Commit message | Author | Age | Files | Lines
* Changed CLI to allow to use FILE as optional param | Martin Basti | 2013-12-02 | 1 | -5/+7
* Own /usr/share/ipa/ui/js/ in the spec file. | Jan Cholasta | 2013-12-02 | 1 | -0/+1
  https://fedorahosted.org/freeipa/ticket/4010
* Use hardening flags for ipa-optd. | Jan Cholasta | 2013-12-02 | 2 | -1/+5
  https://fedorahosted.org/freeipa/ticket/4010
* subdomains: Use AD admin credentials when trust is being established | Alexander Bokovoy | 2013-11-29 | 2 | -17/+38
  When AD administrator credentials are passed, they are stored in realm_passwd, not realm_password in the options. When passing credentials to ipaserver.dcerpc.fetch_domains(), make sure to normalize them.
  Additionally, force Samba auth module to use NTLMSSP in case we have credentials because at the point when trust is established, KDC is not yet ready to issue tickets to a service in the other realm due to MS-PAC information caching effects.
  The logic is a bit fuzzy because credentials code makes decisions on what to use based on the smb.conf parameters and Python bindings to set parameters to smb.conf make it so that auth module believes these parameters were overridden by the user through the command line and ignores some of the options. We have to do calls in the right order to force NTLMSSP use instead of Kerberos.
  Fixes https://fedorahosted.org/freeipa/ticket/4046
* Make Expression field required when adding automember condition | Ana Krivokapic | 2013-11-27 | 1 | -2/+4
  https://fedorahosted.org/freeipa/ticket/4053
* Remove unused method get_api of the ldap2 plugin. | Jan Cholasta | 2013-11-27 | 1 | -3/+0
  https://fedorahosted.org/freeipa/ticket/3971
* Refactor indirect membership processing. | Jan Cholasta | 2013-11-27 | 1 | -182/+67
  A single LDAP search is now used instead of one search per member.
  https://fedorahosted.org/freeipa/ticket/3971
* Support searches with paged results control in LDAPClient. | Jan Cholasta | 2013-11-27 | 2 | -18/+61
  https://fedorahosted.org/freeipa/ticket/3971
* Add wrapper for result3 to IPASimpleLDAPObject. | Jan Cholasta | 2013-11-27 | 1 | -0/+5
  https://fedorahosted.org/freeipa/ticket/3971
* Move IPA specific code from LDAPClient to the ldap2 plugin. | Jan Cholasta | 2013-11-27 | 2 | -212/+211
  https://fedorahosted.org/freeipa/ticket/3971
* Add server/protocol type to rpcserver logs | Petr Viktorin | 2013-11-26 | 1 | -4/+17
  Add the server class name, such as [xmlserver] or [jsonserver_kerb] to the server logs. This will allow easier debugging of problems specific to a protocol or server class.
* Make jsonserver_kerb start a cookie-based session | Petr Viktorin | 2013-11-26 | 1 | -1/+10
  Part of the work for: https://fedorahosted.org/freeipa/ticket/3299
* Switch client to JSON-RPC | Petr Viktorin | 2013-11-26 | 18 | -176/+329
  Modify ipalib.rpc to support JSON-RPC in addition to XML-RPC. This is done by subclassing and extending xmlrpclib, because our existing code relies on xmlrpclib internals.
  The URI to use is given in the new jsonrpc_uri env variable. When it is not given, it is generated from xmlrpc_uri by replacing /xml with /json.
  The rpc_json_uri env variable existed before, but was unused, undocumented and not set by the install scripts. This patch removes it in favor of jsonrpc_uri (for consistency with xmlrpc_uri).
  Add the rpc_protocol env variable to control the protocol IPA uses. rpc_protocol defaults to 'jsonrpc', but may be changed to 'xmlrpc'. Make backend.Executioner and tests use the backend specified by rpc_protocol.
  For compatibility with unwrap_xml, decoding JSON now gives tuples instead of lists.
  Design: http://freeipa.org/page/V3/JSON-RPC
  Ticket: https://fedorahosted.org/freeipa/ticket/3299
* Add krbticketPolicyAux objectclass if needed | Simo Sorce | 2013-11-26 | 2 | -0/+35
  When modifying ticket flags add the objectclass to the object if it is missing.
  https://fedorahosted.org/freeipa/ticket/3901
* Remove changelog from the spec | Petr Viktorin | 2013-11-26 | 1 | -732/+3
  The project's history is kept in Git. We used the spec changelog for changes to the spec itself, which doesn't make much sense. Downstreams like Fedora use their own changelog anyway.
  A single entry is left for tools that expect a changelog.
