Commit message | Author | Age | Files | Lines
...
* ipa-sam: report supported enctypes based on Kerberos realm configuration | Alexander Bokovoy | 2013-09-20 | 1 | -12/+117
  We store Kerberos realm configuration in cn=REALM,cn=kerberos,$SUFFIX. Along with other configuration options, this container has a list of default supported encryption types, in krbDefaultEncSaltTypes.
  Fetch krbDefaultEncSaltTypes value on ipa-sam initialization and convert discovered list to the mask of supported encryption types according to security.idl from Samba:
      typedef [public,bitmap32bit] bitmap {
          KERB_ENCTYPE_DES_CBC_CRC             = 0x00000001,
          KERB_ENCTYPE_DES_CBC_MD5             = 0x00000002,
          KERB_ENCTYPE_RC4_HMAC_MD5            = 0x00000004,
          KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 = 0x00000008,
          KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 0x00000010
      } kerb_EncTypes;
  Part of https://fedorahosted.org/freeipa/ticket/3898
* ipa-sam: do not leak LDAPMessage on ipa-sam initialization | Alexander Bokovoy | 2013-09-20 | 1 | -2/+7
  We used to handle some of the code paths to free memory allocated by the LDAP library but there are a few more unhandled. In addition, search result wasn't freed on successful initialization, leaking for a long time.
  https://fedorahosted.org/freeipa/ticket/3913
* ipa-sam: do not modify objectclass when trust object already created | Alexander Bokovoy | 2013-09-20 | 3 | -41/+81
  When trust is established, last step done by IPA framework is to set encryption types associated with the trust. This operation fails due to ipa-sam attempting to modify object classes in trust object entry which is not allowed by ACI.
  Additionally, wrong handle was used by dcerpc.py code when executing SetInformationTrustedDomain() against IPA smbd which prevented even to reach the point where ipa-sam would be asked to modify the trust object.
* Use getent admin@domain for nss check in ipa-client-install | Tomas Babej | 2013-09-20 | 1 | -2/+2
  Use 'getent admin@domain' rather than 'getent admin@REALM' to check if nss is working properly since admin@REALM check fails in case the domain and the realm name do not match.
  https://fedorahosted.org/freeipa/ticket/3906
* Fix -Wformat-security warnings | Krzysztof Klimonda | 2013-09-16 | 2 | -7/+7
* Don't exclude symlinks when loading plugins | Nick Hatch | 2013-09-16 | 1 | -1/+1
* Don't search platform path | Timo Aaltonen | 2013-09-16 | 1 | -1/+1
  Don't use Python.h from the platform specific path
* Use /usr/bin/python as fallback python path | Timo Aaltonen | 2013-09-16 | 1 | -1/+1
* Fix redirection on deletion of last dns record entry | Petr Vobornik | 2013-09-16 | 2 | -2/+21
  https://fedorahosted.org/freeipa/ticket/3907
* Follow tmpfiles.d packaging guidelines | Ana Krivokapic | 2013-09-16 | 1 | -3/+6
  https://fedorahosted.org/freeipa/ticket/3881
* Do not show unexpected error in ipa-ldap-updater | Ana Krivokapic | 2013-09-16 | 1 | -0/+2
  Prevent showing of unfriendly "Unexpected error" message, when providing incorrect DM password to ipa-ldap-updater.
  https://fedorahosted.org/freeipa/ticket/3825
* Add Delegation Info to MS-PAC | Simo Sorce | 2013-09-13 | 1 | -2/+160
  https://fedorahosted.org/freeipa/ticket/3442
* Fix nsslapdPlugin object class after initial replication. | Jan Cholasta | 2013-09-10 | 4 | -11/+13
  This is a workaround for <https://fedorahosted.org/389/ticket/47490>.
  https://fedorahosted.org/freeipa/ticket/3915
* Do not crash if DS is down during server uninstall | Ana Krivokapic | 2013-09-09 | 1 | -23/+41
  DS is contacted during server uninstallation, in order to obtain information about replication agreements. If DS is unavailable, warn and continue with uninstallation.
  https://fedorahosted.org/freeipa/ticket/3867
* Fix invocations of FileError in ipa-client-install | Ana Krivokapic | 2013-09-09 | 1 | -10/+12
  Some of the FileErrors in ipa-client-install were raised incorrectly (without the 'reason' argument), which resulted in bad error messages during ipa-client-install.
  https://fedorahosted.org/freeipa/ticket/3758
* Replace ntpdate calls with ntpd | Ana Krivokapic | 2013-09-09 | 1 | -14/+12
  Due to the upcoming deprecation of the ntpdate program (targeted for Fedora 20), replace ntpdate calls with ntpd.
  https://fedorahosted.org/freeipa/ticket/3797
* Make make-lint compatible with Pylint 1.0 | Petr Viktorin | 2013-09-06 | 1 | -4/+17
  Pylint 1.0 was released[0] and it brings some incompatibilities, as well as a bug[1] that's triggered by FreeIPA code.
