| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Fixes: https://fedorahosted.org/freeipa/ticket/640
|
|
|
|
|
|
|
|
|
|
| |
The changes include:
* Change license blobs in source files to mention GPLv3+ not GPLv2 only
* Add GPLv3+ license text
* Package COPYING not LICENSE as the license blobs (even the old ones)
mention COPYING specifically, it is also more common, I think
https://fedorahosted.org/freeipa/ticket/239
|
|
|
|
|
|
|
|
|
| |
Notable changes include:
* parse AAAA records in dnsclient
* also ask for AAAA records when verifying FQDN
* do not use functions that are not IPv6 aware - notably socket.gethostbyname()
The complete list of functions was taken from http://www.akkadia.org/drepper/userapi-ipv6.html
section "Interface Checklist"
|
|
|
|
| |
ticket 502
|
|
|
|
|
|
| |
Also check for url-encoded passwords before logging them.
ticket 324
|
|
|
|
| |
ticket 599
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/543
|
| |
|
|
|
|
|
|
|
| |
The CA is installed before DS so we need to wait until DS is actually installed
to be able to ldap_enable the CA instance.
Fixes: https://fedorahosted.org/freeipa/ticket/612
|
|
|
|
|
|
|
|
| |
This allows us to have the CA ready to serve out certs for any operation even
before the dsinstance is created. The CA is independent of the dsinstance
anyway.
Also fixes: https://fedorahosted.org/freeipa/ticket/544
|
|
|
|
|
|
|
|
|
|
|
| |
This replace the former ipactl script, as well as replace the current way ipa
components are started.
Instead of enabling each service in the system init scripts, enable only the
ipa script, and then let it start all components based on the configuration
read from the LDAP tree.
resolves: https://fedorahosted.org/freeipa/ticket/294
|
|
|
|
|
| |
This is so that master and replica creation can perform different operations as
they need slightly diffeent settings to be applied.
|
|
|
|
|
|
|
| |
Prompt for creation of reverse zone, with the default for unattended
installations being False.
https://fedorahosted.org/freeipa/ticket/418
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The new model is based on permssions, privileges and roles.
Most importantly it corrects the reverse membership that caused problems
in the previous implementation. You add permission to privileges and
privileges to roles, not the other way around (even though it works that
way behind the scenes).
A permission object is a combination of a simple group and an aci.
The linkage between the aci and the permission is the description of
the permission. This shows as the name/description of the aci.
ldap:///self and groups granting groups (v1-style) are not supported by
this model (it will be provided separately).
This makes the aci plugin internal only.
ticket 445
|
|
|
|
|
|
|
| |
This will allow clients to use entryusn values to track what changed in the
directory regardles of replication delays.
Fixes: https://fedorahosted.org/freeipa/ticket/526
|
|
|
|
|
|
|
|
|
|
| |
If we don't then we need to add it when a group is detached causing
aci issues.
I had to move where we create the UPG template until after the DS
restart so the schema is available.
ticket 542
|
|
|
|
|
| |
Kerberos binaries may be in /usr/kerberos/*bin or /usr/*bin, let PATH
sort it out.
|
|
|
|
|
|
|
|
| |
This changes the system limits for the dirsrv user as well as
configuring DS to allow by default 8192 max files and 64 reserved
files (for replication indexes, etc..).
Fixes: https://fedorahosted.org/freeipa/ticket/464
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Change the way we specify the id ranges to force uid and gid ranges to always
be the same. Add option to specify a maximum id.
Change DNA configuration to use shared ranges so that masters and replicas can
actually share the same overall range in a safe way.
Configure replicas so that their default range is depleted. This will force
them to fetch a range portion from the master on the first install.
fixes: https://fedorahosted.org/freeipa/ticket/198
|
|
|
|
|
| |
Only if more than one CPU is available
Only if supported by the installed krb5kdc
|
|
|
|
| |
Fixes: https://fedorahosted.org/freeipa/ticket/440
|
|
|
|
|
| |
altough the kdc certificate name is not tied to the fqdn we create separate
certs for each KDC so that renewal of each of them is done separately.
|
|
|
|
|
|
| |
leave it disabled for now
we can change this default once we will have some restriction on what services
this principal can get tickets for.
|
|
|
|
|
| |
This patch adds support only for the selfsign case.
