-10-092-7/+33
|
* Add new ipaIDobject to DNA plugin configuratonSumit Bose2012-10-042-1/+6
|
* Add SIDs for existing users and groups at the end of ipa-adtrust-installSumit Bose2012-10-042-1/+14
| | | | Fixes https://fedorahosted.org/freeipa/ticket/3104
* Removal of delegation-uris instruction from browser configPetr Vobornik2012-10-041-1/+0
| | | | | | Delegation is not needed since support of s4u2proxy mechanism. https://fedorahosted.org/freeipa/ticket/3094
* Configuration pages changed to use new FF extensionPetr Vobornik2012-10-0411-47/+541
| | | | | | | | | | | | | | | browserconfig.html was changed to use new FF extension. The page is completely Firefox specific therefore the title was changed from 'Configure browser' to 'Firefox configuration'. Instruction to import CA cert in unauthorized.html are FF specific too, so they were moved to browserconfig.html. Unauthorized.html text was changed to distinguish FF config and other browsers. Now the page shows link for FF (browserconfig.html) and other browsers (ssbrowser.html). Ssbrowser.html should be enhanced by more configurations and browsers later [1]. Old configuration method was moved to ssbrowser.html. Unauthorized dialog in Web UI now links to http://../unauthorized.html instead of https. This change is done because of FF strange handling of extension installations from https sites [2]. Firefox allows ext. installation from https sites only when the certificate is signed by some build-in CA. To allow custom CAs an option in about:config has to be changed which don't help us at all because we wants to avoid manual changes in about:config. The design of browserconfig is inspired by Kyle Baker's design (2.1 Enhancements_v2.odt). It is not exactly the same. Highlighting of the steps wasn't used because in some cases we can switch some steps. Ticket: https://fedorahosted.org/freeipa/ticket/3094 [1] https://fedorahosted.org/freeipa/ticket/823 [2] https://bugzilla.mozilla.org/show_bug.cgi?id=688383
* Build and installation of Kerberos authentication extensionPetr Vobornik2012-10-044-1/+8
| | | | | | | | | | | | This patch is adding a build of kerberosauth.xpi (FF Kerberos authentication extension). Currently the build is done in install phase of FreeIPA server. It is to allow signing of the extension by singing certificate. The signing might not be necessary because the only outcome is that in extension installation FF doesn't show that the maker is not verified. It shows text: 'Object signing cert'. This might be a bug in httpinstance.py:262(db.create_signing_cert("Signing-Cert", "Object Signing Cert", ca_db)) The value is in place of hostname parameter. If the extension is not signed, it can be created in rpm build phase, which should make upgrades easier. Current implementation doesn't handle upgrades yet. In order to keep extension and config pages not dependent on a realm, a krb.js.teplate file was created. This template is used for creating a /usr/share/ipa/html/krb.js file in install phase which holds FreeIPA's realm and domain information. This information can be then used by config pages by importing this file. Ticket: https://fedorahosted.org/freeipa/ticket/3094
* Kerberos authentication extension makefilesPetr Vobornik2012-10-047-0/+100
| | | | | | Makefiles for new FF kerberos authentication extension ihttps://fedorahosted.org/freeipa/ticket/3094
* Kerberos authentication extensionPetr Vobornik2012-10-046-0/+306
| | | | | | | | | | | | | | | | | | | The extension should replace signed code (configure.jar) used for Firefox configuration. Using privileged code is not possible since Firefox 15 [1] [2]. Extension is bootstrapped which means it can be used without browser restart on Firefox 4 and later. How it works: Extension listens on each page's document element for event 'kerberos-auth-config' which should be raised on custom data element. Communication data is transferred through data element's attributes [3]. The only required attribute is 'method'. Currently there are two possible values: 'configure' and 'can_configure'. 'can_configure' method serves for detecting if the extension is installed. 'configure' method does the actual configuration. Possible optional options for 'configure' can be found in kerberosauth.js:kerberosauth.config_options. Currently they are: 'referer', 'native_gss_lib', 'trusted_uris', 'allow_proxies'. Result of a method is stored in data element's 'answer' attribute. When 'configure' method is used, the extension asks the user if he wants to configure the browser, it should prevent silent configuration by malicious pages. Possible enhancement: * add UI for manual edit * more configurations ie. for gss_lib, sspi (good with UI or with enhanced config page) * introspection of client (read ipa client install config and such) Ticket: https://fedorahosted.org/freeipa/ticket/3094 [1] https://bugzilla.mozilla.org/show_bug.cgi?id=546848 [2] https://bugzilla.mozilla.org/show_bug.cgi?id=757046 [3] https://developer.mozilla.org/en-US/docs/Code_snippets/Interaction_between_privileged_and_non-privileged_pages
* ipa-adtrust-install: remove wrong check for dm_passwordSumit Bose2012-10-041-4/+0
| | | | | | | Additionally this patch removes a comment which makes no sense at this place anymore. Fixes https://fedorahosted.org/freeipa/ticket/3023
