| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
|
|
|
| |
Server and client installer should allow kernel keyring ccache when
supported.
https://fedorahosted.org/freeipa/ticket/4013
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3896
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Modify ipalib.rpc to support JSON-RPC in addition to XML-RPC.
This is done by subclassing and extending xmlrpclib, because
our existing code relies on xmlrpclib internals.
The URI to use is given in the new jsonrpc_uri env variable. When
it is not given, it is generated from xmlrpc_uri by replacing
/xml with /json.
The rpc_json_uri env variable existed before, but was unused,
undocumented and not set the install scripts.
This patch removes it in favor of jsonrpc_uri (for consistency
with xmlrpc_uri).
Add the rpc_protocol env variable to control the protocol
IPA uses. rpc_protocol defaults to 'jsonrpc', but may be changed
to 'xmlrpc'.
Make backend.Executioner and tests use the backend specified by
rpc_protocol.
For compatibility with unwrap_xml, decoding JSON now gives tuples
instead of lists.
Design: http://freeipa.org/page/V3/JSON-RPC
Ticket: https://fedorahosted.org/freeipa/ticket/3299
|
|
|
|
|
|
|
|
|
|
|
| |
During the installation, copy the CA certificate to the systemwide
store (/etc/pki/ca-trust/source/anchors/ipa-ca.crt) and update the
systemwide CA database.
This allows browsers to access IPA WebUI without warning out of the
box.
https://fedorahosted.org/freeipa/ticket/3504
|
|
|
|
| |
Part of ticket https://fedorahosted.org/freeipa/ticket/3821
|
|
|
|
|
|
|
|
|
| |
Option --configure-firefox configures firefox to use Kerberos
credentials within IPA domain
Optional option --firefox-dir=DIR allows to user to specify non-standard
path where firefox install directory is placed.
Part of ticket: https://fedorahosted.org/freeipa/ticket/3821
|
|
|
|
|
|
| |
This change makes single_value consistent with the raw property.
https://fedorahosted.org/freeipa/ticket/3521
|
|
|
|
|
|
| |
This file is always updated when client is installed or uninstalled.
https://fedorahosted.org/freeipa/ticket/3995
|
|
|
|
|
|
|
|
| |
In case of a failed enrollment, IPA client rolls back any changes it has made
to the system. In order to have a more debuggable setup, do not roll back these
changes in the case of an IPA server install.
https://fedorahosted.org/freeipa/ticket/3990
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3944
|
|
|
|
|
|
|
|
|
| |
With old servers, it is possible that xmlclient.connect() succeeds
but commands fail with a Kerberos error.
Verify that commands succeed by sending a ping after connecting.
Follow-up to: https://fedorahosted.org/freeipa/ticket/3931
|
|
|
|
|
|
|
|
|
|
|
|
| |
To make sure the installation works with older servers,
use XML-RPC directly, with a version set explicitly so the request
is not rejected.
RPC was chosen over ldapmodify, because going through the API allows
the server to process the request properly, or even cleanly reject
it if there are incompatible changes in future versions.
https://fedorahosted.org/freeipa/ticket/3931
|
|
|
|
|
|
|
| |
In server mode, the discovery domain should be left unset in all
cases as the DNS discovery is only driven by the AD domains.
https://fedorahosted.org/freeipa/ticket/3947
|
|
|
|
|
|
|
|
| |
Use 'getent admin@domain' rather than 'getent admin@REALM' to check if nss
is working properly since admin@REALM check fails in case the domain and the realm
name does not match.
https://fedorahosted.org/freeipa/ticket/3906
|
|
|
|
|
|
|
|
| |
Some of the FileErrors in ipa-client-install were raised incorrectly
(without the 'reason' argument), which resulted in bad error messages
during ipa-client-install.
https://fedorahosted.org/freeipa/ticket/3758
|
|
|
|
|
|
|
| |
Due to the upcoming deprecation of the ntpdate program (targeted for Fedora 20),
replace ntpdate calls with ntpd.
https://fedorahosted.org/freeipa/ticket/3797
|
|
|
|
|
|
|
|
|
|
|
| |
The __all__ list does not cause submodules to be imported, e.g.
one would still have to `import ipaclient.ipachangeconf` rather than
just `import ipaclient` to use `ipaclient.ipachangeconf`.
Even if they did do anything, the lists were incomplete, and (since
`import *` is not used on these modules) unnecessary.
Pylint 1.0 reports undeclared names in __all__ as a warning.
|
|
|
|
|
|
|
| |
Add the --automount-location option to ipa-client-install. If the option is
used, ipa-client-automount is called at the end of ipa-client-install.
https://fedorahosted.org/freeipa/ticket/3740
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Differences in the python byte code fails in a build validation
(rpmdiff) done on difference architecture of the same package.
This patch:
1) Ensures that timestamps of generated *.pyo and *.pyc files match
2) Python integer literals greater or equal 2^32 and lower than 2^64
are converted to long right away to prevent different type of
the integer on architectures with different size of int
https://fedorahosted.org/freeipa/ticket/3858
|
|
|
|
|
|
|
|
| |
Updates old information produced by the ipa help host command.
Also adds a section to ipa-client-install manpage about client
re-enrollment.
https://fedorahosted.org/freeipa/ticket/3820
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3811
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3771
|
|
|
|
|
|
|
| |
IPA uses "ipa" as the "package name" for all translations,
even in the ipa-client package.
https://fedorahosted.org/freeipa/ticket/3695
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3652
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3766
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3705
|
|
|
|
|
|
|
| |
Entitlements code was not tested nor supported upstream since
version 3.0. Remove the associated code.
https://fedorahosted.org/freeipa/ticket/3739
|
|
|
|
|
|
|
|
|
|
|
| |
Improve handling of command line options related to forced client re-enrollment
in ipa-client-install:
* Make --keytab and --principal options mutually exclusive.
