path: root/ipaserver
Commit message | Author | Age | Files | Lines
* replication: Fix incorrect exception invocation | Tomas Babej | 2015-07-24 | 1 | -1/+1
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* dcerpc: Add get_trusted_domain_object_type method | Tomas Babej | 2015-07-23 | 1 | -0/+29
  https://fedorahosted.org/freeipa/ticket/5029
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* dcerpc: Fix UnboundLocalError for ccache_name | Tomas Babej | 2015-07-22 | 1 | -0/+2
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* dcerpc: Expand explanation for WERR_ACCESS_DENIED | Tomas Babej | 2015-07-21 | 1 | -7/+29
  It's possible for AD to contact a wrong IPA server in case the DNS SRV records on the AD side are not properly configured. Mention this case in the error message as well.
  https://fedorahosted.org/freeipa/ticket/5013
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* DNS: check if DNS package is installed | Martin Basti | 2015-07-21 | 4 | -37/+7
  Instead of separately checking the required DNS packages, we only need to check whether the IPA DNS package is installed.
  https://fedorahosted.org/freeipa/ticket/4058
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Py3: replace tab with space | Martin Basti | 2015-07-17 | 1 | -1/+1
  Python 3 does not allow mixing spaces and tabs.
  Reviewed-By: Christian Heimes <cheimes@redhat.com>
* Allow value 'no' for replica-certify-all attr in abort-clean-ruv subcommand | Martin Basti | 2015-07-17 | 1 | -1/+2
  The --force option sets replica-certify-all to 'no' during the abort-clean-ruv subcommand.
  https://fedorahosted.org/freeipa/ticket/4988
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Fix minor typos | Yuri Chornoivan | 2015-07-17 | 1 | -1/+1
  <ame> -> <name>
  overriden -> overridden
  ablity -> ability
  enties -> entries
  the the -> the
  https://fedorahosted.org/freeipa/ticket/5109
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
  Reviewed-By: Christian Heimes <cheimes@redhat.com>
* ipa-ca-install: print more specific errors when CA is already installed | Martin Babinsky | 2015-07-16 | 1 | -2/+10
  This patch implements more thorough checking for already installed CAs during standalone CA installation using ipa-ca-install. The installer now differentiates between a CA that is already installed locally and a CA installed on one or more masters in the topology, and prints an appropriate error message.
  https://fedorahosted.org/freeipa/ticket/4492
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* selinux: enable httpd_run_ipa to allow communicating with oddjobd services | Alexander Bokovoy | 2015-07-16 | 1 | -0/+1
  A new SELinux policy allows communication between the IPA framework running under Apache and oddjobd-based services via DBus. This communication is crucial for one-way trust support and is also required for any out-of-band tools which may be executed by the IPA framework.
  Details of the out-of-band communication and the SELinux policy can be found in bug https://bugzilla.redhat.com/show_bug.cgi?id=1238165
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Remove tuple unpacking from except clause ipaserver/dcerpc.py | Christian Heimes | 2015-07-14 | 1 | -6/+12
  Python 3 doesn't support tuple unpacking in except clauses. All implicit tuple unpackings have been replaced with explicit unpacking of e.args.
  https://fedorahosted.org/freeipa/ticket/5120
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fix DNS records installation for replicas | Simo Sorce | 2015-07-14 | 1 | -3/+3
  Ticket: https://fedorahosted.org/freeipa/ticket/5116
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Start dirsrv for kdcproxy upgrade | Christian Heimes | 2015-07-14 | 1 | -16/+19
  The kdcproxy upgrade step in ipa-server-upgrade needs a running dirsrv instance. Under some circumstances the dirsrv isn't running. The patch rearranges some upgrade steps and starts DS before enable_kdcproxy().
  https://fedorahosted.org/freeipa/ticket/5113
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Revert "Hide topology and domainlevel features" | Tomas Babej | 2015-07-10 | 1 | -2/+1
  This reverts commit 62e8002bc43ddd890c3db35a123cb7daf35e3121.
  Hiding of the topology and domainlevel features was necessary for the 4.2 branch only.
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* upgrade: Enable and start oddjobd if adtrust is available | Tomas Babej | 2015-07-08 | 1 | -0/+24
  If ipa-adtrust-install has already been run on the system, enable and start the oddjobd service.
