freeipa.git/ipaserver, branch patternfly Unnamed repository; edit this file 'description' to name the repository. Add mechanism for updating permissions to managed 2014-06-04T15:34:17+00:00 Petr Viktorin pviktori@redhat.com 2014-05-14T14:08:28+00:00 acb2ca47d68becca8c7385899c9107d5b6a13a1a Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com> 
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Modified dns related global functions 2014-06-03T13:55:32+00:00 Martin Basti mbasti@redhat.com 2014-05-16T10:21:04+00:00 b964d2130a15d7b1561c66c721e3257ce0d24305 * Modified functions to use DNSName type * Removed unused functions Part of ticket: IPA should allow internationalized domain names https://fedorahosted.org/freeipa/ticket/3169 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
* Modified functions to use DNSName type
* Removed unused functions

Part of ticket:
IPA should allow internationalized domain names
https://fedorahosted.org/freeipa/ticket/3169

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
ipa recursively adds old backups 2014-05-30T06:15:22+00:00 Gabe redhatrises@gmail.com 2014-05-28T23:16:04+00:00 9f2c4705d7e2fa83be95f005a78f83a399acfa72 - Added exclude for the ipa backup folder to the files tar https://fedorahosted.org/freeipa/ticket/4331 Reviewed-By: Martin Kosek <mkosek@redhat.com> 
- Added exclude for the ipa backup folder to the files tar

https://fedorahosted.org/freeipa/ticket/4331

Reviewed-By: Martin Kosek <mkosek@redhat.com>
ldap2.has_upg: Raise an error if the UPG definition is not found 2014-05-29T14:22:37+00:00 Petr Viktorin pviktori@redhat.com 2014-05-27T15:07:13+00:00 4f89decc9a6020cbacbfa4406f32ce5465d49a72 The UPG Definition is always present in IPA; if it can not be read it's usually caused by insufficient privileges. Previously the code assumed the absence of the entry meant that UPG is disabled. With granular read permissions, this would mean that users that can add users but can't read UPG Definition would add users without UPG, and the reason for that would not be very clear. It is better to fail early if the definition can't be read. Raise an error if the UPG Definition is not available. This makes read access to it a prerequisite for adding users. Part of the work for: https://fedorahosted.org/freeipa/ticket/3566 Reviewed-By: Martin Kosek <mkosek@redhat.com> 
The UPG Definition is always present in IPA; if it can not be read
it's usually caused by insufficient privileges.
Previously the code assumed the absence of the entry meant that
UPG is disabled. With granular read permissions, this would mean
that users that can add users but can't read UPG Definition would
add users without UPG, and the reason for that would not be very clear.
It is better to fail early if the definition can't be read.

Raise an error if the UPG Definition is not available. This makes
read access to it a prerequisite for adding users.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Call generate-rndc-key.sh during ipa-server-install 2014-05-27T11:05:53+00:00 Adam Misnyovszki amisnyov@redhat.com 2014-04-18T13:44:11+00:00 71c6d2f1eb9610a0e0a994a6cfd78fdf9bb9d1fa Since systemd has by default a 2 minute timeout to start a service, the end of ipa-server-install might fail because starting named times out. This patch ensures that generate-rndc-key.sh runs before named service restart. Also, warning message is displayed before KDC install and generate-rndc-key.sh, if there is a lack of entropy, to notify the user that the process could take more time than expected. Modifications done by Martin Kosek: - removed whitespace at the end of installutils.py - the warning in krbinstance.py moved right before the step requiring entropy - slightly reworded the warning message https://fedorahosted.org/freeipa/ticket/4210 Reviewed-By: Martin Kosek <mkosek@redhat.com> 
Since systemd has by default a 2 minute timeout to start
a service, the end of ipa-server-install might fail
because starting named times out. This patch ensures that
generate-rndc-key.sh runs before named service restart.

Also, warning message is displayed before KDC install and
generate-rndc-key.sh, if there is a lack of entropy, to
notify the user that the process could take more time
than expected.

