path: root/install
Commit message | Author | Age | Files | Lines
* copy_schema_to_ca: Fallback to old import location for ipaplatform.services | Petr Viktorin | 2014-11-25 | 1 | -1/+5
  This file is copied to older servers that might not have the ipaplatform refactoring. Import from the old location if the new one is not available.
  https://fedorahosted.org/freeipa/ticket/4763
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* webui: normalize idview tab labels | Petr Vobornik | 2014-11-24 | 1 | -3/+3
  ID View tab labels are no longer redundant.
  https://fedorahosted.org/freeipa/ticket/4650
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* webui: use domain name instead of domain SID in idrange adder dialog | Petr Vobornik | 2014-11-24 | 1 | -9/+7
  It's more user friendly. Almost nobody remembers SIDs.
  https://fedorahosted.org/freeipa/ticket/4661
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* webui: fix potential XSS vulnerabilities | Petr Vobornik | 2014-11-20 | 5 | -10/+13
  Escape user defined text to prevent XSS attacks. Extra precaution was taken to escape also parts which are unlikely to contain user-defined text.
  fixes CVE-2014-7850
  https://fedorahosted.org/freeipa/ticket/4742
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Show warning instead of error if CA did not start | Martin Basti | 2014-11-20 | 1 | -0/+4
  This is just a workaround; checking if CA is working raises a false positive exception during upgrade
  Ticket: https://fedorahosted.org/freeipa/ticket/4676
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* Fix wrong expiration date on renewed IPA CA certificates | Jan Cholasta | 2014-11-19 | 1 | -0/+2
  The expiration date was always set to the expiration date of the original certificate.
  https://fedorahosted.org/freeipa/ticket/4717
  Reviewed-By: David Kupka <dkupka@redhat.com>
* Fix named working directory permissions | Martin Basti | 2014-11-18 | 1 | -0/+14
  Just adding dir to specfile doesn't work, because it is not guaranteed that named is installed during RPM installation.
  Ticket: https://fedorahosted.org/freeipa/ticket/4716
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Add help string on how to configure multiple DNS forwards for various cli tools | Thorsten Scherf | 2014-11-14 | 3 | -3/+3
  The man pages for various FreeIPA setup tools are more descriptive on how to configure multiple DNS forwarders than the corresponding cli help. This patch makes the cli help more verbose now for the following tools:
    * ipa-dns-install
    * ipa-replica-install
    * ipa-server-install
  https://fedorahosted.org/freeipa/ticket/4465
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Upgrade: fix trusts objectclass violation | Martin Basti | 2014-11-13 | 3 | -6/+9
  Execute updates in proper ordering. Currently ldap-updater implementation doesn't allow better fix.
  Ticket: https://fedorahosted.org/freeipa/ticket/4680
  Reviewed-By: David Kupka <dkupka@redhat.com>
* Fix upgrade referint plugin | Martin Basti | 2014-11-13 | 1 | -12/+1
  Mixing 'Old' and 'New' attr style for referential integrity plugin causes errors. Now old settings are migrated to new style settings before upgrade
  Ticket: https://fedorahosted.org/freeipa/ticket/4622
  Reviewed-By: David Kupka <dkupka@redhat.com>
* Search using proper scope when connecting CA instances | Rob Crittenden | 2014-11-13 | 1 | -1/+1
  The wrong search scope was being used when trying to determine if a given master had a CA installed when trying to create a new connection.
  https://fedorahosted.org/freeipa/ticket/4704
  Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* Fix: DNS installer adds invalid zonemgr email | Martin Basti | 2014-11-13 | 1 | -1/+1
  Installer adds zonemgr as relative (and invalid) address. This fix forces installer to use absolute email.