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* adtrustinstance: Enable and start oddjobd | Tomas Babej | 2015-07-08 | 2 | -0/+30
  Enable and start the oddjobd service as part of ipa-adtrust-install for new IPA installations.
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Upgrade: Do not show upgrade failed message when IPA is not installed | Martin Basti | 2015-07-08 | 1 | -0/+5
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* trust: support retrieving POSIX IDs with one-way trust during trust-add | Alexander Bokovoy | 2015-07-08 | 1 | -18/+65
  With one-way trust we cannot rely on cross-realm TGT as there will be none. Thus, if we have AD administrator credentials we should reuse them. Additionally, such use should be done over Kerberos.
  Fixes: https://fedorahosted.org/freeipa/ticket/4960
  https://fedorahosted.org/freeipa/ticket/4959
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* trusts: add support for one-way trust and switch to it by default | Alexander Bokovoy | 2015-07-08 | 1 | -12/+32
  One-way trust is the default now; use 'trust add --two-way' to force bidirectional trust.
  https://fedorahosted.org/freeipa/ticket/4959
  In case of one-way trust we cannot authenticate using cross-realm TGT against an AD DC. We have to use the trusted domain object from within the AD domain, and access to this object is limited to avoid compromising the whole trust configuration.
  Instead, the IPA framework can call out to the oddjob daemon and ask it to run a script which can have access to the TDO object. This script (com.redhat.idm.trust-fetch-domains) uses the cifs/ipa.master principal to retrieve TDO object credentials from IPA LDAP if needed and then authenticates against AD DCs using the TDO object credentials. The script pulls the trust topology out of AD DCs and updates the IPA LDAP store. Then the IPA framework can pick up the updated data from IPA LDAP under normal access conditions.
  Part of https://fedorahosted.org/freeipa/ticket/4546
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* trusts: pass AD DC hostname if specified explicitly | Alexander Bokovoy | 2015-07-08 | 1 | -3/+7
  Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1222047
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipa-adtrust-install: add IPA master host principal to adtrust agents | Alexander Bokovoy | 2015-07-08 | 4 | -30/+78
  Fixes https://fedorahosted.org/freeipa/ticket/4951
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* dcerpc: Raise ACIError correctly | Tomas Babej | 2015-07-08 | 1 | -3/+5
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipa-replica-prepare: Do not create DNS zone automatically. | David Kupka | 2015-07-08 | 1 | -5/+8
  When --ip-address is specified, check if the relevant DNS zone exists in the IPA-managed DNS server, and exit with an error when it does not.
  https://fedorahosted.org/freeipa/ticket/5014
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* certprofile: add ability to update profile config in Dogtag | Fraser Tweedale | 2015-07-08 | 1 | -0/+12
  Add the `--file=FILENAME' option to `certprofile-mod' which, when given, will update the profile configuration in Dogtag to the contents of the file.
  Fixes: https://fedorahosted.org/freeipa/ticket/5093
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* certprofile: add option to export profile config | Fraser Tweedale | 2015-07-08 | 1 | -0/+8
  Add the `--out=FILENAME' option to `certprofile-show'. When given, it exports the profile configuration from Dogtag and writes it to the named file.
  Fixes: https://fedorahosted.org/freeipa/ticket/5091
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Hide topology and domainlevel features | Tomas Babej | 2015-07-08 | 1 | -1/+2
    * Hide topology and domainlevel commands in the CLI
    * Hide topology and domainlevel in the WebUI
    * Set maximum allowed domain level to 0
    * Do not configure and enable the topology plugin
  https://fedorahosted.org/freeipa/ticket/5097
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNSSEC: ipa-dns-install: Detect existing master server sooner. | Petr Spacek | 2015-07-07 | 1 | -14/+12
  The user should get the error before installing missing packages etc.
  https://fedorahosted.org/freeipa/ticket/4657
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* DNSSEC: update message | Martin Basti | 2015-07-07 | 1 | -7/+21
  https://fedorahosted.org/freeipa/ticket/4657
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* DNSSEC: allow to disable/replace DNSSEC key master | Martin Basti | 2015-07-07 | 5 | -22/+295
  This commit allows replacing or disabling the DNSSEC key master. Replacing the DNSSEC master requires the user to copy the kasp.db file manually.
  ipa-dns-install:
    --disable-dnssec-master          DNSSEC master will be disabled
    --dnssec-master --kasp-db=FILE   This configures a new DNSSEC master server; kasp.db from the old server is required for successful replacement
    --force                          Skip checks
  https://fedorahosted.org/freeipa/ticket/4657
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Server Upgrade: use debug log level for upgrade instead of info | Martin Basti | 2015-07-03 | 7 | -39/+39
  Upgrade contains too many unnecessary info logs.