Modifications done by Martin Kosek:
- removed whitespace at the end of installutils.py
- the warning in krbinstance.py moved right before the step
  requiring entropy
- slightly reworded the warning message

https://fedorahosted.org/freeipa/ticket/4210

Reviewed-By: Martin Kosek <mkosek@redhat.com>
rpcserver: login_password datetime fix in expiration check 2014-05-26T11:08:34+00:00 Petr Vobornik pvoborni@redhat.com 2014-05-07T13:41:41+00:00 1e96475a77280bbdc883c66e0dc451ef0559c5fb krbpasswordexpiration conversion to time failed because now we get datetime object instead of string. https://fedorahosted.org/freeipa/ticket/4339 Reviewed-By: Tomas Babej <tbabej@redhat.com> 
krbpasswordexpiration conversion to time failed because now we get
datetime object instead of string.

https://fedorahosted.org/freeipa/ticket/4339

Reviewed-By: Tomas Babej <tbabej@redhat.com>
ldap2.find_entries: Do not modify attrs_list in-place 2014-05-26T10:39:33+00:00 Petr Viktorin pviktori@redhat.com 2014-05-16T11:18:36+00:00 988b2cebf4bf6657eb50f5ecc57bd39425739b8b dap2.find_entries modified the passed in attrs_list to remove the virtual attributes memberindirect and memberofindirect before passing the list to LDAP. This means that a call like ldap2.get_entry(dn, attrs_list=some_framework_object.default_attributes) would permanently remove the virtual attributes from some_framework_object's definition. Create a copy of the list instead. https://fedorahosted.org/freeipa/ticket/4349 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
dap2.find_entries modified the passed in attrs_list to remove
the virtual attributes memberindirect and memberofindirect
before passing the list to LDAP. This means that a call like
    ldap2.get_entry(dn, attrs_list=some_framework_object.default_attributes)
would permanently remove the virtual attributes from
some_framework_object's definition.

Create a copy of the list instead.

https://fedorahosted.org/freeipa/ticket/4349

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Remove the global anonymous read ACI 2014-05-26T10:14:55+00:00 Petr Viktorin pviktori@redhat.com 2014-04-29T19:46:26+00:00 193ced0bd7a9a26e7b25f08b023ee21302acaac7 Also remove - the deny ACIs that implemented exceptions to it: - no anonymous access to roles - no anonymous access to member information - no anonymous access to hbac - no anonymous access to sudo (2×) - its updater plugin Part of the work for: https://fedorahosted.org/freeipa/ticket/3566 Reviewed-By: Martin Kosek <mkosek@redhat.com> 
Also remove
- the deny ACIs that implemented exceptions to it:
  - no anonymous access to roles
  - no anonymous access to member information
  - no anonymous access to hbac
  - no anonymous access to sudo (2×)
- its updater plugin

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Set user addressbook/IPA attribute read ACI to anonymous on upgrades from 3.x 2014-05-26T10:12:35+00:00 Petr Viktorin pviktori@redhat.com 2014-04-29T19:32:29+00:00 63becae88c6c270b98f0432dc474b661b82f3119 When upgrading from an "old" IPA, or installing the first "new" replica, we need to keep allowing anonymous access to many user attributes. Add an optional 'fixup_function' to the managed permission templates, and use it to set the bind rule type to 'anonymous' when installing (or upgrading to) the first "new" master. This assumes that the anonymous read ACI will be removed in a "new" IPA. Part of the work for: https://fedorahosted.org/freeipa/ticket/3566 Reviewed-By: Martin Kosek <mkosek@redhat.com> 
When upgrading from an "old" IPA, or installing the first "new" replica,
we need to keep allowing anonymous access to many user attributes.

Add an optional 'fixup_function' to the managed permission templates,
and use it to set the bind rule type to 'anonymous' when installing
(or upgrading to) the first "new" master.

This assumes that the anonymous read ACI will be removed in a "new" IPA.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
update_managed_permissions: Pass around anonymous ACI rather than its blacklist 2014-05-26T10:12:35+00:00 Petr Viktorin pviktori@redhat.com 2014-04-29T19:15:05+00:00 993c1c8557aafb890199b1c443ebd2d895ae6ba6 It turns out the ACI object of the anonymous read ACI, rather than just the list of its attributes, will be useful in the future. Change the plugin so that the ACI object is passed around. Reviewed-By: Martin Kosek <mkosek@redhat.com> 
It turns out the ACI object of the anonymous read ACI, rather than just the
list of its attributes, will be useful in the future.
Change the plugin so that the ACI object is passed around.

Reviewed-By: Martin Kosek <mkosek@redhat.com>