freeipa.git/ipaserver, branch master Unnamed repository; edit this file 'description' to name the repository. Always record that pkicreate has been executed. 2014-07-22T07:03:56+00:00 David Kupka dkupka@redhat.com 2014-07-21T13:57:18+00:00 41b057e38757c0acf1d600245269851f532df389 Record that pkicreate/pkispawn has been executed to allow cleanup even if the installation did not finish correctly. https://fedorahosted.org/freeipa/ticket/2796 Reviewed-By: Martin Kosek <mkosek@redhat.com> 
Record that pkicreate/pkispawn has been executed to allow cleanup even if the
installation did not finish correctly.

https://fedorahosted.org/freeipa/ticket/2796

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Fix login password expiration detection with OTP 2014-07-21T14:36:28+00:00 Nathaniel McCallum npmccallum@redhat.com 2014-07-14T18:39:00+00:00 e4771302812388cc7f9773ce48d0bc3b34855248 The preexisting code would execute two steps. First, it would perform a kinit. If the kinit failed, it would attempt to bind using the same credentials to determine if the password were expired. While this method is fairly ugly, it mostly worked in the past. However, with OTP this breaks. This is because the OTP code is consumed by the kinit step. But because the password is expired, the kinit step fails. When the bind is executed, the OTP token is already consumed, so bind fails. This causes all password expirations to be reported as invalid credentials. After discussion with MIT, the best way to handle this case with the standard tools is to set LC_ALL=C and check the output from the command. This eliminates the bind step altogether. The end result is that OTP works and all password failures are more performant. https://fedorahosted.org/freeipa/ticket/4412 Reviewed-By: Petr Vobornik <pvoborni@redhat.com> 
The preexisting code would execute two steps. First, it would perform a kinit.
If the kinit failed, it would attempt to bind using the same credentials to
determine if the password were expired. While this method is fairly ugly, it
mostly worked in the past.

However, with OTP this breaks. This is because the OTP code is consumed by
the kinit step. But because the password is expired, the kinit step fails.
When the bind is executed, the OTP token is already consumed, so bind fails.
This causes all password expirations to be reported as invalid credentials.

After discussion with MIT, the best way to handle this case with the standard
tools is to set LC_ALL=C and check the output from the command. This
eliminates the bind step altogether. The end result is that OTP works and
all password failures are more performant.

https://fedorahosted.org/freeipa/ticket/4412

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Enable debug pid in smb.conf 2014-07-18T08:10:46+00:00 Gabe redhatrises@gmail.com 2014-07-14T22:18:00+00:00 2afcbff133fbb9659a23633283c455a1851589df https://fedorahosted.org/freeipa/ticket/3485 Reviewed-By: Tomas Babej <tbabej@redhat.com> 
https://fedorahosted.org/freeipa/ticket/3485

Reviewed-By: Tomas Babej <tbabej@redhat.com>
ldap2 indirect membership processing: Use global limits if greater than per-query ones 2014-07-14T14:04:58+00:00 Petr Viktorin pviktori@redhat.com 2014-06-25T11:55:58+00:00 73b2d0a81dc09acbcae0e4388d1043780a171f3b Calling an ipa *-find command with --sizelimit=1 on an entry with more members would result in a LimitsExceeded error as the search for members was limited to 1 entry. For the memberof searches, only apply the global limit if it's larger than the requested one, so decreasing limits on the individual query only affects the query itself. https://fedorahosted.org/freeipa/ticket/4398 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Calling an ipa *-find command with --sizelimit=1 on an entry with more
members would result in a LimitsExceeded error as the search for members
was limited to 1 entry.