  Ticket: https://fedorahosted.org/freeipa/ticket/4707
  Reviewed-By: David Kupka <dkupka@redhat.com>
* webui: prohibit setting rid base with ipa-trust-ad-posix type | Petr Vobornik | 2014-11-11 | 1 | -17/+60
  Base RID is no longer editable for ipa-trust-ad-posix range type
  Adder dialog:
  - Range type selector was moved up because it affects a field above it
  Details page:
  - Only fields relevant to range's type are visible
  https://fedorahosted.org/freeipa/ticket/4221
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipa-server-install Directory Manager help incorrect | Gabe | 2014-11-11 | 1 | -1/+1
  https://fedorahosted.org/freeipa/ticket/4694
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Stop dirsrv last in ipactl stop. | David Kupka | 2014-11-06 | 1 | -6/+6
  Other services may depend on directory server.
  https://fedorahosted.org/freeipa/ticket/4632
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Deadlock in schema compat plugin (between automember_update_membership task and dse update) | Thierry bordaz (tbordaz) | 2014-11-06 | 1 | -10/+20
  Defining schema-compat-ignore-subtree values for schema compat plugin config entries removes the default value (ignore: cn=tasks,cn=config). This default value prevented deadlocks. Schema plugin needs to scope the $SUFFIX and also any updates to its configuration. This change restricts the schema compat to those subtrees. It replaces the definition of ignored subtrees that would be too long for cn=config (tasks, mapping tree, replication, snmp..)
  https://fedorahosted.org/freeipa/ticket/4635
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fail if certmonger can't see new CA certificate in LDAP in ipa-cacert-manage | Jan Cholasta | 2014-11-05 | 1 | -23/+17
  This should not normally happen, but if it does, report an error instead of waiting indefinitely for the certificate to appear.
  https://fedorahosted.org/freeipa/ticket/4629
  Reviewed-By: David Kupka <dkupka@redhat.com>
* Fixed KRA backend. | Endi S. Dewata | 2014-11-04 | 1 | -1/+1
  The KRA backend has been simplified since most of the tasks have been moved somewhere else. The transport certificate will be installed on the client, and it is not needed by KRA backend. The KRA agent's PEM certificate is now generated during installation due to permission issue. The kra_host() for now is removed since the current ldap_enable() cannot register the KRA service, so it is using the kra_host environment variable.
  The KRA installer has been modified to use Dogtag's CLI to create KRA agent and setup the client authentication.
  The proxy settings have been updated to include KRA's URLs.
  Some constants have been renamed for clarity. The DOGTAG_AGENT_P12 has been renamed to DOGTAG_ADMIN_P12 since file actually contains the Dogtag admin's certificate and private key and it can be used to access both CA and KRA. The DOGTAG_AGENT_PEM has been renamed to KRA_AGENT_PEM since it can only be used for KRA.
  The Dogtag dependency has been updated to 10.2.1-0.1.
  https://fedorahosted.org/freeipa/ticket/4503
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Remove trivial path constants from modules | Gabe | 2014-11-04 | 2 | -16/+12
  https://fedorahosted.org/freeipa/ticket/4399
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Do not wait for new CA certificate to appear in LDAP in ipa-certupdate | Jan Cholasta | 2014-10-30 | 1 | -38/+49
  If new certificate is not available, reuse the old one, instead of waiting indefinitely for the new certificate to appear.
  https://fedorahosted.org/freeipa/ticket/4628
  Reviewed-By: David Kupka <dkupka@redhat.com>
* Handle profile changes in dogtag-ipa-ca-renew-agent | Jan Cholasta | 2014-10-29 | 1 | -7/+80
  To update the CA certificate in the Dogtag NSS database, the "ipa-cacert-manage renew" and "ipa-certupdate" commands temporarily change the profile of the CA certificate certmonger request, resubmit it and change the profile back to the original one.
  When something goes wrong while resubmitting the request, it needs to be modified and resubmitted again manually. This might fail with invalid cookie error, because changing the profile does not change the internal state of the request.
