| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This tests the general workflow for OTP including most possible
token combinations. This includes 5872 tests. Further optimization
is possible to reduce the number of duplicate tests run.
Things not yet tested:
* ipa-kdb
* ipa-otpd
* otptoken-sync
* RADIUS proxy
* token self-management
* type specific attributes
|
| |
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4783
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
|
|
|
|
|
|
|
| |
Due workaroud we accidentaly started to check certificate, which causes
problems during installation.
Ticket: https://fedorahosted.org/freeipa/ticket/4676
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
|
|
|
|
|
|
|
|
| |
SSHFP records added by nsupdate contains extra space (valid), framework
couldn't handle it.
Ticket: https://fedorahosted.org/freeipa/ticket/4790
Ticket: https://fedorahosted.org/freeipa/ticket/4789
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4781
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4781
Reviewed-By: David Kupka <dkupka@redhat.com>
|
|
|
|
|
|
|
| |
This is just workaround
Ticket: https://fedorahosted.org/freeipa/ticket/4676
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
|
|
|
|
|
|
|
|
| |
The removal, which was done in IPA-3.2, causes replication issues between IPA < 3.2 and IPA 4.1. Because IPA 4.1 adds two more attributes.
https://fedorahosted.org/freeipa/ticket/4794
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4744
Reviewed-By: David Kupka <dkupka@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Always use the full CSR when renewing the IPA CA certificate with Dogtag. The
IPA CA certificate may be issued by an external CA, in which case renewal by
serial number does not make sense and will fail if the IPA CA was initially
installed as a subordinate of an external CA.
https://fedorahosted.org/freeipa/ticket/4784
Reviewed-By: David Kupka <dkupka@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Reset profile name after requesting the CA cert from Dogtag to prevent the
automatic renewal request from being restarted in subsequent calls.
https://fedorahosted.org/freeipa/ticket/4765
Reviewed-By: David Kupka <dkupka@redhat.com>
|
|
|
|
|
|
|
|
|
| |
There was error in code, masking was executed more times, even it was
succesful
https://fedorahosted.org/freeipa/ticket/4755
Reviewed-By: David Kupka <dkupka@redhat.com>
|
|
|
|
|
|
|
|
| |
by 66%
https://fedorahosted.org/freeipa/ticket/4792
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
|
|
|
|
|
|
|
| |
Missed part of field refactoring caused that service could not be unprovisioned.
https://fedorahosted.org/freeipa/ticket/4770
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In general, TCP is a better fit for FreeIPA due to large packet sizes.
However, there is also a specific need for TCP when using OTP. If a UDP
packet is delivered to the server and the server takes longer to process
it than the client timeout (likely), the OTP value will be resent.
Unfortunately, this will cause failures or even lockouts. Switching to
TCP avoids this problem altogether.
https://fedorahosted.org/freeipa/ticket/4725
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Makes ipaassignedidview a default attribute and takes care about the
conversion from the DN to the proper ID view name.
https://fedorahosted.org/freeipa/ticket/4774
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
|
|
|
|
|
|
| |
This allows the various OTP related commands to be grouped together
in the IPA CLI documentation.
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
This introduces two new CLI commands:
* otpconfig-show
* otpconfig-mod
https://fedorahosted.org/freeipa/ticket/4511
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4780
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
`--hosts` and `--hostgroup` options added to:
* service-allow-create-keytab
* service-allow-retrieve-keytab
* service-disallow-create-keytab
* service-disallow-retrieve-keytab
* host-allow-create-keytab
* host-allow-retrieve-keytab
* host-disallow-create-keytab
* host-disallow-retrieve-keytab
in order to allow hosts to retrieve keytab of their services or related hosts as described on http://www.freeipa.org/page/V4/Keytab_Retrieval design page
https://fedorahosted.org/freeipa/ticket/4777
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Also, ensure that the last token check only executes on DNs/entries that
are tokens. This resolves a large performance issue where a query was
being performed to load all the user's tokens on every del/mod operation.
https://fedorahosted.org/freeipa/ticket/4697
https://fedorahosted.org/freeipa/ticket/4719
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
|
|
|
|
|
|
|
|
| |
This enables plugins to share authentication configuration cache code.
Additionally, update the caching mechanism to be declarative and faster.
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
|
|
|
|
|
|
|
|
| |
There are no major changes in this commit other than changing filenames
and symbols to have consistent namespaces. This prepares for larger
changes to come in subsequent commits.
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For CA certificates that are not certificates of IPA CA, we incorrectly
set the trust flags to ",,", regardless what the actual trust_flags
parameter was passed.
Make the load_cacert method respect trust_flags and make it a required
argument.
https://fedorahosted.org/freeipa/ticket/4779
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
|
|
|
| |
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
|
|
|
|
|
| |
Ticket: https://fedorahosted.org/freeipa/ticket/4771
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
OTP token tests do not properly reinitialize the NSS db, thus
making subsequent xmlrpc tests fail on SSL cert validation.
Make sure NSS db is re-initalized in the teardown method.
https://fedorahosted.org/freeipa/ticket/4748
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4695
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4693
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
|
|
|
|
| |
Ticket: https://fedorahosted.org/freeipa/ticket/4766
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
|
|
|
|
|
|
|
| |
add --radius=ID --radius-username=radiusUserName to Web UI
https://fedorahosted.org/freeipa/ticket/4686
Reviewed-By: Tomas Babej <tbabej@redhat.com>
|
| |
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4653
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Trust validation requires AD DC to contact IPA server to verify that trust account
actually works. It can fail due to DNS or firewall issue or if AD DC was able to
resolve IPA master(s) via SRV records, it still may contact a replica that has
no trust data replicated yet.
In case AD DC still returns 'access denied', wait 5 seconds and try validation again.
Repeat validation until we hit a limit of 10 attempts, at which point raise
exception telling what's happening.
https://fedorahosted.org/freeipa/ticket/4764
Reviewed-By: Tomas Babej <tbabej@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4713
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4713
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4713
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4713
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4713
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4713
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4713
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4713
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
This file is copied to older servers that might not have the ipaplatform
refactoring.
Import from the old location if the new one is not available.
https://fedorahosted.org/freeipa/ticket/4763
Reviewed-By: Tomas Babej <tbabej@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4643
Reviewed-By: Tomas Babej <tbabej@redhat.com>
|