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* winsync_migrate: Generalize membership migration | Tomas Babej | 2015-07-02 | 1 | -21/+78
  https://fedorahosted.org/freeipa/ticket/4943
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* winsync_migrate: Migrate memberships of the winsynced users | Tomas Babej | 2015-07-02 | 1 | -0/+51
  https://fedorahosted.org/freeipa/ticket/4524
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* idviews: Fallback to AD DC LDAP only if specifically allowed | Tomas Babej | 2015-07-02 | 1 | -1/+6
  https://fedorahosted.org/freeipa/ticket/4524
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* winsync-migrate: Move the tool under ipaserver.install package | Tomas Babej | 2015-07-02 | 1 | -0/+0
  https://fedorahosted.org/freeipa/ticket/4524
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* winsync-migrate: Rename the tool to achieve consistency with other tools | Tomas Babej | 2015-07-02 | 2 | -28/+5
  https://fedorahosted.org/freeipa/ticket/4524
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* winsync-migrate: Delete winsync agreement prior to migration | Tomas Babej | 2015-07-02 | 1 | -0/+35
  https://fedorahosted.org/freeipa/ticket/4524
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* winsync-migrate: Require explicit specification of the target server and validate existing agreement | Tomas Babej | 2015-07-02 | 1 | -0/+33
  https://fedorahosted.org/freeipa/ticket/4524
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* winsync-migrate: Require root privileges | Tomas Babej | 2015-07-02 | 1 | -1/+2
  https://fedorahosted.org/freeipa/ticket/4524
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* dcerpc: Add debugging message to failing kinit as http | Tomas Babej | 2015-07-02 | 1 | -0/+2
  https://fedorahosted.org/freeipa/ticket/4524
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* dcerpc: Change logging level for debug information | Tomas Babej | 2015-07-02 | 1 | -2/+2
  https://fedorahosted.org/freeipa/ticket/4524
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* winsync-migrate: Move the api initialization and LDAP connection to the main method | Tomas Babej | 2015-07-02 | 1 | -3/+12
  https://fedorahosted.org/freeipa/ticket/4524
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* migrate-winsync: Add option validation and handling | Tomas Babej | 2015-07-02 | 1 | -0/+44
  https://fedorahosted.org/freeipa/ticket/4524
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* migrate-winsync: Create user ID overrides in place of winsynced user entries | Tomas Babej | 2015-07-02 | 1 | -0/+32
  https://fedorahosted.org/freeipa/ticket/4524
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* winsync-migrate: Add a way to find all winsync users | Tomas Babej | 2015-07-02 | 1 | -4/+21
  https://fedorahosted.org/freeipa/ticket/4524
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* winsync-migrate: Add initial plumbing | Tomas Babej | 2015-07-02 | 2 | -0/+89
  https://fedorahosted.org/freeipa/ticket/4524
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* KRA Install: check if replica file contains req. certificates | Martin Basti | 2015-07-02 | 1 | -0/+16
  https://fedorahosted.org/freeipa/ticket/5059
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* replication: fix regression in get_agreement_type | Petr Vobornik | 2015-07-01 | 1 | -0/+3
  dcb6916a3b0601e33b08e12aeb25357efed6812b introduced a regression where get_agreement_type does not raise NotFound error if an agreement for host does not exist. The exception was swallowed by get_replication_agreement.
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* replica prepare: Do not use entry after disconnecting from LDAP | Jan Cholasta | 2015-07-01 | 1 | -2/+5
  https://fedorahosted.org/freeipa/ticket/3090
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* plugable: Specify plugin base classes and modules using API properties | Jan Cholasta | 2015-07-01 | 1 | -1/+6
  https://fedorahosted.org/freeipa/ticket/3090
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* plugable: Pass API to plugins on initialization rather than using set_api | Jan Cholasta | 2015-07-01 | 11 | -83/+37
  https://fedorahosted.org/freeipa/ticket/3090
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>