| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Re-enable ldapi code in ipa-ldap-updater and remove the searchbase
restriction when run in --upgrade mode. This allows us to autobind
giving root Directory Manager powers.
This also:
* corrects the ipa-ldap-updater man page
* remove automatic --realm, --server, --domain options
* handle upgrade errors properly
* saves a copy of dse.ldif before we change it so it can be recovered
* fixes an error discovered by pylint
ticket 1087
|
|
|
|
|
|
|
|
|
| |
Nested role is not supported in 2.0.x, so the association facet
for it should be removed from the UI. The attribute_members in
role.py needs to be fixed because it is used to generate the
association facet automatically.
Ticket 1092.
|
|
|
|
|
|
| |
Priority is now a required field in order to add a new password policy. Thus, not having the field present means we cannot create one.
https://fedorahosted.org/freeipa/ticket/1102
|
| |
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/1086
Add Sylvain Baubeau to Contributors.txt
|
|
|
|
| |
ticket 1080
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This fixes 2 AVCS:
* One because we are enabling port 7390 because an SSL port must be
defined to use TLS On 7389.
* We were symlinking to the main IPA 389-ds NSS certificate databsae.
Instead generate a separate NSS database and certificate and have
certmonger track it separately
I also noticed some variable inconsistency in cainstance.py. Everywhere
else we use self.fqdn and that was using self.host_name. I found it
confusing so I fixed it.
ticket 1085
|
|
|
|
|
|
|
|
|
| |
When not on master we weren't passing in the user-supplied domain and
server. Because of changes made that require TLS on the LDAP calls
we always need the server name early in the process to retrieve the IPA
CA certificate.
ticket 1090
|
|
|
|
|
|
|
|
| |
Explicitly use the realm specified on the command line.
Many places were assuming that the domain and realm were the same.
https://bugzilla.redhat.com/show_bug.cgi?id=684690
https://fedorahosted.org/freeipa/ticket/1091
|
| |
|
|
|
|
|
|
|
|
| |
Configure the dogtag 389-ds instance with SSL so we can enable TLS
for the dogtag replication agreements. The NSS database we use is a
symbolic link to the IPA 389-ds instance.
ticket 1060
|
|
|
|
|
| |
Collaborated with ayoung to fix this problem:
https://fedorahosted.org/freeipa/ticket/1070
|
|
|
|
|
|
|
| |
This patch fixes a typo in class Service, function __get_conn which
causes ipa-dns-install script to fail every time.
https://fedorahosted.org/freeipa/ticket/1065
|
|
|
|
| |
ticket 1056
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If a hostname was provided it wasn't used to configure either
certmonger or sssd. This resulted in a non-working configuration.
Additionally on un-enrollment the wrong hostname was unenrolled, it
used the value of gethostname() rather than the one that was passed
into the installer.
We have to modify the CA configuration of certmonger to make it
use the right principal when requesting certificates. The filename
is unpredicable but it will be in /var/lib/certmonger/cas.
We need to hunt for ipa_submit and add -k <principal> to it, then
undo that on uninstall. These files are created the first time
the certmonger service starts, so start and stop it before messing
with them.
ticket 1029
|
|
|
|
|
|
|
|
|
|
|
| |
stop_tracking() is robust enough to do the right thing if no certificate
exists so go ahead and always call it. If the certificate failed to
be issued for some reason the request will still in certmonger
after uninstalling. This would cause problems when trying to reinstall
the client. This will go ahead and always tell certmonger to stop
tracking it.
ticket 1028
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There are cases when ipactl returns success even when it fails. Plus,
when the error really is detected the status codes are not LSB
compliant. This may result in consequent issues.
This patch improves error handling in ipactl and adds LSB compliant
status codes. Namely:
0 program is running or service is OK
3 program is not running
4 program or service status is unknown
for "status" action. Status code 4 is issued when IPA is not
configured to distinguish this state from not running IPA.
For other actions, the following non-zero status codes are
implemented:
1 generic or unspecified error
2 invalid or excess argument(s)
4 user had insufficient privilege
6 program is not configured
https://fedorahosted.org/freeipa/ticket/1055
|
| |
|
|
|
|
| |
Ticket 1054
|
|
|
|
| |
Ticket 1054
|
|
|
|
| |
Ticket 1054
|
|
|
|
| |
Ticket 1054
|
|
|
|
| |
Ticket 1054
|
|
|
|
| |
Ticket 1054
|
|
|
|
| |
Ticket 1054
|
| |
|
|
|
|
|
|
|
|
| |
The month in krblastpwdchange (LDAP Generalized Time) is 1-based
but the month in JavaScript Date.setUTCFullYear() is 0-based so it
needs a conversion.
Ticket 1053
|
|
|
|
|
|
|
| |
There is a rather large API.txt change but it is only due to changes
in the doc string in parameters.
ticket 729
|
|
|
|
|
|
|
| |
If we're going to be authoritative ourselves don't bother with what
other DNS servers think.
ticket 1036
|
| |
|
| |
|
|
|
|
|
|
| |
The patch also corrects exception handling in some of the tools.
Fix #874
|
|
|
|
| |
ticket 1048
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Restart the 389-ds instance to ensure all schema is loaded that
dogtag may have installed as files.
According to bug
https://bugzilla.redhat.com/show_bug.cgi?id=680984 this it is only needed
on clones.
ticket 1024
|
|
|
|
|
|
|
| |
Jakub did the initial diagnosis of this, I added a fix for removing
the last entry when removing members and a test case.
ticket 1000
|
|
|
|
|
|
|
|
|
|
|
|
| |
IPA server/replica uninstallation may fail when it tries to restore
a Directory server configuration file in sysrestore directory, which
was already restored before.
The problem is in Directory Server uninstaller which uses and modifies
its own image of sysrestore directory state instead of using the
common uninstaller image.
https://fedorahosted.org/freeipa/ticket/1026
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
When IPA replica or server is configured it does not check for
possibly installed client. This will cause the installation to
fail in the very end.
This patch adds a check for already configured client and suggests
removing it before server/replica installation.
https://fedorahosted.org/freeipa/ticket/1002
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/1011
Does not completely fix the problem in the ticket, but it does mitigate the failure.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
In a details page, usually any changes done to the fields will not be
applied until the user clicks the Update button. However, if the page
contains an association table, any addition/deletion to the table will
be applied immediately.
To avoid any confusion, the user is now required to save or reset all
changes to the page before modifying the association. A dialog box will
appear if the page contains any unsaved changes.
|
|
|
|
|
| |
The correct attribute name for SUDO command group membership is
memberof_sudocmdgroup and it contains the group name instead of dn.
|
|
|
|
| |
Fixes: https://fedorahosted.org/freeipa/ticket/1007
|
| |
|
|
|
|
| |
This reverts commit 79d22f8341026450ba7ca564e24812c9351c7e70.
|
|
|
|
| |
Ticket 1005
|
|
|
|
| |
ticket 1005
|
|
|
|
|
|
|
| |
Association facets based on memberofindirect attribute have been
removed because the attribute is non-assignable.
Ticket 1027
|
|
|
|
| |
Fixes: https://fedorahosted.org/freeipa/ticket/1022
|