Commit message

Fixes: https://fedorahosted.org/freeipa/ticket/1007

By calling directly sasl_interactive_bind_s() we were not calling __lateinit()
This in turn resulted in some variables like dbdir not to be set on the
IPAadmin object.
Keep all bind types in the same place so the same common sbind steps can be
performed in each case.
Related to: https://fedorahosted.org/freeipa/ticket/1022

https://fedorahosted.org/freeipa/ticket/831

https://fedorahosted.org/freeipa/ticket/615

Trying to run ipactl as non-root results in a slew of bogus
error messages, some of which come because dirsrv can't read certain
files as the wrong user, some based on our handling of that fact.
ticket 936

1. Fix a unicode() problem creating the DNS entries
2. Fix a strange NSS error when generating the certificates against
a dogtag server.
The NSS errors are quite strange. When generating the first certificate
nss_shutdown() fails because the database isn't initialized yet but
nss_is_initialized() returned True. The second pass fails because
something is in use.

This was resulting in a traceback because while conn was not None
it wasn't connected either.
ticket 920

This patch fixes behavior of ipa-dns-install, which does not
exit when an invalid configuration of /etc/hosts is detected.
https://fedorahosted.org/freeipa/ticket/736

This patch fixes ipactl to return non-zero value when something
goes wrong.
https://fedorahosted.org/freeipa/ticket/894

The 389-ds replication plugin may not be installed on all platforms
and our replication version plugin will cause 389-ds to not start
if it is loaded and the replication plugin is not. So disable by
default.
When a replica is prepared we check for the replication plugin.
If it exists we will enable the replication version plugin.
Likewise on installation of a replica we check for existence of
the replication plugin and if it is there then we enable the version
plugin before replication begins.
ticket 918

The state is read only at initialization time. This works ok when
individual services remove their state data but when worked upon again
at the top-level it still has the full state in memory, so when the
state file is re-written all of the data that was removed is re-added.
ticket 916

A cosmetic patch to IPA server installation output aimed to make
capitalization in installer output consistent. Several installation
tasks started with a lowercase letter and several installation
task steps started with an uppercase letter.
https://fedorahosted.org/freeipa/ticket/776

Adds a plugin, entitle, to register to the entitlement server, consume
entitlements and to count and track them. It is also possible to
import an entitlement certificate (if for example the remote entitlement
server is unavailable).
This uses the candlepin server from https://fedorahosted.org/candlepin/wiki
for entitlements.
Add a cron job to validate the entitlement status and syslog the results.
tickets 28, 79, 278

There wasn't an exception in the "is the server already installed"
check for a two-stage CA installation.
Made the installer slightly more robust. We create a cache file of
answers so the next run won't ask all the questions again. This cache
is removed when the installation is complete. Previously nothing would work
if the installer was run more than once, this should be fixed now.
The cache is encrypted using the DM password.
The second problem is that the tomcat6 init script returns control
before the web apps are up. Add a small loop in our restart method
to wait for the 9180 port to be available.
This also adds an additional restart to ensure that nonces are disabled.
ticket 835
revise

Fixes: https://fedorahosted.org/freeipa/ticket/887

https://fedorahosted.org/freeipa/ticket/881

Also remove the option to choose a user.
It is silly to keep it, when you can't choose the group nor the CA
directory user.
Fixes: https://fedorahosted.org/freeipa/ticket/851

The API does a fair number of self tests and locking to assure that the
registered commands are consistent and will work. This does not need
to be done on a production system and adds additional overhead causing
somewhere between a 30 and 50% decrease in performance.
Because makeapi is executed when a build is done ensure that it is
executed in developer mode to ensure that the framework is ok.
ticket 751

Fixes: https://fedorahosted.org/freeipa/ticket/860

Fixes: https://fedorahosted.org/freeipa/ticket/833

Even if the replica is not running a DNS server other replicas might.
So if the DNS container is present, then try to add DNS records.
Fixes: https://fedorahosted.org/freeipa/ticket/824

Fixes: https://fedorahosted.org/freeipa/ticket/820

Fixes: https://fedorahosted.org/freeipa/ticket/836

This gives the root user low privileges so that when anonymous searches are
denied the init scripts can still search the directory via ldapi to get the
list of services to start.
Fixes: https://fedorahosted.org/freeipa/ticket/795

Init scripts normally do not log to syslog, instead they write errors to the
stderr pipe. Do the same.

Instead of always capturing the output, make it possible to let
it go to the standard output pipes.
Use this in ipactl to let init scripts show their output.
Fixes: https://fedorahosted.org/freeipa/ticket/765

ticket 608

Now that we can setup GSSAPI authenticated replication we are not
tied to use the Directory Manager password to set up replication
agreements.
Fixes: https://fedorahosted.org/freeipa/ticket/644

Uses a temporary simple replication agreement over SSL to init the tree.
Then once all principals have been created switches replication to GSSAPI.
Fixes: https://fedorahosted.org/freeipa/ticket/690

We can't use arbitrary ports anyway. And neither AD has any way to use
non-standard ports. So remove this unnecessary option.

This simplifies or rationalizes some code in order to make it easier to change
it to fix bug #690

Without this it is possible to prepare a replica for a host that doesn't
exist in DNS. The result when this replica file is installed is that
replication will fail because the master won't be able to communicate
to the replica by name.
ticket 680

ticket 734

A new option to specify reverse zone creation for unattended installs
https://fedorahosted.org/freeipa/ticket/678

Do this by creating a common way to attach to the ldap server for each
instance.
Fixes: https://fedorahosted.org/freeipa/ticket/686

Fixes: https://fedorahosted.org/freeipa/ticket/645

This will prevent certmonger failures. On very minimal installs it seems
that messagebus is not always started.
ticket 528

Fixes: https://fedorahosted.org/freeipa/ticket/627

Currently the code depends on using a password to create replication
agreements, so this patch forces the request of the dirmgr password until we
can fix the internal issues that prevent using the admin user with SASL/GSSAPI
to create replication agreements.

The previous code was removing only one agreement, leaving all other in place.
This would leave dangling replication agreements once the replica is
uninstalled.
Fixes: https://fedorahosted.org/freeipa/ticket/624

is a one liner to fix.

These commands can now be run exclusively on the replica that needs to be
resynced or reinitialized and the --from command must be used to tell from
which other replica it will pull data.
Fixes: https://fedorahosted.org/freeipa/ticket/626

Part of this fix requires also giving proper permission to change the
replication agreements root.
While there also fix replica-related permissions to have the classic
add/modify/remove triplet of permissions.
Fixes: https://fedorahosted.org/freeipa/ticket/630

If ipa-replica-manage list is given a master name as argument then the tool
has the old behavior of listing that specific master replication agreements.
Fixes: https://fedorahosted.org/freeipa/ticket/625

This change also improves command syntax parsing
Fixes: https://fedorahosted.org/freeipa/ticket/623