| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Fix #927
|
|
|
|
|
|
|
|
|
| |
A cosmetic patch to IPA server installation output aimed to make
capitalization in installer output consistent. Several installation
tasks started with a lowercase letter and several installation
task steps started with an uppercase letter.
https://fedorahosted.org/freeipa/ticket/776
|
|
|
|
|
|
|
| |
* Make host-add, host-del and reverse zone creation IPv6 aware
* Make Bind listen on IPv6 interfaces, too
https://fedorahosted.org/freeipa/ticket/398
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds a plugin, entitle, to register to the entitlement server, consume
entitlements and to count and track them. It is also possible to
import an entitlement certificate (if for example the remote entitlement
server is unaviailable).
This uses the candlepin server from https://fedorahosted.org/candlepin/wiki
for entitlements.
Add a cron job to validate the entitlement status and syslog the results.
tickets 28, 79, 278
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There wasn't an exception in the "is the server already installed"
check for a two-stage CA installation.
Made the installer slightly more robust. We create a cache file of
answers so the next run won't ask all the questions again. This cache
is removed when the installation is complete. Previously nothing would work
if the installer was run more than once, this should be fixed now.
The cache is encrypted using the DM password.
The second problem is that the tomcat6 init script returns control
before the web apps are up. Add a small loop in our restart method
to wait for the 9180 port to be available.
This also adds an additional restart to ensure that nonces are disabled.
ticket 835
revise
|
|
|
|
| |
Fixes: https://fedorahosted.org/freeipa/ticket/887
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/881
|
|
|
|
| |
This fixes an installation failure.
|
|
|
|
|
|
|
|
| |
Also remove the option to choose a user.
It is silly to keep it, when you can't choose the group nor the CA
directory user.
Fixes: https://fedorahosted.org/freeipa/ticket/851
|
|
|
|
|
|
|
| |
ldap2.get_allowed_attribute(['posixuser'])
returns a list of unicode all lower case attribute names allowed
for the object class 'posixuser'
|
| |
|
|
|
|
|
|
| |
Avoids ipa-replica-manage to throw up errors.
Fixes: https://fedorahosted.org/freeipa/ticket/807
|
|
|
|
|
|
|
| |
Even if the replica is not running a DNS server other replicas might.
So if the DNS container is present, then try to add DNS records.
Fixes: https://fedorahosted.org/freeipa/ticket/824
|
|
|
|
| |
Fixes: https://fedorahosted.org/freeipa/ticket/820
|
|
|
|
| |
Fixes: https://fedorahosted.org/freeipa/ticket/817
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
On a failed bind this will update krbLoginFailedCount and krbLastFailedAuth
and will potentially fail the bind altogether.
On a successful bind it will zero krbLoginFailedCount and set
krbLastSuccessfulAuth.
This will also enforce locked-out accounts.
See http://k5wiki.kerberos.org/wiki/Projects/Lockout for details on
kerberos lockout.
ticket 343
|
|
|
|
|
|
|
| |
Try a query with a filter to see if it is at least legal. This doesn't
guarantee that the filter is at all otherwise sane.
ticket 808
|
|
|
|
|
|
|
|
| |
This gives the root user low privileges so that when anonymous searches are
denied the init scripts can still search the directory via ldapi to get the
list of serevices to start.
Fixes: https://fedorahosted.org/freeipa/ticket/795
|
|
|
|
| |
Fixes: https://fedorahosted.org/freeipa/ticket/812
|
|
|
|
|
|
|
|
| |
Instead pof always capturing the output, make it possible to let
it go to the standard output pipes.
Use this in ipactl to let init scripts show their output.
Fixes: https://fedorahosted.org/freeipa/ticket/765
|
|
|
|
|
|
|
|
|
|
|
|
| |
When a randomly generated password contains a space character
as the first or the last character, installation fails on
kdb5_ldap_util calling, which does not accept that. This patch
fixes the generator to generate space only on allowed position.
This patch also ensures that no password is printed to
server install log.
https://fedorahosted.org/freeipa/ticket/731
|
|
|
|
|
| |
We were attempting to re-add these entries on the replicas too.
Which were failing because these containers, obviously, already existed there.
|
|
|
|
|
|
| |
* move ipa dns-resolve to the new plugin
* port the installer and the host plugin to the new interface
* remove the old plugin
|
|
|
|
|
|
|
| |
This has been completely abandoned since ipa v1 and is not built by default.
Instead of carrying dead weight, let's remove it for now.
