summaryrefslogtreecommitdiffstats
path: root/ipaserver
Commit message (Collapse)AuthorAgeFilesLines
* Use a common group for all DS instancesSimo Sorce2011-01-313-65/+58
| | | | | | | | Also remove the option to choose a user. It is silly to keep it, when you can't choose the group nor the CA directory user. Fixes: https://fedorahosted.org/freeipa/ticket/851
* Add ldap2 method to retrieve allowed attributes for specified objectClasses.Pavel Zuna2011-01-261-3/+17
| | | | | | | ldap2.get_allowed_attribute(['posixuser']) returns a list of unicode all lower case attribute names allowed for the object class 'posixuser'
* Fix assorted bugs found by pylintJakub Hrozek2011-01-257-23/+5
|
* Fix ipa-replica-manage regressions with winsyncSimo Sorce2011-01-252-3/+6
| | | | | | Avoids ipa-replica-manage to throw up errors. Fixes: https://fedorahosted.org/freeipa/ticket/807
* Always add DNS records when installing a replicaSimo Sorce2011-01-251-0/+58
| | | | | | | Even if the replica is not running a DNS server other replicas might. So if the DNS container is present, then try to add DNS records. Fixes: https://fedorahosted.org/freeipa/ticket/824
* Populate shared tree with replica related valuesSimo Sorce2011-01-252-0/+51
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/820
* Do not set a replication dn when using SASL/GSSAPI replicationSimo Sorce2011-01-241-23/+16
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/817
* Update kerberos password policy values on LDAP binds.Rob Crittenden2011-01-211-0/+4
| | | | | | | | | | | | | | | On a failed bind this will update krbLoginFailedCount and krbLastFailedAuth and will potentially fail the bind altogether. On a successful bind it will zero krbLoginFailedCount and set krbLastSuccessfulAuth. This will also enforce locked-out accounts. See http://k5wiki.kerberos.org/wiki/Projects/Lockout for details on kerberos lockout. ticket 343
* Add some basic filter validation to permissions and disallow empty filtersRob Crittenden2011-01-211-0/+2
| | | | | | | Try a query with a filter to see if it is at least legal. This doesn't guarantee that the filter is at all otherwise sane. ticket 808
* Allow SASL/EXTERNAL authentication for the root userSimo Sorce2011-01-201-0/+5
| | | | | | | | This gives the root user low privileges so that when anonymous searches are denied the init scripts can still search the directory via ldapi to get the list of serevices to start. Fixes: https://fedorahosted.org/freeipa/ticket/795
* Make krb5kdc use the ldapi socket to talk to dirsrvSimo Sorce2011-01-201-0/+2
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/812
* Add a way to print output from commandsSimo Sorce2011-01-181-12/+15
| | | | | | | | Instead pof always capturing the output, make it possible to let it go to the standard output pipes. Use this in ipactl to let init scripts show their output. Fixes: https://fedorahosted.org/freeipa/ticket/765
* Password generation and logging in ipa-server-installMartin Kosek2011-01-182-2/+7
| | | | | | | | | | | | When a randomly generated password contains a space character as the first or the last character, installation fails on kdb5_ldap_util calling, which does not accept that. This patch fixes the generator to generate space only on allowed position. This patch also ensures that no password is printed to server install log. https://fedorahosted.org/freeipa/ticket/731
* Fix replica installation warningsSimo Sorce2011-01-141-2/+2
| | | | | We were attempting to re-add these entries on the replicas too. Which were failing because these containers, obviously, already existed there.
* Port installer and host plugin to the new DNS pluginJakub Hrozek2011-01-141-15/+15
| | | | | | * move ipa dns-resolve to the new plugin * port the installer and the host plugin to the new interface * remove the old plugin
* Remove radius options completely.Simo Sorce2011-01-141-2/+0
| | | | | | | This has been completely abandoned since ipa v1 and is not built by default. Instead of carrying dead weight, let's remove it for now. Fixes: https://fedorahosted.org/freeipa/ticket/761
* Move mep templates under cn=etcSimo Sorce2011-01-142-3/+4
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/760
* Use GSSAPI for replicationSimo Sorce2011-01-142-13/+141
| | | | | | | Uses a temporary simple replication agreement over SSL to init the tree. Then once all principals have been created switches replication to GSSAPI. Fixes: https://fedorahosted.org/freeipa/ticket/690
* Refactor some replication codeSimo Sorce2011-01-142-94/+97
| | | | | This simplifies or rationalizes some code in order to make it easier to change it to fix bug #690
* python-ldap fails gloriously if the search time limit is 0. Don't allow it.Rob Crittenden2011-01-141-0/+2
| | | | | | | | | Don't allow the time limit to be set in the API. Also add a failsafe in the ldap driver because such bad things happen if this value is 0. I think it literally spends 0 time on the request and just returns immediately. ticket 752
* Fix output of failed managedby hosts, allow a host to manage itself.Rob Crittenden2011-01-111-3/+9
| | | | | | | | | | | The output problem was a missing label for failed managedby. This also fixes a call to print_entry that was missing the flags argument. Add a flag to specify whether a group can be a member of itself, defaulting to False. ticket 708
* Exit if a DNS A or AAAA record doesn't exist for the replica we are preparing.Rob Crittenden2011-01-111-2/+2
| | | | | | | | | Without this it is possible to prepare a replica for a host that doesn't exist in DNS. The result when this replica file is installed is that replication will fail because the master won't be able to communicate to the replica by name. ticket 680
* Enable low-level LDAP debugging.Rob Crittenden2011-01-111-1/+4
|
* Temporarily work around SSL connection issue causing installation to fail.Rob Crittenden2011-01-071-1/+2
| | | | | Not sure if this is an openldap-client, pem-nss or python-ldap problem yet but the installation is failing.