* Warn that using --force-join together with --keytab provides no additional
functionality.
https://fedorahosted.org/freeipa/ticket/3686
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3629
|
|
|
|
|
|
|
|
|
|
| |
nss-pam-ldapd in 0.8.4 changed the default to map uniqueMember to
member so it is no longer needed in the config file, and in fact
causes an error to be raised.
Add a Conflicts on older versions.
https://fedorahosted.org/freeipa/ticket/3589
|
|
|
|
|
|
|
| |
Run sss_ssh_authorizedkeyscommand as nobody. Automatically update sshd_config
on openssh-server update.
https://fedorahosted.org/freeipa/ticket/3571
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We should respect already configured options present in
/etc/openldap/ldap.conf when generating our own configuration.
With this patch, we only rewrite URI, BASE and TLS_CACERT options
only if they are not configured. In the case they are, our suggested
configuration is inserted as a comment.
Also adds tab as a delimeter character in /etc/openldap/ldap.conf
https://fedorahosted.org/freeipa/ticket/3582
|
|
|
|
|
|
|
|
|
| |
This patch makes sure that sss is not removed from nsswitch.conf
which causes probles with later uses of sssd. Makes sure that
authconfig with --disablesssd option is not executed during
ipa client uninstall.
https://fedorahosted.org/freeipa/ticket/3577
|
|
|
|
|
|
|
|
| |
When client enrollment fails due to the fact that host entry
already exists on the server, display an message informing the
user about the possibility of using --force-join option.
https://fedorahosted.org/freeipa/ticket/3572
|
|
|
|
|
|
|
|
| |
Make sure /etc/ipa is created and owned by freeipa-python package.
Report correct error to user if /etc/ipa is missing during client installation.
https://fedorahosted.org/freeipa/ticket/3551
|
|
|
|
| |
Part of the work for https://fedorahosted.org/freeipa/ticket/3494
|
|
|
|
|
|
|
|
| |
The CA cert (/etc/ipa/ca.crt) was not being removed
on client uninstall, causing failure on subsequent client
installation in some cases.
https://fedorahosted.org/freeipa/ticket/3537
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3536
|
|
|
|
|
|
| |
Fix rpm build warnings report in Fedora 19 build.
https://fedorahosted.org/freeipa/ticket/3500
|
|
|
|
|
|
|
|
|
|
| |
A new option --force-join has been added to ipa-client-install.
It forces the host enrollment even if the host entry exists.
Old certificate is revoked, new certificate and ssh key pair
generated. See the relevant design for the re-enrollment part:
http://freeipa.org/page/V3/Forced_client_re-enrollment
https://fedorahosted.org/freeipa/ticket/3482
|
|
|
|
|
|
|
|
| |
CA certificate retrieval function did not fallback from LDAP to
HTTP based retrieval in case of an LDAP error, when for example
GSSAPI authentication failed.
https://fedorahosted.org/freeipa/ticket/3512
|
|
|
|
|
|
|
|
| |
ipa-client-install failed if user had set his own KRB5CCNAME in his
environment. Use a temporary CCACHE for the installer to avoid these
kind of errors.
https://fedorahosted.org/freeipa/ticket/3512
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When RootDSE could be read (nsslapd-allow-anonymous-access set to
"rootdse"), autodiscovery module failed to report success to the
client installer.
Remove faulty "verified_servers" flag from autodiscovery module as
it has no point since we consider both scenarios (IPA server with
anonymous access on and unknown LDAP server with anonymous access
off) as success.
https://fedorahosted.org/freeipa/ticket/3519
|
|
|
|
|
|
|
|
|
|
|
|
| |
In client discovery module, we used to run up to three discovery
processes even though we received a fixed list of servers to connect
to. This could result in up to 3 identical "not an IPA server" error
messages when the passed server is not an IPA server.
Error out immediately when we are discovering against a fixed set
of servers.
Related to fixes in https://fedorahosted.org/freeipa/ticket/3418
|
|
|
|
|
|
|
|
|
|
|
|
| |
When multiple servers are passed via --server option, ipadiscovery
module changed its order. Make sure that we preserve it.
Also make sure that user is always warned when a tested server is
not available as then the server will be excluded from the fixed
server list. Log messages were made more informative so that user
knows which server is actually failing to be verified.
https://fedorahosted.org/freeipa/ticket/3418
|
|
|
|
|
|
|
|
|
|
|
| |
Parts of client uninstall logic could be skipped in attended
uninstallation if user agreed to reboot the machine. Particulary,
the uninstall script would not try to remove /etc/ipa/default.conf
and therefore subsequent installation would fail, client being
detected as already configured.
https://fedorahosted.org/freeipa/ticket/3462
https://fedorahosted.org/freeipa/ticket/3463
|
| |
|
|
|
|
| |
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
These used ipautil.get_ipa_basedn. Convert that to use the new wrappers.
Beef up the error handling in ipaldap to accomodate the errors we catch
in the server discovery.
Add a DatabaseTimeout exception to errors.py.
These were the last uses of ipautil.convert_ldap_error, remove that.
https://fedorahosted.org/freeipa/ticket/3487
https://fedorahosted.org/freeipa/ticket/3446
|
|
|
|
| |
Part of the work for: https://fedorahosted.org/freeipa/ticket/3487
|