For the memberof searches, only apply the global limit if it's larger than
the requested one, so decreasing limits on the individual query only
affects the query itself.

https://fedorahosted.org/freeipa/ticket/4398

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
ldapupdate: Restore 'replace' functionality 2014-07-04T13:51:55+00:00 Petr Viktorin pviktori@redhat.com 2014-07-04T07:50:58+00:00 2f99140c92f05c9ff11ff57002cb87784c632091 The replace directive was made a no-op by mistake in commit 6381d76. Restore it. Reviewed-By: Martin Kosek <mkosek@redhat.com> 
The replace directive was made a no-op by mistake in commit 6381d76.
Restore it.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Restore privileges after forward zones update 2014-07-04T10:48:50+00:00 Martin Basti mbasti@redhat.com 2014-07-03T13:50:27+00:00 f8b6595f4999740a704bcdae6d4f9b5021f7f61f Ticket: https://fedorahosted.org/freeipa/ticket/3210 Reviewed-By: Petr Spacek <pspacek@redhat.com> 
Ticket: https://fedorahosted.org/freeipa/ticket/3210
Reviewed-By: Petr Spacek <pspacek@redhat.com>
ipa-ldap-updater: make possible to use LDAPI with autobind in case of hardened LDAP configuration 2014-07-04T06:13:23+00:00 Alexander Bokovoy abokovoy@redhat.com 2014-07-02T13:30:18+00:00 a9fe37e0664079ad2da7b0d9b9b7c7e244a25bf9 When nsslapd-minssf is greater than 0, running as root ipa-ldap-updater [-l] will fail even if we force use of autobind for root over LDAPI. The reason for this is that schema updater doesn't get ldapi flag passed and attempts to connect to LDAP port instead and for hardened configurations using simple bind over LDAP is not enough. Additionally, report properly previously unhandled LDAP exceptions. https://fedorahosted.org/freeipa/ticket/3468 Reviewed-By: Petr Spacek <pspacek@redhat.com> 
When nsslapd-minssf is greater than 0, running as root
  ipa-ldap-updater [-l]
will fail even if we force use of autobind for root over LDAPI.

The reason for this is that schema updater doesn't get ldapi flag passed and
attempts to connect to LDAP port instead and for hardened configurations
using simple bind over LDAP is not enough.

Additionally, report properly previously unhandled LDAP exceptions.
https://fedorahosted.org/freeipa/ticket/3468

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Fix upgrade to forward zones 2014-07-03T12:04:57+00:00 Martin Basti mbasti@redhat.com 2014-07-02T17:04:39+00:00 eea101544125895b3d4f66b61cf8e3870bffed66 Reviewed-By: Petr Spacek <pspacek@redhat.com> 
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Allow to add non string values to named conf 2014-07-02T16:41:57+00:00 Martin Basti mbasti@redhat.com 2014-06-27T15:04:15+00:00 5c2ddaf6606736074c4b548592405a8e98027308 Non string values should not start and end with '"' in options section in named.conf Required by ticket: https://fedorahosted.org/freeipa/ticket/4408 Reviewed-By: Petr Spacek <pspacek@redhat.com> 
Non string values should not start and end with '"' in options section
in named.conf

Required by ticket: https://fedorahosted.org/freeipa/ticket/4408

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Do not fail if there are multiple nsDS5ReplicaId values in cn=replication,cn=etc 2014-07-02T14:16:09+00:00 Petr Viktorin pviktori@redhat.com 2014-06-12T16:07:40+00:00 8c98561c209d0ccaa692a335e3e9a10aec23ee0e On systems installed before #3394 was fixed and nsDS5ReplicaId became single-valued, there are two replica ID values stored in cn=replication: the default (3) and the actual value we want. Instead of failing when multiple values are found, use the largest one. https://fedorahosted.org/freeipa/ticket/4375 Reviewed-By: Martin Kosek <mkosek@redhat.com> 
On systems installed before #3394 was fixed and nsDS5ReplicaId became
single-valued, there are two replica ID values stored in cn=replication:
the default (3) and the actual value we want.
Instead of failing when multiple values are found, use the largest one.

https://fedorahosted.org/freeipa/ticket/4375

Reviewed-By: Martin Kosek <mkosek@redhat.com>