| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
| |
Also remove the option to choose a user.
It is silly to keep it, when you can't choose the group nor the CA
directory user.
Fixes: https://fedorahosted.org/freeipa/ticket/851
|
|
|
|
|
|
| |
Avoids ipa-replica-manage to throw up errors.
Fixes: https://fedorahosted.org/freeipa/ticket/807
|
|
|
|
| |
Fixes: https://fedorahosted.org/freeipa/ticket/820
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
On a failed bind this will update krbLoginFailedCount and krbLastFailedAuth
and will potentially fail the bind altogether.
On a successful bind it will zero krbLoginFailedCount and set
krbLastSuccessfulAuth.
This will also enforce locked-out accounts.
See http://k5wiki.kerberos.org/wiki/Projects/Lockout for details on
kerberos lockout.
ticket 343
|
|
|
|
|
|
|
|
| |
This gives the root user low privileges so that when anonymous searches are
denied the init scripts can still search the directory via ldapi to get the
list of serevices to start.
Fixes: https://fedorahosted.org/freeipa/ticket/795
|
|
|
|
|
| |
We were attempting to re-add these entries on the replicas too.
Which were failing because these containers, obviously, already existed there.
|
|
|
|
|
|
|
| |
This has been completely abandoned since ipa v1 and is not built by default.
Instead of carrying dead weight, let's remove it for now.
Fixes: https://fedorahosted.org/freeipa/ticket/761
|
|
|
|
| |
Fixes: https://fedorahosted.org/freeipa/ticket/760
|
|
|
|
|
| |
This simplifies or rationalizes some code in order to make it easier to change
it to fix bug #690
|
|
|
|
| |
Fixes: https://fedorahosted.org/freeipa/ticket/617
|
|
|
|
|
|
|
|
|
|
| |
The changes include:
* Change license blobs in source files to mention GPLv3+ not GPLv2 only
* Add GPLv3+ license text
* Package COPYING not LICENSE as the license blobs (even the old ones)
mention COPYING specifically, it is also more common, I think
https://fedorahosted.org/freeipa/ticket/239
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/543
|
|
|
|
|
|
|
| |
The CA is installed before DS so we need to wait until DS is actually installed
to be able to ldap_enable the CA instance.
Fixes: https://fedorahosted.org/freeipa/ticket/612
|
|
|
|
|
|
|
|
| |
This allows us to have the CA ready to serve out certs for any operation even
before the dsinstance is created. The CA is independent of the dsinstance
anyway.
Also fixes: https://fedorahosted.org/freeipa/ticket/544
|
|
|
|
|
|
|
|
|
|
|
| |
This replace the former ipactl script, as well as replace the current way ipa
components are started.
Instead of enabling each service in the system init scripts, enable only the
ipa script, and then let it start all components based on the configuration
read from the LDAP tree.
resolves: https://fedorahosted.org/freeipa/ticket/294
|
|
|
|
|
| |
This is so that master and replica creation can perform different operations as
they need slightly diffeent settings to be applied.
|
|
|
|
|
|
|
| |
This will allow clients to use entryusn values to track what changed in the
directory regardles of replication delays.
Fixes: https://fedorahosted.org/freeipa/ticket/526
|
|
|
|
|
|
|
|
|
|
| |
If we don't then we need to add it when a group is detached causing
aci issues.
I had to move where we create the UPG template until after the DS
restart so the schema is available.
ticket 542
|
|
|
|
|
|
|
|
| |
This changes the system limits for the dirsrv user as well as
configuring DS to allow by default 8192 max files and 64 reserved
files (for replication indexes, etc..).
Fixes: https://fedorahosted.org/freeipa/ticket/464
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Change the way we specify the id ranges to force uid and gid ranges to always
be the same. Add option to specify a maximum id.
Change DNA configuration to use shared ranges so that masters and replicas can
actually share the same overall range in a safe way.
Configure replicas so that their default range is depleted. This will force
them to fetch a range portion from the master on the first install.
fixes: https://fedorahosted.org/freeipa/ticket/198
|
|
|
|
| |
Also use the realm name as nickname for the CA certificate
|
|
|
|
|
|
|
|
| |
Even though ldap.conf(5) claims that LDAPTLS_CACERT takes precedence over
LDAPTLS_CACERTDIR, this seems to be broken in F14. This patch works around
the issue by setting both into the environment.
https://fedorahosted.org/freeipa/ticket/467
|
|
|
|
|
|
| |
This meant that the compat sudo schema was not available.
ticket 439
|
|
|
|
| |
merge in remove uuid
|
| |
|
| |
|
|
|
|
|
| |
Apparently on some machines if this is not done SSL validation will fail.
Fixes bug #394
|
|
|
|
| |
ticket 350
|
|
|
|
|
|
|
|
|
|
|
| |
We check the resolver against the resolver and DNS against DNS but not
the resolver against DNS so if something is wrong in /etc/hosts we don't
catch it and nasty connection messages occur.
Also fix a problem where a bogus error message was being displayed because
we were trying to close an unconnected LDAP connection.
ticket 327
|
|
|
|
| |
Keep instance specific data in /var/lib/dirsrv
|
|
|
|
|
| |
Pass passwords to ldappasswd by using files.
