| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Reviewed-By: Tomas Babej <tbabej@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Instead of separate checking of DNS required packages, we need just
check if IPA DNS package is installed.
https://fedorahosted.org/freeipa/ticket/4058
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
|
|
|
|
|
|
|
|
|
| |
--force option set replica-certify-all to 'no' during abort-clean-ruv
subcommand
https://fedorahosted.org/freeipa/ticket/4988
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
This patch implements a more thorough checking for already installed CAs
during standalone CA installation using ipa-ca-install. The installer now
differentiates between CA that is already installed locally and CA installed
on one or more masters in topology and prints an appropriate error message.
https://fedorahosted.org/freeipa/ticket/4492
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A new SELinux policy allows communication between IPA framework running
under Apache with oddjobd-based services via DBus.
This communication is crucial for one-way trust support and also is required
for any out of band tools which may be executed by IPA framework.
Details of out of band communication and SELinux policy can be found in a bug
https://bugzilla.redhat.com/show_bug.cgi?id=1238165
Reviewed-By: Tomas Babej <tbabej@redhat.com>
|
|
|
|
|
|
|
| |
Ticket: https:/fedorahosted.org/freeipa/ticket/5116
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
The kdcproxy upgrade step in ipa-server-upgrade needs a running dirsrv
instance. Under some circumstances the dirsrv isn't running. The patch
rearranges some upgrade steps and starts DS before enable_kdcproxy().
https://fedorahosted.org/freeipa/ticket/5113
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
|
|
|
|
|
|
|
|
| |
This reverts commit 62e8002bc43ddd890c3db35a123cb7daf35e3121.
Hiding of the topology and domainlevel features was necessary
for the 4.2 branch only.
Reviewed-By: Simo Sorce <ssorce@redhat.com>
|
|
|
|
|
|
|
| |
If ipa-adtrust-install has already been run on the system,
enable and start the oddjobd service.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
|
|
|
|
| |
Enable and start the oddjobd service as part of the
ipa-adtrust-install for the new IPA installations.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
|
| |
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
|
|
|
|
|
| |
Fixes https://fedorahosted.org/freeipa/ticket/4951
Reviewed-By: Tomas Babej <tbabej@redhat.com>
|
|
|
|
|
|
|
|
|
| |
When --ip-address is specified check if relevant DNS zone exists
in IPA managed DNS server, exit with error when not.
https://fedorahosted.org/freeipa/ticket/5014
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
* Hide topology and domainlevel commands in the CLI
* Hide topology and domainlevel in the WebUI
* Set maximum allowed domain level to 0
* Do not configure and enable the topology plugin
https://fedorahosted.org/freeipa/ticket/5097
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
|
|
|
|
|
|
|
| |
User should get the error before he installs missing packages etc.
https://fedorahosted.org/freeipa/ticket/4657
Reviewed-By: Petr Spacek <pspacek@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4657
Reviewed-By: Petr Spacek <pspacek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit allows to replace or disable DNSSEC key master
Replacing DNSSEC master requires to copy kasp.db file manually by user
ipa-dns-install:
--disable-dnssec-master DNSSEC master will be disabled
--dnssec-master --kasp-db=FILE This configure new DNSSEC master server, kasp.db from old server is required for sucessful replacement
--force Skip checks
https://fedorahosted.org/freeipa/ticket/4657
Reviewed-By: Petr Spacek <pspacek@redhat.com>
|
|
|
|
|
|
| |
Upgrade contains too many unnecessary info logs.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4943
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4524
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4524
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/5059
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
|
|
|
|
|
|
|
| |
dcb6916a3b0601e33b08e12aeb25357efed6812b introduced a regression where
get_agreement_type does not raise NotFound error if an agreement for host
does not exist. The exception was swallowed by get_replication_agreement.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3090
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3090
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3090
https://fedorahosted.org/freeipa/ticket/5073
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
|
|
|
|
|
|
| |
After enabling LDAPProfileSubsystem in Dogtag, migrate the
file-based profiles into the LDAP database.
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
New schema (for LDAP-based profiles) was introduced in Dogtag, but
Dogtag does not yet have a reliable method for upgrading its schema.
Use FreeIPA's schema update machinery to add the new attributeTypes
and objectClasses defined by Dogtag.
