| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
| |
It was discovered that using the batch plugin it was possible to
store duplicate data in parts of the ipa_config during iterations.
This was causing a cascading exec failures if any one of the batch
executions failed.
https://fedorahosted.org/freeipa/ticket/1220
|
|
|
|
|
|
|
|
| |
Remove redundant ipa-client-install error message when optional nscd
daemon was not installed. Additionally, use standard IPA functions
for service manipulation and improve logging.
https://fedorahosted.org/freeipa/ticket/1207
|
|
|
|
|
|
|
|
| |
Since selinux-policy-3.9.16-5.fc15 is out, the dogtag port 7390 is
handled via selinux-policy and there is no need to manage it in
FreeIPA installer.
https://fedorahosted.org/freeipa/ticket/1205
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This option does not behave properly in F15 as chkconfig does not list services
moved to use systemd service files.
Plus there are more direct ways than parsing its output, which are more
reliable.
Also just testing for the availability of the service calling 'chkconfig name'
is enough.
https://fedorahosted.org/freeipa/ticket/1206
|
|
|
|
|
|
|
|
|
|
|
| |
When replica with DNS is installed, NS records for the managed zone
are not updated with the replica FQDN. The administrator then has
to do it manually to enroll the new DNS server to the zone.
This patch also removes the newly created NS records when the
replica is removed via ipa-replica-manage command.
https://fedorahosted.org/freeipa/ticket/1034
|
|
|
|
|
|
|
| |
Fix a logging error in ipa-ldap-updater which may cause IPA
installer to crash.
https://fedorahosted.org/freeipa/ticket/1199
|
|
|
|
|
|
|
|
|
|
|
| |
There are times where one side or the other is missing its peers
krbprincipalname when converting from simple to GSSAPI replication. Ticket
1188 should address the cause of this.
This patch provides better information and handling should either side
be missing.
ticket 1044
|
|
|
|
|
|
|
|
| |
Wait for DS ports to open after _every_ DS service restart.
Several restarts were missed by the current open port checker
implementation.
https://fedorahosted.org/freeipa/ticket/1182
|
|
|
|
|
|
|
|
|
|
|
| |
Rather than doing full searches for members read each member individually
to determine if it is direct or indirect.
Also add a fail-safe when calculating indirect membership so removing
a member will log enough information for debugging (ticket 1133).
https://fedorahosted.org/freeipa/ticket/1139
https://fedorahosted.org/freeipa/ticket/1133
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This was causing a replica DS instance to crash if the task was not
completed when we attempted a shutdown to do a restart.
In replication.py we were restarting the DS instance without waiting
for the ports to become available.
It is unlikely that the dn of the memberof task will change but just in
case I noted it in the two places it is referenced.
ticket 1188
|
| |
|
|
|
|
|
|
|
|
| |
This adds a new directive to ipa-ldap-updater: addifnew. This will add
a new attribute only if it doesn't exist in the current entry. We can't
compare values because the value we are adding is automatically generated.
ticket 1177
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The root user cannot use ldapi because of the autobind configuration.
Fall back to a standard GSSAPI sasl bind if the external bind fails.
With --ldapi a regular user may be trying this as well, catch that
and report a reasonable error message.
This also gives priority to the DM password if it is passed in.
Also require the user be root to run the ipa-nis-manage command.
We enable/disable and start/stop services which need to be done as root.
Add a new option to ipa-ldap-updater to prompt for the DM password.
Remove restriction to be run as root except when doing an upgrade.
Ticket 1157
|
|
|
|
|
|
|
|
|
|
|
| |
Looking at the schema in 60basev2.ldif there were many attributes that did
not have an ORDERING matching rule specified correctly. There were also a
number of attributeTypes that should have been just SUP
distinguishedName that had a combination of SUP, SYNTAX, ORDERING, etc.
This requires 389-ds-base-1.2.8.0-1+
ticket 1153
|
|
|
|
|
|
|
|
| |
There are some operations that fetch the configuration multiple times.
This will return a cached value instead of getting it from LDAP over
and over.
ticket 1023
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/1140
|
|
|
|
| |
ticket 1009
|
|
|
|
|
|
|
|
|
|
|
| |
When Directory Server operation is run right after the server restart
the listening ports may not be opened yet. This makes the installation
fail.
This patch fixes this issue by waiting for both secure and insecure
Directory Server ports to open after every restart.
https://fedorahosted.org/freeipa/ticket/1076
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Re-enable ldapi code in ipa-ldap-updater and remove the searchbase
restriction when run in --upgrade mode. This allows us to autobind
giving root Directory Manager powers.
This also:
* corrects the ipa-ldap-updater man page
* remove automatic --realm, --server, --domain options
* handle upgrade errors properly
* saves a copy of dse.ldif before we change it so it can be recovered
* fixes an error discovered by pylint
ticket 1087
|
|
|
|
| |
ticket 1080
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This fixes 2 AVCS:
* One because we are enabling port 7390 because an SSL port must be
defined to use TLS On 7389.
* We were symlinking to the main IPA 389-ds NSS certificate databsae.
Instead generate a separate NSS database and certificate and have
certmonger track it separately
I also noticed some variable inconsistency in cainstance.py. Everywhere
else we use self.fqdn and that was using self.host_name. I found it
confusing so I fixed it.
ticket 1085
|
|
|
|
|
|
|
|
| |
Explicitly use the realm specified on the command line.