  Detect this in dogtag-ipa-ca-renew-agent and reset the internal state when profile is changed.
  https://fedorahosted.org/freeipa/ticket/4627
  Reviewed-By: David Kupka <dkupka@redhat.com>
* Do not check if port 8443 is available in step 2 of external CA install | Jan Cholasta | 2014-10-22 | 2 | -5/+7
  The port is never available in step 2 of external CA install, as Dogtag is already running.
  https://fedorahosted.org/freeipa/ticket/4660
  Reviewed-By: David Kupka <dkupka@redhat.com>
* DNSSEC: upgrading | Martin Basti | 2014-10-21 | 1 | -0/+67
  Tickets:
  https://fedorahosted.org/freeipa/ticket/3801
  https://fedorahosted.org/freeipa/ticket/4417
  Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
  Reviewed-By: David Kupka <dkupka@redhat.com>
* DNSSEC: uninstallation | Martin Basti | 2014-10-21 | 2 | -0/+37
  Tickets:
  https://fedorahosted.org/freeipa/ticket/3801
  https://fedorahosted.org/freeipa/ticket/4417
  Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
  Reviewed-By: David Kupka <dkupka@redhat.com>
* DNSSEC: installation | Martin Basti | 2014-10-21 | 3 | -9/+69
  Tickets:
  https://fedorahosted.org/freeipa/ticket/3801
  https://fedorahosted.org/freeipa/ticket/4417
  Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
  Reviewed-By: David Kupka <dkupka@redhat.com>
* DNSSEC: validate forwarders | Martin Basti | 2014-10-21 | 4 | -3/+39
  Tickets:
  https://fedorahosted.org/freeipa/ticket/3801
  https://fedorahosted.org/freeipa/ticket/4417
  Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
  Reviewed-By: David Kupka <dkupka@redhat.com>
* DNSSEC: opendnssec services | Martin Basti | 2014-10-21 | 3 | -0/+198
  Tickets:
  https://fedorahosted.org/freeipa/ticket/3801
  https://fedorahosted.org/freeipa/ticket/4417
  Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
  Reviewed-By: David Kupka <dkupka@redhat.com>
* DNSSEC: DNS key synchronization daemon | Martin Basti | 2014-10-21 | 5 | -1/+37
  Tickets:
  https://fedorahosted.org/freeipa/ticket/3801
  https://fedorahosted.org/freeipa/ticket/4417
  Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
  Reviewed-By: David Kupka <dkupka@redhat.com>
* DNSSEC: schema | Martin Basti | 2014-10-21 | 4 | -4/+61
  Tickets:
  https://fedorahosted.org/freeipa/ticket/3801
  https://fedorahosted.org/freeipa/ticket/4417
  Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
  Reviewed-By: David Kupka <dkupka@redhat.com>
* webui: update combobox input on list click | Petr Vobornik | 2014-10-21 | 1 | -3/+7
  Change event of combobox is not triggered when there is only one value. Calling its handler even for option's 'click' event makes sure that value of input gets always updated.
  https://fedorahosted.org/freeipa/ticket/4655
  Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* webui: do not show closed dialog | Petr Vobornik | 2014-10-21 | 1 | -0/+18
  Fixes issues when dialog is not removed from `IPA.opened_dialogs` registry when dialog.close() is called while the dialog is not shown, i.e., while other dialog is shown. Without it, the dialog could be incorrectly displayed.
  New dialog's property `opened` handles whether dialog is intended to be opened.
  How to test: Add new host with IP address outside of managed reverse zones to get error 4304.
  https://fedorahosted.org/freeipa/ticket/4656
  Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* Change ipaOverrideTarget OID to avoid conflict with DNSSEC feature | Alexander Bokovoy | 2014-10-21 | 1 | -1/+1
* Remove ipaContainer, ipaOrderedContainer objectclass | Martin Basti | 2014-10-20 | 2 | -74/+0
  https://fedorahosted.org/freeipa/ticket/4646
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Support idviews in compat tree | Alexander Bokovoy | 2014-10-20 | 3 | -0/+20
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* webui: do not offer ipa users to Default Trust View | Petr Vobornik | 2014-10-20 | 4 | -4/+61
  https://fedorahosted.org/freeipa/ticket/4616
  Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* webui: hide (un)apply buttons for Default Trust View | Petr Vobornik | 2014-10-20 | 1 | -1/+12
  Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* webui: hide applied to hosts tab for Default Trust View | Petr Vobornik | 2014-10-20 | 2 | -2/+29
  because applying Default Trust view on hosts is not allowed
  https://fedorahosted.org/freeipa/ticket/4615
  Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* webui: change order of idview's facet groups | Petr Vobornik | 2014-10-20 | 1 | -4/+4
  Applied to hosts facet should not be default because, e.g., for Default Trust View it shouldn't be even visible(o use).
  Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* webui: make Evented a part of base IPA.object | Petr Vobornik | 2014-10-20 | 7 | -22/+15
  1. All framework objects to use event interface
  2. Framework objects can be part of specification objects but they are not deep-cloned as the rest of specification objects - usually it would cause infinite loop. This makes it easier to add context as a $pre-op object without a need for $pre-op function.
  Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* webui: allow --force in dnszone-mod and dnsrecord-add | Petr Vobornik | 2014-10-20 | 2 | -5/+68
  Allow to use --force when changing authoritative nameserver address in DNS zone.
  Same for dnsrecord-add for NS record.
  https://fedorahosted.org/freeipa/ticket/4573
  Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* Configure IPA OTP Last Token plugin on upgrade | Nathaniel McCallum | 2014-10-20 | 1 | -0/+15
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* webui: management of keytab permissions | Petr Vobornik | 2014-10-20 | 4 | -3/+185
  https://fedorahosted.org/freeipa/ticket/4419
  Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* Create ipa-otp-counter 389DS plugin | Nathaniel McCallum | 2014-10-20 | 1 | -0/+15
  This plugin ensures that all counter/watermark operations are atomic and never decrement. Also, deletion is not permitted.
  Because this plugin also ensures internal operations behave properly, this also gives ipa-pwd-extop the appropriate behavior for OTP authentication.
  https://fedorahosted.org/freeipa/ticket/4493
  https://fedorahosted.org/freeipa/ticket/4494
  Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Display token type when viewing token | Nathaniel McCallum | 2014-10-20 | 1 | -0/+1
  When viewing a token from the CLI or UI, the type of the token should be displayed.
  https://fedorahosted.org/freeipa/ticket/4563
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* webui: add new iduseroverride fields | Petr Vobornik | 2014-10-17 | 1 | -1/+12
  - add gecos, gidnumber, loginshell, sshkeys fields
  https://fedorahosted.org/freeipa/ticket/4617
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* webui: add link to OTP token app | Petr Vobornik | 2014-10-17 | 2 | -1/+10
  - display info message which points user to FreeOTP project page
  - the link or the text can be easily changed by a plugin if needed
  https://fedorahosted.org/freeipa/ticket/4469
  Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* Check LDAP instead of local configuration to see if IPA CA is enabled | Jan Cholasta | 2014-10-17 | 4 | -15/+27
  The check is done using a new hidden command ca_is_enabled.
  https://fedorahosted.org/freeipa/ticket/4621
  Reviewed-By: David Kupka <dkupka@redhat.com>
* Do not fix trust flags in the DS NSS DB in ipa-upgradeconfig | Jan Cholasta | 2014-10-17 | 1 | -6/+5
  It is necessary to fix trust flags only in the HTTP NSS DB, as it is used as a source in the upload_cacrt update plugin.
  https://fedorahosted.org/freeipa/ticket/4621
  Reviewed-By: David Kupka <dkupka@redhat.com>
* Do not create ipa-pki-proxy.conf if CA is not configured in ipa-upgradeconfig | Jan Cholasta | 2014-10-17 | 1 | -1/+5
  This fixes upgrade from CA-less to CA-full after IPA upgrade.
  https://fedorahosted.org/freeipa/ticket/4621
  Reviewed-By: David Kupka <dkupka@redhat.com>
* Remove changetype attribute from update plugin | Martin Kosek | 2014-10-17 | 1 | -1/+0
  The attribute addition had no effect, but it should not be there.