Replace use of mozldap's ldappaswd with openldap's one.
|
|
|
|
|
|
|
| |
Give a better heads-up on how long the installation will take. Particularly
important when configuring dogtag.
ticket 139
|
|
|
|
|
|
| |
Also fix some imports for sha. We have a compat module for it, use it.
ticket 181
|
|
|
|
|
|
|
|
|
|
|
| |
* Adding a new SUDO schema file
* Adding this new file to the list of targets in make file
* Create SUDO container for sudo rules
* Add default sudo services to HBAC services
* Add default SUDO HBAC service group with two services sudo & sudo-i
* Installing schema
No SUDO rules are created by default by this patch.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This started with the client uninstaller returning a 1 when not installed.
There was no way to tell whether the uninstall failed or the client
simply wasn't installed which caused no end of grief with the installer.
This led to a lot of certmonger failures too, either trying to stop
tracking a non-existent cert or not handling an existing tracked
certificate.
I moved the certmonger code out of the installer and put it into the
client/server shared ipapython lib. It now tries a lot harder and smarter
to untrack a certificate.
ticket 142
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We don't use certmonger to get certificates during installation because
of the chicken-and-egg problem. This means that the IPA web and ldap
certs aren't being tracked for renewal.
This requires some manual changes to the certmonger request files once
tracking has begun because it doesn't store a subject or principal template
when a cert is added via start-tracking.
This also required some changes to the cert command plugin to allow a
host to execute calls against its own service certs.
ticket 67
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Move the user-private group caching code out of the global config and
determine the value the first time it is needed.
Renamed global_init() back to get_schema() and make it take an optional
connection. This solves the problem of being able to do all operations
with a simple bind instead of GSSAPI.
Moved the global get_syntax() into a class method so that a schema
can be passed in.
If a schema wasn't loaded during the module import then it is loaded
when the connection is created (so we have the credntials needed for
binding).
ticket 63
|
|
|
|
|
|
|
|
|
| |
Move the netgroup compat configuration from the nis configuration to
the existing compat configuration.
Add a 'status' option to the ipa-copmat-manage tool.
ticket 91
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch:
- bumps up the minimum version of python-nss
- will initialize NSS with nodb if a CSR is loaded and it isn't already
init'd
- will shutdown NSS if initialized in the RPC subsystem so we use right db
- updated and added a few more tests
Relying more on NSS introduces a bit of a problem. For NSS to work you
need to have initialized a database (either a real one or no_db). But once
you've initialized one and want to use another you have to close down the
first one. I've added some code to nsslib.py to do just that. This could
potentially have some bad side-effects at some point, it works ok now.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This uses a new 389-ds plugin, Managed Entries, to automatically create
a group entry when a user is created. The DNA plugin ensures that the
group has a gidNumber that matches the users uidNumber. When the user is
removed the group is automatically removed as well.
If the managed entries plugin is not available or if a specific, separate
range for gidNumber is passed in at install time then User-Private Groups
will not be configured.
The code checking for the Managed Entries plugin may be removed at some
point. This is there because this plugin is only available in a 389-ds
alpha release currently (1.2.6-a4).
|
| |
|
|
|
|
|
|
|
|
| |
Whenever we upgrade IPA such that any data incompatibilities might occur
then we need to bump the DATA_VERSION value so that data will not
replicate to other servers. The idea is that you can do an in-place
upgrade of each IPA server and the different versions own't pollute
each other with bad data.
|
|
|
|
|
|
|
| |
No longer install the policy or key escrow schemas and remove their
OIDs for now.
594149
|
|
|
|
|
|
|
|
|
| |
This is to make initial installation and testing easier.
Use the --no_hbac_allow option on the command-line to disable this when
doing an install.
To remove it from a running server do: ipa hbac-del allow_all
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We have had a state file for quite some time that is used to return
the system to its pre-install state. We can use that to determine what
has been configured.
This patch:
- uses the state file to determine if dogtag was installed
- prevents someone from trying to re-install an installed server
- displays some output when uninstalling
- re-arranges the ipa_kpasswd installation so the state is properly saved
- removes pkiuser if it was added by the installer
- fetches and installs the CA on both masters and clients
|
|
|
|
| |
Based on initial patch from Pavel Zuna.
|
|
|
|
|
|
|
|
|
|
|
|
| |
This creates a new role, replicaadmin, so a non-DM user can do
limited management of replication agreements.
Note that with cn=config if an unauthorized user performs a search
an error is not returned, no entries are returned. This makes it
difficult to determine if there are simply no replication agreements or
we aren't allowed to see them. Once the ipaldap.py module gets
replaced by ldap2 we can use Get Effective Rights to easily tell the
difference.
|
|
|
|
|
|
|
|
| |
If the group exists but the user doesn't then useradd blows up
trying to create the user and group. So test to see if the group
exists and if it does pass along the -g argument to useradd.
Resolves #502960
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Let the user, upon installation, set the certificate subject base
for the dogtag CA. Certificate requests will automatically be given
this subject base, regardless of what is in the CSR.
The selfsign plugin does not currently support this dynamic name
re-assignment and will reject any incoming requests that don't
conform to the subject base.
The certificate subject base is stored in cn=ipaconfig but it does
NOT dynamically update the configuration, for dogtag at least. The
file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to
be updated and pki-cad restarted.
|