| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4010
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4010
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When AD administrator credentials passed, they stored in realm_passwd,
not realm_password in the options.
When passing credentials to ipaserver.dcerpc.fetch_domains(), make sure
to normalize them.
Additionally, force Samba auth module to use NTLMSSP in case we have
credentials because at the point when trust is established, KDC is not
yet ready to issue tickets to a service in the other realm due to
MS-PAC information caching effects. The logic is a bit fuzzy because
credentials code makes decisions on what to use based on the smb.conf
parameters and Python bindings to set parameters to smb.conf make it so
that auth module believes these parameters were overidden by the user
through the command line and ignore some of options. We have to do calls
in the right order to force NTLMSSP use instead of Kerberos.
Fixes https://fedorahosted.org/freeipa/ticket/4046
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4053
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3971
|
|
|
|
|
|
| |
A single LDAP search is now used instead of one search per member.
https://fedorahosted.org/freeipa/ticket/3971
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3971
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3971
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3971
|
|
|
|
|
|
| |
Add the server class name, such as [xmlserver] or [jsonserver_kerb] to
the server logs. This will allow easier debugging of problems specific
to a protocol or server class.
|
|
|
|
| |
Part of the work for: https://fedorahosted.org/freeipa/ticket/3299
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Modify ipalib.rpc to support JSON-RPC in addition to XML-RPC.
This is done by subclassing and extending xmlrpclib, because
our existing code relies on xmlrpclib internals.
The URI to use is given in the new jsonrpc_uri env variable. When
it is not given, it is generated from xmlrpc_uri by replacing
/xml with /json.
The rpc_json_uri env variable existed before, but was unused,
undocumented and not set the install scripts.
This patch removes it in favor of jsonrpc_uri (for consistency
with xmlrpc_uri).
Add the rpc_protocol env variable to control the protocol
IPA uses. rpc_protocol defaults to 'jsonrpc', but may be changed
to 'xmlrpc'.
Make backend.Executioner and tests use the backend specified by
rpc_protocol.
For compatibility with unwrap_xml, decoding JSON now gives tuples
instead of lists.
Design: http://freeipa.org/page/V3/JSON-RPC
Ticket: https://fedorahosted.org/freeipa/ticket/3299
|
|
|
|
|
|
| |
When modifying ticket flags add the objectclass to the object if it is missing.
https://fedorahosted.org/freeipa/ticket/3901
|
|
|
|
|
|
|
|
| |
The project's history is kept in Git. We used the spec changelog
for changes to the spec itself, which doesn't make much sense.
Downstreams like Fedora use their own changelog anyway.
A single entry is left for tools that expect a changelog.
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4042
|
|
|
|
|
|
|
| |
Creating a LDAPEntry from dict does not set the raw entries,
to display everything we need to combine the underlying data.
https://fedorahosted.org/freeipa/ticket/4015
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4021
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For trusted domains base id is calculated using a murmur3 hash of the
domain Security Identifier (SID). During trust-add we create ranges for
forest root domain and other forest domains. Since --base-id explicitly
overrides generated base id for forest root domain, its value should not
be passed to other forest domains' ranges -- their base ids must be
calculated based on their SIDs.
In case base id change for non-root forest domains is required, it can
be done manually through idrange-mod command after the trust is
established.
https://fedorahosted.org/freeipa/ticket/4041
|
|
|
|
|
|
| |
Also split the translations in French and Ukraininan
Part of https://fedorahosted.org/freeipa/ticket/3587
|
|
|
|
|
|
|
|
| |
This object will allow splitting large translatable strings into more
pieces, so translators don't have to re-translate the entire text
when a small part changes.
https://fedorahosted.org/freeipa/ticket/3587
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
During the installation, copy the CA certificate to the systemwide
store (/etc/pki/ca-trust/source/anchors/ipa-ca.crt) and update the
systemwide CA database.