  This patch updates make-lint to be compatible with Pylint 1.0, while keeping support for version 0.26.
  [0] http://www.logilab.org/blogentry/163292
  [1] https://bitbucket.org/logilab/pylint/issue/47
  Ticket: https://fedorahosted.org/freeipa/ticket/3865
* Remove __all__ specifications in ipaclient and ipaserver.install | Petr Viktorin | 2013-09-06 | 2 | -5/+0
  The __all__ list does not cause submodules to be imported, e.g. one would still have to `import ipaclient.ipachangeconf` rather than just `import ipaclient` to use `ipaclient.ipachangeconf`.
  Even if they did do anything, the lists were incomplete, and (since `import *` is not used on these modules) unnecessary.
  Pylint 1.0 reports undeclared names in __all__ as a warning.
* Add timestamps to named debug logs in /var/named/data/named.run | Petr Spacek | 2013-09-06 | 1 | -0/+1
* Add option to ipa-client-install to configure automount | Ana Krivokapic | 2013-09-05 | 2 | -1/+32
  Add the --automount-location option to ipa-client-install. If the option is used, ipa-client-automount is called at the end of ipa-client-install.
  https://fedorahosted.org/freeipa/ticket/3740
* Fix RUV search scope in ipa-replica-manage | Petr Vobornik | 2013-09-04 | 2 | -1/+11
  The search had an incorrect scope and therefore it didn't find any RUV. This issue prevented removing of replica.
  https://fedorahosted.org/freeipa/ticket/3876
* Add warning when uninstalling active replica | Ana Krivokapic | 2013-09-04 | 1 | -5/+31
  Add a warning when trying to uninstall a replica that has active replication agreements.
  https://fedorahosted.org/freeipa/ticket/3867
* Create DS user and group during ipa-restore | Ana Krivokapic | 2013-09-02 | 4 | -52/+59
  ipa-restore would fail if DS user did not exist. Check for presence of DS user and group and create them if needed.
  https://fedorahosted.org/freeipa/ticket/3856
* Add integration tests for forced client re-enrollment | Ana Krivokapic | 2013-09-02 | 1 | -0/+278
  Add integration tests for the forced client re-enrollment feature:
  http://www.freeipa.org/page/V3/Forced_client_re-enrollment#Test_Plan
  https://fedorahosted.org/freeipa/ticket/3832
* EXTDOM: Do not overwrite domain_name for INP_SID | Jakub Hrozek | 2013-08-29 | 1 | -2/+0
* CLDAP: make sure an empty reply is returned on any error | Sumit Bose | 2013-08-29 | 1 | -1/+2
  If ipa_cldap_decode() reply is not initialized.
  Fixes https://fedorahosted.org/freeipa/ticket/3885
* Re-order NULL check in ipa_lockout. | Rob Crittenden | 2013-08-29 | 1 | -2/+1
  There is no risk of crash here as slapi_valueset_first_value() can handle the case where the valueset is NULL, but there is no point in calling that if we know there are no values.
  https://fedorahosted.org/freeipa/ticket/3880
* Add man pages for testing tools | Petr Viktorin | 2013-08-29 | 8 | -1/+405
  Add man pages for ipa-run-tests, ipa-test-task, and ipa-test-config.
  https://fedorahosted.org/freeipa/ticket/3855 (part 5)
* Log proper error message when defaultNamingContext not found | Tomas Babej | 2013-08-29 | 1 | -1/+7
* Fix service-disable in CA-less install. | Jan Cholasta | 2013-08-29 | 1 | -20/+21
  https://fedorahosted.org/freeipa/ticket/3886
* Add CA-less install tests | Petr Viktorin | 2013-08-28 | 3 | -0/+1481
  Differences from the test plan at http://www.freeipa.org/index.php?title=V3/CA-less_install&oldid=6669 are:
  - The following tests are included in all applicable positive install tests, rather than being standalone test cases:
    - Verify CA certificate stored in LDAP
    - Verify CA PEM file created by IPA server install
    - Verify that IPA server install does not configure certmonger
    - Verify CA PEM file created by IPA replica install
    - Verify that IPA replica install does not configure certmonger
    - Verify CA PEM file created by IPA client install
  - PKI setup is done only once for each test class
  - Master installation is done once for the IPA command tests, and once for the certinstall tests
  - Certificates are compared after base64 decoding to avoid failures from formatting mismatches
  - Minor changes necessary for automation (e.g. adding --unattended and --password options, correcting error messages)
  - Web UI tests are not included here
  https://fedorahosted.org/freeipa/ticket/3830
* Fix tests which fail after ipa-adtrust-install | Ana Krivokapic | 2013-08-28 | 13 | -131/+207
  Some unit tests were failing after ipa-adtrust-install has been run on the IPA server, due to missing attributes ('ipantsecurityidentifier') and objectclasses ('ipantuserattrs' and 'ipantgroupattrs'). This patch detects if ipa-adtrust-install has been run, and adds missing attributes and objectclasses where appropriate.
  https://fedorahosted.org/freeipa/ticket/3852
* Add missing license header to ipa-test-config | Petr Viktorin | 2013-08-28 | 1 | -0/+19
* Update idrange search facet after trust creation | Petr Vobornik | 2013-08-28 | 3 | -6/+10
  Adding a trust creates a range -> range search facet should be marked as expired.
  https://fedorahosted.org/freeipa/ticket/3874
* kdb-princ: Fix memory leak | Simo Sorce | 2013-08-28 | 1 | -0/+1
  If we do not store the keys in the entry we need to free the array before continuing or the data is leaked.