Also update the pki dependencies to 10.2.5, which provides the
schema update file.
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
|
|
|
|
|
|
|
| |
Check if cafile exist first.
https://fedorahosted.org/freeipa/ticket/4468
Reviewed-By: Tomas Babej <tbabej@redhat.com>
|
|
|
|
|
|
|
| |
HTTPInstance needs a LDAP connection for KDC Proxy upgrade. The patch
ensures that an admin_conn is available.
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
|
|
|
|
|
|
|
| |
installutils.remove_file() ignored broken symlinks. Now it uses
os.path.lexists() to detect and also remove dangling symlinks.
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
agreement existence
in other words limit usage of `agreement_dn` method only for manipulation
and search of agreements which are not managed by topology plugin.
For other cases is safer to search for the agreement.
https://fedorahosted.org/freeipa/ticket/5066
Reviewed-By: David Kupka <dkupka@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Certmonger should be running (should be started on system boot).
Either user decided to stop it or it crashed. We should just error out and
let user check & fix it.
https://fedorahosted.org/freeipa/ticket/5080
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
|
|
|
|
|
|
|
|
| |
'info' is optional component in LDAPError
http://www.python-ldap.org/doc/html/ldap.html#exceptions
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add integration of python-kdcproxy into FreeIPA to support the MS
Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD
client requests over HTTP and HTTPS.
- freeipa-server now depends on python-kdcproxy >= 0.3. All kdcproxy
dependencies are already satisfied.
- The service's state is configured in cn=KDC,cn=$FQDN,cn=masters,cn=ipa,
cn=etc,$SUFFIX. It's enabled, when ipaConfigString=kdcProxyEnabled is
present.
- The installers and update create a new Apache config file
/etc/ipa/kdcproxy/ipa-kdc-proxy.conf that mounts a WSGI app on
/KdcProxy. The app is run inside its own WSGI daemon group with
a different uid and gid than the webui.
- A ExecStartPre script in httpd.service symlinks the config file to
/etc/httpd/conf.d/ iff ipaConfigString=kdcProxyEnabled is present.
- The httpd.service also sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf,
so that an existing config is not used. SetEnv from Apache config does
not work here, because it doesn't set an OS env var.
- python-kdcproxy is configured to *not* use DNS SRV lookups. The
location of KDC and KPASSWD servers are read from /etc/krb5.conf.
- The state of the service can be modified with two ldif files for
ipa-ldap-updater. No CLI script is offered yet.
https://www.freeipa.org/page/V4/KDC_Proxy
https://fedorahosted.org/freeipa/ticket/4801
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Seem like this slipped in during the refactoring of the install tools.
https://fedorahosted.org/freeipa/ticket/4468
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/5064
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
|
|
|
| |
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
|
|
|
| |
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
|
|
|
| |
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4468
Reviewed-By: David Kupka <dkupka@redhat.com>
|
|
|
|
|
|
|
|
| |
Without this patch, the invalid api.Backend.ldap2 connection
was used to communicate with DS and it raises network error
after DS restart.
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Directory server is deprecating use of tools in instance specific paths. Instead
tools in bin/sbin path should be used.
https://fedorahosted.org/freeipa/ticket/4051
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Validation now provides more detailed information and less false
positives failures.
https://fedorahosted.org/freeipa/ticket/4657
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Implement the caacl commands, which are used to indicate which
principals may be issued certificates from which (sub-)CAs, using
which profiles.
At this commit, and until sub-CAs are implemented, all rules refer
to the top-level CA (represented as ".") and no ca-ref argument is
exposed.
Also, during install and upgrade add a default CA ACL that permits
certificate issuance for all hosts and services using the profile
'caIPAserviceCert' on the top-level CA.
Part of: https://fedorahosted.org/freeipa/ticket/57
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4302
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Use state in LDAP rather than local state to check if KRA is installed.
Use correct log file names.
https://fedorahosted.org/freeipa/ticket/3872
Reviewed-By: David Kupka <dkupka@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4468
Reviewed-By: David Kupka <dkupka@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3872
Reviewed-By: David Kupka <dkupka@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4468
Reviewed-By: David Kupka <dkupka@redhat.com>
|