* Create the reverse zone by defaultJakub Hrozek2011-01-071-5/+3
| | | | | | A new option to specify reverse zone creation for unattended installs https://fedorahosted.org/freeipa/ticket/678
* Allow ipa-dns-install to install with just admin credentialsSimo Sorce2011-01-074-68/+50
| | | | | | | Do this by creating a common way to attach to the ldap server for each instance. Fixes: https://fedorahosted.org/freeipa/ticket/686
* Allow ipa-dns-install to configure DNS on a replica.Simo Sorce2011-01-071-6/+31
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/645
* fixes CA install problem in trac ticket 682John Dennis2011-01-051-18/+24
| | | | | | Do not call status after pkisilent, it will return non-zero. Instead restart server after pkisilent so configuration changes take effect, the check the status.
* Don't use Class of Service for account activation, use attribute.Rob Crittenden2011-01-041-47/+4
| | | | | | | | | | To support group-based account disablement we created a Class of Service where group membership controlled whether an account was active or not. Since we aren't doing group-based account locking drop that and use nsaccountlock directly. ticket 568
* Move permissions and privileges to their own container, cn=pbac,$SUFFIXRob Crittenden2010-12-221-1/+1
| | | | ticket 638
* Make ipa-replica-manage del actually remove all replication agreementsSimo Sorce2010-12-211-2/+4
| | | | | | | | The previous code was removing only one agreement, leaving all other in place. This would leave dangling replication agreements once the replica is uninstalled. Fixes: https://fedorahosted.org/freeipa/ticket/624
* Do not require DNS record, just warn if one is missingJakub Hrozek2010-12-211-9/+8
|
* Rework old init and synch commands and use better names.Simo Sorce2010-12-211-7/+14
| | | | | | | | These commands can now be run exclusively o the replica that needs to be resynced or reinitialized and the --from command must be used to tell from which other replica it can will pull data. Fixes: https://fedorahosted.org/freeipa/ticket/626
* Remove referrals when removing agreementsSimo Sorce2010-12-211-0/+13
| | | | | | | | | Part of this fix requires also giving proper permission to change the replication agreements root. While there also fix replica-related permissions to have the classic add/modify/remove triplet of permissions. Fixes: https://fedorahosted.org/freeipa/ticket/630
* Make ipa-replica-manage list return all known mastersSimo Sorce2010-12-211-4/+4
| | | | | | | if ipa-replica-manage list is given a master name as argument then the tool has the old behavior of listing that specific master replication agreements Fixes: https://fedorahosted.org/freeipa/ticket/625
* Add disconnect command to ipa-replica-manageSimo Sorce2010-12-211-0/+22
| | | | | | | | Can remove replication agreements between 2 replicas as long as it is not the last agreement (except for Ad replication agreements, which can always be removed). Fixes: https://fedorahosted.org/freeipa/ticket/551
* Remove common entries when deleting a master.Simo Sorce2010-12-213-3/+106
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/550
* Add replication related acis to all replicasSimo Sorce2010-12-211-0/+5
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/617
* Fix race condition in installation due to use of asynchronous search.Simo Sorce2010-12-211-19/+12
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/640
* Change FreeIPA license to GPLv3+Jakub Hrozek2010-12-2027-135/+135
| | | | | | | | | | The changes include: * Change license blobs in source files to mention GPLv3+ not GPLv2 only * Add GPLv3+ license text * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think https://fedorahosted.org/freeipa/ticket/239
* Make the IPA installer IPv6 friendlyJakub Hrozek2010-12-202-43/+68
| | | | | | | | | Notable changes include: * parse AAAA records in dnsclient * also ask for AAAA records when verifying FQDN * do not use functions that are not IPv6 aware - notably socket.gethostbyname() The complete list of functions was taken from http://www.akkadia.org/drepper/userapi-ipv6.html section "Interface Checklist"
* Verify that the replication plugin exists before setting up replicas.Rob Crittenden2010-12-171-0/+14
| | | | ticket 502
* Properly quote passwords sent to pkisilent so special characters work.Rob Crittenden2010-12-171-7/+7
| | | | | | Also check for url-encoded passwords before logging them. ticket 324
* Add krb5-pkinit-openssl as a Requires on ipa-server packageRob Crittenden2010-12-161-10/+0
| | | | ticket 599
* managed entry hostgroup netgroup support ↵Jr Aquino2010-12-131-0/+6
| | | | https://fedorahosted.org/freeipa/ticket/543
* Save exception so it can be passed along.Rob Crittenden2010-12-111-1/+1
|
* Fix Install using dogtag.Simo Sorce2010-12-103-7/+15
| | | | | | | The CA is installed before DS so we need to wait until DS is actually installed to be able to ldap_enable the CA instance. Fixes: https://fedorahosted.org/freeipa/ticket/612
* Move Selfsigned CA creation out of dsinstanceSimo Sorce2010-12-105-47/+47
| | | | | | | | This allows us to have the CA ready to serve out certs for any operation even before the dsinstance is created. The CA is independent of the dsinstance anyway. Also fixes: https://fedorahosted.org/freeipa/ticket/544
* Introduce ipa control script that reads configuration off ldapSimo Sorce2010-12-106-18/+72
| | | | | | | | | | | This replace the former ipactl script, as well as replace the current way ipa components are started. Instead of enabling each service in the system init scripts, enable only the ipa script, and then let it start all components based on the configuration read from the LDAP tree. resolves: https://fedorahosted.org/freeipa/ticket/294
* Split dsinstance configurationSimo Sorce2010-12-102-33/+82
| | | | | This is so that master and replica creation can perform different operations as they need slightly diffeent settings to be applied.
generated by cgit (git 2.34.1) at 2024-05-03 13:57:12 +0000