Fixes: https://fedorahosted.org/freeipa/ticket/761
|
|
|
|
| |
Fixes: https://fedorahosted.org/freeipa/ticket/760
|
|
|
|
|
|
|
| |
Uses a temporary simple replication agreement over SSL to init the tree.
Then once all principals have been created switches replication to GSSAPI.
Fixes: https://fedorahosted.org/freeipa/ticket/690
|
|
|
|
|
| |
This simplifies or rationalizes some code in order to make it easier to change
it to fix bug #690
|
|
|
|
|
|
|
|
|
| |
Don't allow the time limit to be set in the API. Also add a failsafe
in the ldap driver because such bad things happen if this value is 0.
I think it literally spends 0 time on the request and just returns
immediately.
ticket 752
|
|
|
|
|
|
|
|
|
|
|
| |
The output problem was a missing label for failed managedby.
This also fixes a call to print_entry that was missing the flags argument.
Add a flag to specify whether a group can be a member of itself, defaulting
to False.
ticket 708
|
|
|
|
|
|
|
|
|
| |
Without this it is possible to prepare a replica for a host that doesn't
exist in DNS. The result when this replica file is installed is that
replication will fail because the master won't be able to communicate
to the replica by name.
ticket 680
|
| |
|
|
|
|
|
| |
Not sure if this is an openldap-client, pem-nss or python-ldap problem yet
but the installation is failing.
|
|
|
|
|
|
| |
A new option to specify reverse zone creation for unattended installs
https://fedorahosted.org/freeipa/ticket/678
|
|
|
|
|
|
|
| |
Do this by creating a common way to attach to the ldap server for each
instance.
Fixes: https://fedorahosted.org/freeipa/ticket/686
|
|
|
|
| |
Fixes: https://fedorahosted.org/freeipa/ticket/645
|
|
|
|
|
|
| |
Do not call status after pkisilent, it will return non-zero.
Instead restart server after pkisilent so configuration
changes take effect, the check the status.
|
|
|
|
|
|
|
|
|
|
| |
To support group-based account disablement we created a Class of Service
where group membership controlled whether an account was active or not.
Since we aren't doing group-based account locking drop that and use
nsaccountlock directly.
ticket 568
|
|
|
|
| |
ticket 638
|
|
|
|
|
|
|
|
| |
The previous code was removing only one agreement, leaving all other in place.
This would leave dangling replication agreements once the replica is
uninstalled.
Fixes: https://fedorahosted.org/freeipa/ticket/624
|
| |
|
|
|
|
|
|
|
|
| |
These commands can now be run exclusively o the replica that needs to be
resynced or reinitialized and the --from command must be used to tell from
which other replica it can will pull data.
Fixes: https://fedorahosted.org/freeipa/ticket/626
|
|
|
|
|
|
|
|
|
| |
Part of this fix requires also giving proper permission to change the
replication agreements root.
While there also fix replica-related permissions to have the classic
add/modify/remove triplet of permissions.
Fixes: https://fedorahosted.org/freeipa/ticket/630
|
|
|
|
|
|
|
| |
if ipa-replica-manage list is given a master name as argument then the tool
has the old behavior of listing that specific master replication agreements
Fixes: https://fedorahosted.org/freeipa/ticket/625
|
|
|
|
|
|
|
|
| |
Can remove replication agreements between 2 replicas as long as it is
not the last agreement (except for Ad replication agreements, which can
always be removed).
Fixes: https://fedorahosted.org/freeipa/ticket/551
|
|
|
|
| |
Fixes: https://fedorahosted.org/freeipa/ticket/550
|
|
|
|
| |
Fixes: https://fedorahosted.org/freeipa/ticket/617
|
|
|
|
| |
Fixes: https://fedorahosted.org/freeipa/ticket/640
|
|
|
|
|
|
|
|
|
|
| |
The changes include:
* Change license blobs in source files to mention GPLv3+ not GPLv2 only
* Add GPLv3+ license text
* Package COPYING not LICENSE as the license blobs (even the old ones)
mention COPYING specifically, it is also more common, I think
https://fedorahosted.org/freeipa/ticket/239
|
|
|
|
|
|
|
|
|
| |
Notable changes include:
* parse AAAA records in dnsclient
* also ask for AAAA records when verifying FQDN
* do not use functions that are not IPv6 aware - notably socket.gethostbyname()
The complete list of functions was taken from http://www.akkadia.org/drepper/userapi-ipv6.html
section "Interface Checklist"
|
|
|
|
| |
ticket 502
|