* Add --rid-base and --secondary-rid-base to ipa-adtrust-install man pageSumit Bose2012-10-031-0/+10
| | | | Fixes https://fedorahosted.org/freeipa/ticket/3038
* Enhance description of --no-msdcs in man pageSumit Bose2012-10-031-1/+25
| | | | Fixes https://fedorahosted.org/freeipa/ticket/2972
* Add man page paragraph about running ipa-adtrust-install multiple timesSumit Bose2012-10-031-0/+8
| | | | Fixes https://fedorahosted.org/freeipa/ticket/2967
* Index ipakrbprincipalalias and ipaautomountkey attributesMartin Kosek2012-10-012-0/+30
| | | | | | | | | | | | An unindexed search for ipakrbprincipalalias is fired for every ipa command (and other authentication events) which would degrade IPA server performance if not indexed. ipaautomountkey unindexed searches are hit when new key entries are being added. Add both indexes to new and updated IPA installs. https://fedorahosted.org/freeipa/ticket/3020 https://fedorahosted.org/freeipa/ticket/3025
* Use custom zonemgr for reverse zonesMartin Kosek2012-09-261-2/+2
| | | | | | | | | | | | | | When DNS is being installed during ipa-{server,dns,replica}-install, forward and reverse zone is created. However, reverse zone was always created with default zonemgr even when a custom zonemgr was passed to the installer as this functionality was missing in function creating reverse zone. Consolidate functions creating forward and reverse zones to avoid code duplication and errors like this one. Reverse zones are now created with custom zonemgr (when entered by user). https://fedorahosted.org/freeipa/ticket/2790
* Check direct/reverse hostname/address resolution in ipa-replica-installPetr Viktorin2012-09-201-19/+141
| | | | | | | | | | | | | Forward and reverse resolution of the newly created replica is already checked via get_host_name (which calls verify_fqdn). Add the same check for the existing master. Additionally, if DNS is installed on the remote host, check forward and reverse resolution of both replicas using that DNS only (ignoring /etc/hosts). These checks give only warnings and, in interactive installs, a "Continue?" prompt. https://fedorahosted.org/freeipa/ticket/2845
* Set master_kdc and dns_lookup_kdc to trueSumit Bose2012-09-193-2/+5
| | | | https://fedorahosted.org/freeipa/ticket/2515
* Use default reverse zone consistentlyMartin Kosek2012-09-193-3/+3
| | | | | | | | | | | | When a new reverse zone is to be generated based on an IP address without a network prefix length, we need to use some default value. While netaddr library default ones (32b for IPv4 and 128b for IPv6) are not very sensible we should use the defaults already applied in installers. That is 24b for IPv6 and 64 for IPv6. Test case has been added to cover the new default. https://fedorahosted.org/freeipa/ticket/2461
* Fix integer validation when boundary value is empty stringPetr Vobornik2012-09-197-3/+171
| | | | | | There was an error in number validation check. If boundary value was an empty string, validation of a number always failed. This patch fixes the problem by not performing the check in these cases. https://fedorahosted.org/freeipa/ticket/3066
* Show trust status in add success notificationPetr Vobornik2012-09-173-6/+29
| | | | | | Web UI notification of 'Add verification step after trust creation' https://fedorahosted.org/freeipa/ticket/2763
* Use Dogtag 10 only when it is availablePetr Viktorin2012-09-1711-40/+63
| | | | | | | | | | | Put the changes from Ade's dogtag 10 patch into namespaced constants in dogtag.py, which are then referenced in the code. Make ipaserver.install.CAInstance use the service name specified in the configuration. Uninstallation, where config is removed before CA uninstall, also uses the (previously) configured value. This and Ade's patch address https://fedorahosted.org/freeipa/ticket/2846
* Modifications to install scripts for dogtag 10Ade Lee2012-09-1710-25/+54
| | | | | | | Dogtag 10 uses a new installer, new directory layout and new default ports. This patch changes the ipa install code to integrate these changes. https://fedorahosted.org/freeipa/ticket/2846
* Fix various typos.Yuri Chornoivan2012-09-185-7/+7
| | | | https://fedorahosted.org/freeipa/ticket/3089
* When deleting a master, try to prevent orphaning other servers.Rob Crittenden2012-09-172-1/+98
| | | | | | | | | | | | | | | | | If you have a replication topology like A <-> B <-> C and you try to delete server B that will leave A and C orphaned. It may also prevent re-installation of a new master on B because the cn=masters entry for it probably still exists on at least one of the other masters. Check on each master that it connects to to ensure that it isn't the last link, and fail if it is. If any of the masters are not up then warn that this could be a bad thing but let the user continue if they want. Add a new option to the del command, --cleanup, which runs the replica_cleanup() routine to completely clean up references to a master. https://fedorahosted.org/freeipa/ticket/2797
* Run the CLEANALLRUV task when deleting a replication agreement.Rob Crittenden2012-09-175-24/+269