* trusts: Always stop and disable smb service on uninstall | Tomas Babej | 2013-11-26 | 1 | -8/+7
  https://fedorahosted.org/freeipa/ticket/4042
* Improve LDAPEntry.__repr__ for freshly created entries | Petr Viktorin | 2013-11-26 | 1 | -1/+3
  Creating a LDAPEntry from dict does not set the raw entries, to display everything we need to combine the underlying data.
  https://fedorahosted.org/freeipa/ticket/4015
* Remove mod_ssl port workaround. | Jan Cholasta | 2013-11-26 | 3 | -12/+15
  https://fedorahosted.org/freeipa/ticket/4021
* trusts: Do not pass base-id to the subdomain ranges | Tomas Babej | 2013-11-22 | 1 | -0/+5
  For trusted domains base id is calculated using a murmur3 hash of the domain Security Identifier (SID). During trust-add we create ranges for forest root domain and other forest domains. Since --base-id explicitly overrides generated base id for forest root domain, its value should not be passed to other forest domains' ranges -- their base ids must be calculated based on their SIDs.
  In case base id change for non-root forest domains is required, it can be done manually through idrange-mod command after the trust is established.
  https://fedorahosted.org/freeipa/ticket/4041
* Break long doc string in the Host plugin | Petr Viktorin | 2013-11-21 | 4 | -81/+387
  Also split the translations in French and Ukrainian
  Part of https://fedorahosted.org/freeipa/ticket/3587
* Add ConcatenatedLazyText object | Petr Viktorin | 2013-11-21 | 3 | -2/+94
  This object will allow splitting large translatable strings into more pieces, so translators don't have to re-translate the entire text when a small part changes.
  https://fedorahosted.org/freeipa/ticket/3587
* Update translations from Transifex | Petr Viktorin | 2013-11-21 | 17 | -734/+541
* ipa-client-install: Publish CA certificate to systemwide store | Tomas Babej | 2013-11-20 | 3 | -3/+88
  During the installation, copy the CA certificate to the systemwide store (/etc/pki/ca-trust/source/anchors/ipa-ca.crt) and update the systemwide CA database.
  This allows browsers to access IPA WebUI without warning out of the box.
  https://fedorahosted.org/freeipa/ticket/3504
* platform: Add Fedora 19 platform file | Tomas Babej | 2013-11-20 | 3 | -0/+69
  Part of: https://fedorahosted.org/freeipa/ticket/3504
* WebUI: Add userClass attribute to user and host pages | Ana Krivokapic | 2013-11-19 | 2 | -2/+9
  Add userClass attribute to:
  - user and host adder dialogs
  - user and host detail facets
  Design page: http://www.freeipa.org/page/V3/Integration_with_a_provisioning_systems
  https://fedorahosted.org/freeipa/ticket/3590
* Add userClass attribute for users | Ana Krivokapic | 2013-11-19 | 5 | -11/+71
  This new freeform user attribute will allow provisioning systems to add custom tags for user objects which can be later used for automember rules or for additional local interpretation.
  Design page: http://www.freeipa.org/page/V3/Integration_with_a_provisioning_systems
  https://fedorahosted.org/freeipa/ticket/3588
* Unify capitalization of attribute names in schema files | Petr Viktorin | 2013-11-18 | 3 | -19/+19
  Due to a bug[0], python-ldap doesn't parse schema LDIF files correctly if they use inconsistent capitalization. This patch works around the bug in IPA schema files.
  [0] https://bugzilla.redhat.com/show_bug.cgi?id=1007820
  Note: git's --word-diff option is recommended for viewing these changes
* Add formerly update-only schema | Petr Viktorin | 2013-11-18 | 5 | -2/+45
  Some schema was only delivered in updates. Add it back as ldif files.
  https://fedorahosted.org/freeipa/ticket/3454
* Make schema files conform to new updater | Petr Viktorin | 2013-11-18 | 7 | -20/+20
  The new schema updater only compares textual representations of schema elements, as formatted by python-ldap. This works well, but it is too strict for the current schema files in two ways:
  - For attribute names in MAY and MUST, the correct letter case must be used
  - AttributeTypes must specify explicit EQUALITY and SYNTAX fields even if they are the same as its supertype's.
  When these restrictions are not followed, the updater will always overwrite the schema element. This is harmless but it fills up the log unnecessarily.
  Modify the schema files to conform to these restrictions.
  Part of the work for https://fedorahosted.org/freeipa/ticket/3454
  Note: git's --word-diff option is recommended for viewing these changes
* Remove schema special-casing from the LDAP updater | Petr Viktorin | 2013-11-18 | 2 | -130/+12
  Now that there's a dedicated schema updater, we do not need the code in ldapupdate.
  https://fedorahosted.org/freeipa/ticket/3454
* Remove schema modifications from update files | Petr Viktorin | 2013-11-18 | 13 | -532/+1
  As schema is now handled by the schema updater, these entries are superfluous.
  https://fedorahosted.org/freeipa/ticket/3454
* Update the man page for ipa-ldap-updater | Petr Viktorin | 2013-11-18 | 1 | -8/+20
* Add schema updater based on IPA schema files | Petr Viktorin | 2013-11-18 | 4 | -5/+180
  The new updater is run as part of `ipa-ldap-updater --upgrade` and `ipa-ldap-updater --schema` (--schema is a new option).