Many places were assuming that the domain and realm were the same.
https://bugzilla.redhat.com/show_bug.cgi?id=684690
https://fedorahosted.org/freeipa/ticket/1091
|
|
|
|
|
|
|
|
| |
Configure the dogtag 389-ds instance with SSL so we can enable TLS
for the dogtag replication agreements. The NSS database we use is a
symbolic link to the IPA 389-ds instance.
ticket 1060
|
|
|
|
|
|
|
| |
This patch fixes a typo in class Service, function __get_conn which
causes ipa-dns-install script to fail every time.
https://fedorahosted.org/freeipa/ticket/1065
|
|
|
|
|
|
| |
The patch also corrects exception handling in some of the tools.
Fix #874
|
|
|
|
|
|
|
| |
Jakub did the initial diagnosis of this, I added a fix for removing
the last entry when removing members and a test case.
ticket 1000
|
|
|
|
|
|
|
|
|
|
|
|
| |
IPA server/replica uninstallation may fail when it tries to restore
a Directory server configuration file in sysrestore directory, which
was already restored before.
The problem is in Directory Server uninstaller which uses and modifies
its own image of sysrestore directory state instead of using the
common uninstaller image.
https://fedorahosted.org/freeipa/ticket/1026
|
|
|
|
| |
Fixes: https://fedorahosted.org/freeipa/ticket/1007
|
|
|
|
| |
ticket 1005
|
|
|
|
| |
Fixes: https://fedorahosted.org/freeipa/ticket/1022
|
|
|
|
|
|
|
|
|
|
| |
By calling directly sasl_interactive_bind_s() we were not calling __lateinit()
This in turn resulted in some variables like dbdir not to be set on the
IPAadmin object.
Keep all bind types in the same place so the same common sbind steps can be
performed in each case.
Related to: https://fedorahosted.org/freeipa/ticket/1022
|
|
|
|
| |
Fixes: https://fedorahosted.org/freeipa/ticket/1006
|
|
|
|
|
| |
Fix #904
Fix #917
|
|
|
|
|
|
|
|
| |
The group is now required because 389-ds has tightened the permissions
on /var/run/dirsrv. We use the same group for both our LDAP instances
and /var/run/dirsrv ends up as root:dirsrv mode 0770.
ticket 1010
|
|
|
|
|
|
|
|
|
|
|
|
| |
We weren't searching the cn=sudo container so all members of a
sudocmdgroup looked indirect.
Add a label for sudo command groups.
Update the tests to include verifying that membership is done
properly.
ticket 1003
|
|
|
|
|
|
|
|
| |
Read access is denied to the sudo container for unauthenticated users.
This shared user can be used to provide authenticated access to the
sudo information.
https://fedorahosted.org/freeipa/ticket/998
|
|
|
|
|
|
|
|
|
|
|
| |
Created some default roles as examples. In doing so I realized that
we were completely missing default rules for HBAC, SUDO and password
policy so I added those as well.
I ran into a problem when the updater has a default record and an add
at the same time, it should handle it better now.
ticket 585
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This creates a new custom attribute, memberofindirect_[plugin].
Using this you can tell the difference between being an actual memberof
another entry and being a memberof as the result if inheritence. This is
particularly useful when trying to remove members of an entry, you can
only remove direct members.
I had to add a couple of short sleep calls to make things work a little
better. The memberof plugin runs as a postop and we have no way of knowing
when it has done its work. If we don't pause we may show some stale
data that memberof hasn't updated yet. .3 seconds is an arbitrary choice.
ticket 966
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/977
|
|
|
|
|
|
|
|
|
|
|
| |
When enabling replication we make an SSL connection. I think the way
this goes is python-ldap -> openldap -> NSS. It may be a problem in
the openldap SSL client, maybe it isn't calling NSS_Shutdown(). In any
case if we use ldapi instead the problem goes away.
Back out the temporary code to ignore nss_shutdown errors.
ticket 965
|
|
|
|
| |
Fixes: https://fedorahosted.org/freeipa/ticket/935
|
| |
|
|
|
|
|
| |
This patch removes two files which seem to be long obsoleted and not
used any more.
|
|
|
|
| |
ticket 971
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add pointer to self to /etc/hosts to avoid chicken/egg problems when
restarting DNS.
On servers set both dns_lookup_realm and dns_lookup_kdc to false so we don't
attempt to do any resolving. Leave it to true on clients.
Set rdns to false on both server and client.
https://fedorahosted.org/freeipa/ticket/931
|
|
|
|
|
|
|
|
|
|
|
|
| |
The situation is if during installation /etc/krb5.conf either doesn't
exist or configures no realms then 389-ds won't start up at all, causing
the installation to fail. This will let the server start up in a degraded
mode.
Also need to make the sub_dict in ldapupdate.py handle no realm otherwise
the installation will abort enabling the compat plugin.
ticket 606
|
|
|
|
|
|
|
|
| |
We have no way to say "replace value X with Y". This would be useful
for us to replace a default value only if the user hasn't already
updated it.
related to ticket 930
|
|
|
|
|
|
|
|
|
|
| |
Request logging on the server only happened if you added verbose=True
or debug=True to the IPA config file. We should log the basics at
least: who, what, result.
Move a lot of entries from info to debug logging as well.
Related to ticket 873
|
|
|
|
| |
ticket 944
|