| | | | | | | | | | | | This adds two new commands to ipa-replica-manage: list-ruv & clean-ruv list-ruv can be use to list the update vectors the master has configugured clean-ruv can be used to fire off the CLEANRUV task to remove a replication vector. It should be used with caution. https://fedorahosted.org/freeipa/ticket/2303
* Expand Referential Integrity checksMartin Kosek2012-09-165-1/+191
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Many attributes in IPA (e.g. manager, memberuser, managedby, ...) are used to store DNs of linked objects in IPA (users, hosts, sudo commands, etc.). However, when the linked objects is deleted or renamed, the attribute pointing to it stays with the objects and thus may create a dangling link causing issues in client software reading the data. Directory Server has a plugin to enforce referential integrity (RI) by checking DEL and MODRDN operations and updating affected links. It was already used for manager and secretary attributes and should be expanded for the missing attributes to avoid dangling links. As a prerequisite, all attributes checked for RI must have pres and eq indexes to avoid performance issues. Thus, the following indexes are added: * manager (pres index only) * secretary (pres index only) * memberHost * memberUser * sourcehost * memberservice * managedby * memberallowcmd * memberdenycmd * ipasudorunas * ipasudorunasgroup Referential Integrity plugin is updated to enforce RI for all these attributes. Unit tests covering RI checks for all these attributes were added as well. Note: this update will only fix RI on one master as RI plugin does not check replicated operations. https://fedorahosted.org/freeipa/ticket/2866
* Amend memberAllowCmd and memberDenyCmd attribute typesMartin Kosek2012-09-162-2/+4
| | | | | | | | | | | Attribute types of attributes designed to hold DN values are not supposed to hold own ORDERING or SUBSTR matching rules (which were even not correct in this case). Update these attributes to only define an EQUALITY rule just like other DN attribute types in IPA. https://fedorahosted.org/freeipa/ticket/2866
* Update the pot file (translation source)Petr Viktorin2012-09-121-1433/+2004
| | | | Generated by running `make update-pot` in install/po
* Add --no-ssh option to ipa-client-install to disable OpenSSH client ↵Jan Cholasta2012-09-134-0/+14
| | | | | | | | | configuration. If both --no-ssh and --no-sshd are specified, do not configure the SSH service in SSSD. ticket 3070
* Set SELinux default context to unconfined_u:s0-s0:c0.c1023Rob Crittenden2012-09-132-2/+2
| | | | | | | Don't require ipaselinuxdefaultuser to be set. If this is unset then SSSD will use the system default. https://fedorahosted.org/freeipa/ticket/3045
* Prevent opening of multiple dirty dialogs on navigationPetr Vobornik2012-09-121-0/+5
| | | | | | | | Facets which performs AJAX call after update refresh (clear dirty state) after calling callback of dirty dialog. It might lead to multiple openings of dirty dialog. Assuming that calling dirty dialog's callback can be evaluated as "dirty state is gone", we can call reset in the callback to prevent the issue. There will be an incorrect state in the facet for a moment. It will be fixed soon on execute of callback of the refresh AJAX call. It is not an issue because it will happen in background. User will be looking on different facet. https://fedorahosted.org/freeipa/ticket/2667
* Reflect API change of SSH store in Web UIPetr Vobornik2012-09-064-18/+10
| | | | | | | | Format of ipasshpubkey in users and hosts changed from BYTES to STR. Web UI no longer gets the value as base64 encoded string in a object. Label was changed to reflect that the key don't have to be plain base64 encoded blob. https://fedorahosted.org/freeipa/ticket/2989
* Fix some restart script issues found with certificate renewal.Rob Crittenden2012-09-062-1/+19
| | | | | | | | | | | | | | The restart_dirsrv script wasn't initializing the api so the startup_timeout wasn't available. The subsystemCert cert-pki-ca definition was missing so we didn't know which certificate to update in CS.cfg. Add some documentation and a pause between restarts for the renew_ca_cert script so that when the CA subsystem certs are renewed they don't all try to restart the CA at the same time. https://fedorahosted.org/freeipa/ticket/3006
* Rename range CLI to idrangeSumit Bose2012-09-0714-44/+44
|
* Add version to replica prepare file, prevent installing to older versionRob Crittenden2012-09-074-6/+15
|
* Update of confirmation of actionsPetr Vobornik2012-09-065-10/+103
| | | | | | | | | | | This patch is changing confirmation of actions according to ticket #3035, see the ticket description. It does following changes: * Confirmation of update action was removed. * Action lists resets to first action (which is usually a NOP: '-- select action --') on change of displayed entry. * New confirmation dialog was implemented. It is used for action confirmation. It is used in IPA.action to replace the call of window.confirm(message). The old call is a modal window which blocks all JS functionality and has different style than other dialogs in Web UI. The new one has same design and doesn't block background operations. https://fedorahosted.org/freeipa/ticket/3035
generated by cgit (git 2.34.1) at 2024-05-25 15:30:05 +0000