summaryrefslogtreecommitdiffstats
path: root/ipaserver
Commit message (Collapse)AuthorAgeFilesLines
* Temporarily work around SSL connection issue causing installation to fail.Rob Crittenden2011-01-071-1/+2
| | | | | Not sure if this is an openldap-client, pem-nss or python-ldap problem yet but the installation is failing.
* Create the reverse zone by defaultJakub Hrozek2011-01-071-5/+3
| | | | | | A new option to specify reverse zone creation for unattended installs https://fedorahosted.org/freeipa/ticket/678
* Allow ipa-dns-install to install with just admin credentialsSimo Sorce2011-01-074-68/+50
| | | | | | | Do this by creating a common way to attach to the ldap server for each instance. Fixes: https://fedorahosted.org/freeipa/ticket/686
* Allow ipa-dns-install to configure DNS on a replica.Simo Sorce2011-01-071-6/+31
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/645
* fixes CA install problem in trac ticket 682John Dennis2011-01-051-18/+24
| | | | | | Do not call status after pkisilent, it will return non-zero. Instead restart server after pkisilent so configuration changes take effect, the check the status.
* Don't use Class of Service for account activation, use attribute.Rob Crittenden2011-01-041-47/+4
| | | | | | | | | | To support group-based account disablement we created a Class of Service where group membership controlled whether an account was active or not. Since we aren't doing group-based account locking drop that and use nsaccountlock directly. ticket 568
* Move permissions and privileges to their own container, cn=pbac,$SUFFIXRob Crittenden2010-12-221-1/+1
| | | | ticket 638
* Make ipa-replica-manage del actually remove all replication agreementsSimo Sorce2010-12-211-2/+4
| | | | | | | | The previous code was removing only one agreement, leaving all other in place. This would leave dangling replication agreements once the replica is uninstalled. Fixes: https://fedorahosted.org/freeipa/ticket/624
* Do not require DNS record, just warn if one is missingJakub Hrozek2010-12-211-9/+8
|
* Rework old init and synch commands and use better names.Simo Sorce2010-12-211-7/+14
| | | | | | | | These commands can now be run exclusively o the replica that needs to be resynced or reinitialized and the --from command must be used to tell from which other replica it can will pull data. Fixes: https://fedorahosted.org/freeipa/ticket/626
* Remove referrals when removing agreementsSimo Sorce2010-12-211-0/+13
| | | | | | | | | Part of this fix requires also giving proper permission to change the replication agreements root. While there also fix replica-related permissions to have the classic add/modify/remove triplet of permissions. Fixes: https://fedorahosted.org/freeipa/ticket/630
* Make ipa-replica-manage list return all known mastersSimo Sorce2010-12-211-4/+4
| | | | | | | if ipa-replica-manage list is given a master name as argument then the tool has the old behavior of listing that specific master replication agreements Fixes: https://fedorahosted.org/freeipa/ticket/625
* Add disconnect command to ipa-replica-manageSimo Sorce2010-12-211-0/+22
| | | | | | | | Can remove replication agreements between 2 replicas as long as it is not the last agreement (except for Ad replication agreements, which can always be removed). Fixes: https://fedorahosted.org/freeipa/ticket/551
* Remove common entries when deleting a master.Simo Sorce2010-12-213-3/+106
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/550
* Add replication related acis to all replicasSimo Sorce2010-12-211-0/+5
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/617
* Fix race condition in installation due to use of asynchronous search.Simo Sorce2010-12-211-19/+12
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/640
* Change FreeIPA license to GPLv3+Jakub Hrozek2010-12-2027-135/+135
| | | | | | | | | | The changes include: * Change license blobs in source files to mention GPLv3+ not GPLv2 only * Add GPLv3+ license text * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think https://fedorahosted.org/freeipa/ticket/239
* Make the IPA installer IPv6 friendlyJakub Hrozek2010-12-202-43/+68
| | | | | | | | | Notable changes include: * parse AAAA records in dnsclient * also ask for AAAA records when verifying FQDN * do not use functions that are not IPv6 aware - notably socket.gethostbyname() The complete list of functions was taken from http://www.akkadia.org/drepper/userapi-ipv6.html section "Interface Checklist"