  CoverityID: 11910
  Fixes: https://fedorahosted.org/freeipa/ticket/3884
* kdb-mspac: Fix out of bounds memset | Simo Sorce | 2013-08-28 | 1 | -1/+1
  This memset was harmless as the following data is then set again, but an optimizing compiler might conceivably reorder instructions causing issues.
  CoverityID: 11909
  Fixes: https://fedorahosted.org/freeipa/ticket/3883
* pwd-plugin: Fix ignored return error | Simo Sorce | 2013-08-28 | 1 | -3/+8
  CoverityID: 11904
  Also remove 'inline', the compiler can do it on its own if needed.
  Fixes: https://fedorahosted.org/freeipa/ticket/3882
* Fix ipa-server-certinstall usage string. | Jan Cholasta | 2013-08-28 | 1 | -1/+1
  https://fedorahosted.org/freeipa/ticket/3869
* Add --dirman-password option to ipa-server-certinstall. | Jan Cholasta | 2013-08-28 | 2 | -4/+11
  https://fedorahosted.org/freeipa/ticket/3869
* Fix nsSaslMapping object class before configuring SASL mappings. | Jan Cholasta | 2013-08-27 | 1 | -0/+11
  This is a workaround for <https://fedorahosted.org/389/ticket/47490>.
  https://fedorahosted.org/freeipa/ticket/3778
* Fix incorrect error message occurrence when re-adding the trust | Tomas Babej | 2013-08-27 | 1 | -1/+1
  You cannot re-add the trust and modify the range in the process. The check in the code was malfunctioning since it assumed that range_size parameter has default value.
  However, default value is assigned only later in the add_range function.
  https://fedorahosted.org/freeipa/ticket/3870
* Add integration tests for Kerberos Flags | Ana Krivokapic | 2013-08-27 | 1 | -0/+191
  Add integration tests for the Kerberos Flags feature: http://www.freeipa.org/page/V3/Kerberos_Flags#Test_Plan (except the web UI tests).
  https://fedorahosted.org/freeipa/ticket/3831
* Make CS.cfg edits with CA instance stopped | Tomas Babej | 2013-08-26 | 6 | -40/+101
  This patch makes sure that all edits to CS.cfg configuration file are performed while pki-tomcatd service is stopped.
  Introduces a new contextmanager stopped_service for handling a general problem of performing a task that needs certain service being stopped.
  https://fedorahosted.org/freeipa/ticket/3804
* Perform dirsrv tuning at platform level | Tomas Babej | 2013-08-26 | 3 | -57/+100
  When configuring the 389 Directory Server instance, we tune it so that number of file descriptors available to the DS is increased from the default 1024 to 8192.
  There are platform specific steps that need to be conducted differently on systemd compatible platforms and sysV compatible platforms.
  systemd: set LimitNOFILE to 8192 in /etc/sysconfig/dirsrv.systemd
  sysV: set ulimit -n 8192 in /etc/sysconfig/dirsrv
        set ulimit - nofile 8192 in /etc/security/limits.conf
  https://fedorahosted.org/freeipa/ticket/3823
* Show human-readable error name in error dialog title | Petr Vobornik | 2013-08-26 | 2 | -2/+3
  Fixes RPC server's JSON encoding of exception's name. It allows to show the name in Web UI's error dialog title.
* Remove redundant shebangs | Tomas Babej | 2013-08-26 | 5 | -7/+2
  Remove redundant shebangs from files that are not used as scripts.
  https://fedorahosted.org/freeipa/ticket/3853
* Web UI integration tests: ID range types | Petr Vobornik | 2013-08-22 | 4 | -68/+277
  https://fedorahosted.org/freeipa/ticket/3834
* Web UI Integration tests: Kerberos Flags | Petr Vobornik | 2013-08-22 | 2 | -3/+49
  Tests according to: http://www.freeipa.org/page/V3/Kerberos_Flags
  https://fedorahosted.org/freeipa/ticket/3831
* Web UI integration tests: CA-less | Petr Vobornik | 2013-08-22 | 4 | -3/+101
  Test cases according to: http://www.freeipa.org/page/V3/CA-less_install
  https://fedorahosted.org/freeipa/ticket/3830
* Hide 'New Certificate' action on CA-less install | Petr Vobornik | 2013-08-22 | 1 | -0/+1
  This action calls cert-request command which is not available on CA-less installs. Thus this action won't be enabled and therefore there is no reason to keep it visible.
  https://fedorahosted.org/freeipa/ticket/3363