Replica support is also still missing at this stage.
|
|
|
|
| |
Also use the realm name as nickname for the CA certificate
|
|
|
|
|
|
|
|
| |
Even though ldap.conf(5) claims that LDAPTLS_CACERT takes precedence over
LDAPTLS_CACERTDIR, this seems to be broken in F14. This patch works around
the issue by setting both into the environment.
https://fedorahosted.org/freeipa/ticket/467
|
|
|
|
|
|
| |
This meant that the compat sudo schema was not available.
ticket 439
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This lets the KDC count password failures and can lock out accounts for
a period of time. This only works for KDC >= 1.8.
There currently is no way to unlock a locked account across a replica. MIT
Kerberos 1.9 is adding support for doing so. Once that is available unlock
will be added.
The concept of a "global" password policy has changed. When we were managing
the policy using the IPA password plugin it was smart enough to search up
the tree looking for a policy. The KDC is not so smart and relies on the
krbpwdpolicyreference to find the policy. For this reason every user entry
requires this attribute. I've created a new global_policy entry to store
the default password policy. All users point at this now. The group policy
works the same and can override this setting.
As a result the special "GLOBAL" name has been replaced with global_policy.
This policy works like any other and is the default if a name is not
provided on the command-line.
ticket 51
|
|
|
|
| |
merge in remove uuid
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
| |
Apparently on some machines if this is not done SSL validation will fail.
Fixes bug #394
|
|
|
|
| |
ticket 350
|
|
|
|
|
|
|
|
|
|
|
| |
We check the resolver against the resolver and DNS against DNS but not
the resolver against DNS so if something is wrong in /etc/hosts we don't
catch it and nasty connection messages occur.
Also fix a problem where a bogus error message was being displayed because
we were trying to close an unconnected LDAP connection.
ticket 327
|
|
|
|
| |
Keep instance specific data in /var/lib/dirsrv
|
|
|
|
|
| |
Pass passwords to ldappasswd by using files.
Replace use of mozldap's ldappaswd with openldap's one.
|
|
|
|
|
|
|
| |
ipa-dns-manage could fail in very odd ways depending on the current
configuration of the server. Handle things a bit better.
ticket 210
|
|
|
|
|
|
|
| |
Give a better heads-up on how long the installation will take. Particularly
important when configuring dogtag.
ticket 139
|
|
|
|
| |
ticket 243
|
|
|
|
|
|
| |
Also fix some imports for sha. We have a compat module for it, use it.
ticket 181
|
|
|
|
|
|
|
| |
This has been annoying for developers who switch back and forth. It will
still break v1 but at least going from v1 to v2 will work seemlessly.
ticket 240
|
|
|
|
|
|
|
| |
The problem here was two-fold: the certs manager was raising an
error it didn't know about and ipa-replica-prepare wasn't catching it.
ticket 249
|
|
|
|
| |
ticket 125
|
|
|
|
|
|
|
|
| |
We used to check for these one at a time so you'd run it once and find
out you're missing the bind package. Install that and run the installer
again and you'd discover you're missing bind-dyndb-ldap.
ticket 140
|
|
|
|
|
|
|
|
|
|
|
| |
* Adding a new SUDO schema file
* Adding this new file to the list of targets in make file
* Create SUDO container for sudo rules
* Add default sudo services to HBAC services
* Add default SUDO HBAC service group with two services sudo & sudo-i
* Installing schema
No SUDO rules are created by default by this patch.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This started with the client uninstaller returning a 1 when not installed.
There was no way to tell whether the uninstall failed or the client
simply wasn't installed which caused no end of grief with the installer.
This led to a lot of certmonger failures too, either trying to stop
tracking a non-existent cert or not handling an existing tracked
certificate.
I moved the certmonger code out of the installer and put it into the
client/server shared ipapython lib. It now tries a lot harder and smarter
to untrack a certificate.
ticket 142
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We don't use certmonger to get certificates during installation because
of the chicken-and-egg problem. This means that the IPA web and ldap
certs aren't being tracked for renewal.
This requires some manual changes to the certmonger request files once
tracking has begun because it doesn't store a subject or principal template
when a cert is added via start-tracking.
This also required some changes to the cert command plugin to allow a
host to execute calls against its own service certs.
ticket 67
|