* Verify that the replication plugin exists before setting up replicas.Rob Crittenden2010-12-171-0/+14
| | | | ticket 502
* Properly quote passwords sent to pkisilent so special characters work.Rob Crittenden2010-12-171-7/+7
| | | | | | Also check for url-encoded passwords before logging them. ticket 324
* Add krb5-pkinit-openssl as a Requires on ipa-server packageRob Crittenden2010-12-161-10/+0
| | | | ticket 599
* managed entry hostgroup netgroup support ↵Jr Aquino2010-12-131-0/+6
| | | | https://fedorahosted.org/freeipa/ticket/543
* Save exception so it can be passed along.Rob Crittenden2010-12-111-1/+1
|
* Fix Install using dogtag.Simo Sorce2010-12-103-7/+15
| | | | | | | The CA is installed before DS so we need to wait until DS is actually installed to be able to ldap_enable the CA instance. Fixes: https://fedorahosted.org/freeipa/ticket/612
* Move Selfsigned CA creation out of dsinstanceSimo Sorce2010-12-105-47/+47
| | | | | | | | This allows us to have the CA ready to serve out certs for any operation even before the dsinstance is created. The CA is independent of the dsinstance anyway. Also fixes: https://fedorahosted.org/freeipa/ticket/544
* Introduce ipa control script that reads configuration off ldapSimo Sorce2010-12-106-18/+72
| | | | | | | | | | | This replace the former ipactl script, as well as replace the current way ipa components are started. Instead of enabling each service in the system init scripts, enable only the ipa script, and then let it start all components based on the configuration read from the LDAP tree. resolves: https://fedorahosted.org/freeipa/ticket/294
* Split dsinstance configurationSimo Sorce2010-12-102-33/+82
| | | | | This is so that master and replica creation can perform different operations as they need slightly diffeent settings to be applied.
* Fix search filter generator in ldap2 for NOT operator.Pavel Zuna2010-12-081-0/+6
| | | | | Search filters generated from attributes with multiple values were incorrect when the NOT operator was used (ldap.MATCH_NONE).
* Add new parameter type IA5Str and use this to enforce the right charset.Rob Crittenden2010-12-071-0/+2
| | | | ticket 496
* Ensure list of attrs to retrieve is unique, optimize getting indirect membersRob Crittenden2010-12-061-3/+9
| | | | | | | | | | | This fixes search where we were asking for the member attribute 10 or more times. When retrieving indirect members make sure we always pass around the size and time limits so we don't have to look it up with every call to find_entries() ticket 557
* Do not create reverse zone by defaultJakub Hrozek2010-12-021-2/+10
| | | | | | | Prompt for creation of reverse zone, with the default for unattended installations being False. https://fedorahosted.org/freeipa/ticket/418
* Re-implement access control using an updated model.Rob Crittenden2010-12-011-1/+1
| | | | | | | | | | | | | | | | | | | The new model is based on permssions, privileges and roles. Most importantly it corrects the reverse membership that caused problems in the previous implementation. You add permission to privileges and privileges to roles, not the other way around (even though it works that way behind the scenes). A permission object is a combination of a simple group and an aci. The linkage between the aci and the permission is the description of the permission. This shows as the name/description of the aci. ldap:///self and groups granting groups (v1-style) are not supported by this model (it will be provided separately). This makes the aci plugin internal only. ticket 445
* Enable EntryUSN plugin by default, with global scopeSimo Sorce2010-11-302-1/+5
| | | | | | | This will allow clients to use entryusn values to track what changed in the directory regardles of replication delays. Fixes: https://fedorahosted.org/freeipa/ticket/526
* Create user private groups with a uniqueid.Rob Crittenden2010-11-301-1/+1
| | | | | | | | | | If we don't then we need to add it when a group is detached causing aci issues. I had to move where we create the UPG template until after the DS restart so the schema is available. ticket 542
* Don't use full pathnames for kerberos binaries, let PATH find them.Rob Crittenden2010-11-221-1/+1
| | | | | Kerberos binaries may be in /usr/kerberos/*bin or /usr/*bin, let PATH sort it out.