  The --schema-file option to ipa-ldap-updater may be used (multiple times) to select a non-default set of schema files to update against.
  The updater adds an X-ORIGIN tag with the current IPA version to all elements it adds or modifies.
  https://fedorahosted.org/freeipa/ticket/3454
* dsinstance: Move the list of schema filenames to a constant | Petr Viktorin | 2013-11-18 | 1 | -9/+14
  Preparation for: https://fedorahosted.org/freeipa/ticket/3454
* ldapupdate: Factor out connection code | Petr Viktorin | 2013-11-18 | 1 | -40/+36
  The connection code will be the same for both the LDAP updater and the new schema updater.
  Preparation for: https://fedorahosted.org/freeipa/ticket/3454
* Removed old firefox configuration scripts | Martin Basti | 2013-11-15 | 9 | -191/+0
  Part of ticket https://fedorahosted.org/freeipa/ticket/3821
* ipa-client-install: Added options to configure firefox | Martin Basti | 2013-11-15 | 5 | -4/+122
  Option --configure-firefox configures firefox to use Kerberos credentials within IPA domain
  Optional option --firefox-dir=DIR allows the user to specify non-standard path where firefox install directory is placed.
  Part of ticket: https://fedorahosted.org/freeipa/ticket/3821
* Add web UI integration tests for automember rebuild | Ana Krivokapic | 2013-11-15 | 1 | -0/+197
  Design: http://www.freeipa.org/page/V3/Automember_rebuild_membership
  https://fedorahosted.org/freeipa/ticket/3928
* Web UI integration test driver enhancement | Ana Krivokapic | 2013-11-15 | 1 | -0/+2
  Handle selecting an option from a select box.
  https://fedorahosted.org/freeipa/ticket/3928
* Add automember rebuild command to the web UI | Ana Krivokapic | 2013-11-15 | 5 | -11/+87
  Design: http://www.freeipa.org/page/V3/Automember_rebuild_membership
  https://fedorahosted.org/freeipa/ticket/3928
* Fix error message when adding duplicate automember rule | Ana Krivokapic | 2013-11-15 | 4 | -8/+9
  Also fix object_name and object_name_plural for automember rules.
  https://fedorahosted.org/freeipa/ticket/2708
* Add unit tests for automember rebuild command | Ana Krivokapic | 2013-11-15 | 1 | -13/+540
  Design: http://www.freeipa.org/page/V3/Automember_rebuild_membership
  https://fedorahosted.org/freeipa/ticket/3752
* Add a privilege and a permission needed for automember rebuild command | Ana Krivokapic | 2013-11-15 | 1 | -0/+19
  Design: http://www.freeipa.org/page/V3/Automember_rebuild_membership
  https://fedorahosted.org/freeipa/ticket/3752
* Add automember rebuild command | Ana Krivokapic | 2013-11-15 | 3 | -11/+143
  Add a new command to IPA CLI: ipa automember-rebuild
  The command integrates the automember rebuild membership task functionality into IPA CLI. It makes it possible to rebuild automember membership for groups/hostgroups.
  Design: http://www.freeipa.org/page/V3/Automember_rebuild_membership
  https://fedorahosted.org/freeipa/ticket/3752
* Use EXTERNAL auth mechanism in ldapmodify | Ana Krivokapic | 2013-11-14 | 1 | -10/+10
  Default to using the EXTERNAL authorization mechanism in calls to ldapmodify
  https://fedorahosted.org/freeipa/ticket/3895
* Map NT_STATUS_INVALID_PARAMETER to most likely error cause: clock skew | Alexander Bokovoy | 2013-11-13 | 1 | -0/+3
  When we get NT_STATUS_INVALID_PARAMETER in response to establish DCE RPC pipe with Kerberos, the most likely reason is clock skew. Suggest that it is so in the error message.
  https://fedorahosted.org/freeipa/ticket/4024
* Fix regression which prevents creating a winsync agreement | Ana Krivokapic | 2013-11-13 | 1 | -1/+2
  A regression, which prevented creation of a winsync agreement, was introduced in the original fix for ticket #3989.
  https://fedorahosted.org/freeipa/ticket/3989
* Server does not detect different server and IPA domain | Martin Kosek | 2013-11-11 | 1 | -7/+11
  Server installer does not properly recognize a situation when server fqdn is not in a subdomain of the IPA domain, but shares the same suffix.
  For example, if server FQDN is ipa-idm.example.com and domain is idm.example.com, server's FQDN is not in the main domain, but installer does not recognize that. Proper Kerberos realm-domain mapping is not created in this case and server does not work (httpd reports gssapi errors).
  https://fedorahosted.org/freeipa/ticket/4012
* Remove unused utf8_encode_value functions | Petr Viktorin | 2013-11-08 | 1 | -12/+0
  The utf8_encode_value/_values functions from ipautil are no longer used. Remove them.
* Add tests for user auth type management | Petr Viktorin | 2013-11-08 | 2 | -0/+102
  https://fedorahosted.org/freeipa/ticket/3368