* Autotune directory server to use a greater number of filesSimo Sorce2010-11-221-4/+66
| | | | | | | | This changes the system limits for the dirsrv user as well as configuring DS to allow by default 8192 max files and 64 reserved files (for replication indexes, etc..). Fixes: https://fedorahosted.org/freeipa/ticket/464
* Save and restore on uninstall ds related config filesSimo Sorce2010-11-222-1/+14
|
* id ranges: change DNA configurationSimo Sorce2010-11-221-17/+19
| | | | | | | | | | | | | Change the way we specify the id ranges to force uid and gid ranges to always be the same. Add option to specify a maximum id. Change DNA configuration to use shared ranges so that masters and replicas can actually share the same overall range in a safe way. Configure replicas so that their default range is depleted. This will force them to fetch a range portion from the master on the first install. fixes: https://fedorahosted.org/freeipa/ticket/198
* Configure KDC to use multiple workersSimo Sorce2010-11-221-0/+34
| | | | | Only if more than one CPU is available Only if supported by the installed krb5kdc
* Exclude Krb lockout attributes from replicationSimo Sorce2010-11-181-1/+8
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/440
* pkinit-replica: create certificates for replicas tooSimo Sorce2010-11-182-5/+27
| | | | | altough the kdc certificate name is not tied to the fqdn we create separate certs for each KDC so that renewal of each of them is done separately.
* anon-pkinit: add well known principalSimo Sorce2010-11-181-0/+18
| | | | | | leave it disabled for now we can change this default once we will have some restriction on what services this principal can get tickets for.
* Add support for configuring KDC certs for PKINITSimo Sorce2010-11-182-5/+129
| | | | | This patch adds support only for the selfsign case. Replica support is also still missing at this stage.
* Use Realm as certs subject base nameSimo Sorce2010-11-185-24/+34
| | | | Also use the realm name as nickname for the CA certificate
* Set CACERTDIR during install to work around openldap bugJakub Hrozek2010-11-111-1/+3
| | | | | | | | Even though ldap.conf(5) claims that LDAPTLS_CACERT takes precedence over LDAPTLS_CACERTDIR, this seems to be broken in F14. This patch works around the issue by setting both into the environment. https://fedorahosted.org/freeipa/ticket/467
* Fix NotFound exception in ipa-nis-manage.Rob Crittenden2010-11-091-1/+1
| | | | | | | | The signature of ldap2.get_entry() changed so normalize wasn't being handled properly so the basedn was always being appended causing our entry in cn=config to be not found. ticket 414
* Rename 60sudo.ldif to 60ipasudo.ldif to not overwrite the 389-ds version.Rob Crittenden2010-11-091-2/+2
| | | | | | This meant that the compat sudo schema was not available. ticket 439
* Use kerberos password policy.Rob Crittenden2010-11-011-0/+4
| | | | | | | | | | | | | | | | | | | | | | | This lets the KDC count password failures and can lock out accounts for a period of time. This only works for KDC >= 1.8. There currently is no way to unlock a locked account across a replica. MIT Kerberos 1.9 is adding support for doing so. Once that is available unlock will be added. The concept of a "global" password policy has changed. When we were managing the policy using the IPA password plugin it was smart enough to search up the tree looking for a policy. The KDC is not so smart and relies on the krbpwdpolicyreference to find the policy. For this reason every user entry requires this attribute. I've created a new global_policy entry to store the default password policy. All users point at this now. The group policy works the same and can override this setting. As a result the special "GLOBAL" name has been replaced with global_policy. This policy works like any other and is the default if a name is not provided on the command-line. ticket 51
* Populate indirect members when showing a group object.Rob Crittenden2010-10-281-0/+71
| | | | | | | | | | | | | | | This is done by creating a new attribute, memberindirect, to hold this indirect membership. The new function get_members() can return all members or just indirect or direct. We are only using it to retrieve indirect members currently. This also: * Moves all member display attributes into baseldap.py to reduce duplication * Adds netgroup nesting * Use a unique object name in hbacsvc and hbacsvcgroup ticket 296
* Allow RDN changes for users, groups, rolegroups and taskgroups.Rob Crittenden2010-10-281-0/+2
| | | | | | | | | | | | To do a change right now you have to perform a setattr like: ipa user-mod --setattr uid=newuser olduser The RDN change is performed before the rest of the mods. If the RDN change is the only change done then the EmptyModlist that update_entry() throws is ignored. ticket 323
generated by cgit (git 2.34.1) at 2024-11-11 17:50:30 +0000