This allows browsers to access IPA WebUI without warning out of the
box.
https://fedorahosted.org/freeipa/ticket/3504
|
|
|
|
| |
Part of: https://fedorahosted.org/freeipa/ticket/3504
|
|
|
|
|
|
|
|
|
| |
Add userClass attribute to:
- user and host adder dialogs
- user and host detail facets
Design page: http://www.freeipa.org/page/V3/Integration_with_a_provisioning_systems
https://fedorahosted.org/freeipa/ticket/3590
|
|
|
|
|
|
|
|
|
| |
This new freeform user attribute will allow provisioning systems
to add custom tags for user objects which can be later used for
automember rules or for additional local interpretation.
Design page: http://www.freeipa.org/page/V3/Integration_with_a_provisioning_systems
https://fedorahosted.org/freeipa/ticket/3588
|
|
|
|
|
|
|
|
|
|
|
| |
Due to a bug[0], python-ldap doesn't parse schema LDIF files correctly
if they use inconsistent capitalization.
This patch works around the bug in IPA schema files.
[0] https://bugzilla.redhat.com/show_bug.cgi?id=1007820
Note: git's --word-diff option is recommended for viewing these changes
|
|
|
|
|
|
| |
Some schema was only delivered in updates. Add it back as ldif files.
https://fedorahosted.org/freeipa/ticket/3454
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The new schema updater only compares textual representations of schema
elements, as formatted by python-ldap.
This works well, but it is too strict for the current schema files in two ways:
- For attribute names in MAY and MUST, the correct letter case must be used
- AttributeTypes must specify explicit EQUALITY and SYNTAX fields even if
they are the same as its supertype's.
When these restrictions are not followed, the updater will always overwrite
the schema element. This is harmless but it fills up the log unnecessarily.
Modify the schema files to conform to these restrictions.
Part of the work for https://fedorahosted.org/freeipa/ticket/3454
Note: git's --word-diff option is recommended for viewing these changes
|
|
|
|
|
|
|
| |
Now that there's a dedicated schema updater, we do not need the code
in ldapupdate.
https://fedorahosted.org/freeipa/ticket/3454
|
|
|
|
|
|
|
| |
As schema is now handled by the schema updater, these entries
are superfluous.
https://fedorahosted.org/freeipa/ticket/3454
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The new updater is run as part of `ipa-ldap-updater --upgrade`
and `ipa-ldap-updater --schema` (--schema is a new option).
The --schema-file option to ipa-ldap-updater may be used (multiple
times) to select a non-default set of schema files to update against.
The updater adds an X-ORIGIN tag with the current IPA version to
all elements it adds or modifies.
https://fedorahosted.org/freeipa/ticket/3454
|
|
|
|
| |
Preparation for: https://fedorahosted.org/freeipa/ticket/3454
|
|
|
|
|
|
|
| |
The connection code will be the same for both the LDAP updater
and the new schema updater.
Preparation for: https://fedorahosted.org/freeipa/ticket/3454
|
|
|
|
| |
Part of ticket https://fedorahosted.org/freeipa/ticket/3821
|
|
|
|
|
|
|
|
|
| |
Option --configure-firefox configures firefox to use Kerberos
credentials within IPA domain
Optional option --firefox-dir=DIR allows to user to specify non-standard
path where firefox install directory is placed.
Part of ticket: https://fedorahosted.org/freeipa/ticket/3821
|
|
|
|
|
| |
Design: http://www.freeipa.org/page/V3/Automember_rebuild_membership
https://fedorahosted.org/freeipa/ticket/3928
|
|
|
|
|
|
| |
Handle selecting an option from a select box.
https://fedorahosted.org/freeipa/ticket/3928
|
|
|
|
|
| |
Design: http://www.freeipa.org/page/V3/Automember_rebuild_membership
https://fedorahosted.org/freeipa/ticket/3928
|
|
|
|
|
|
| |
Also fix object_name and object_name_plural for automember rules.
https://fedorahosted.org/freeipa/ticket/2708
|
|
|
|
|
| |
Design: http://www.freeipa.org/page/V3/Automember_rebuild_membership
https://fedorahosted.org/freeipa/ticket/3752
|
|
|
|
|
| |
Design: http://www.freeipa.org/page/V3/Automember_rebuild_membership
https://fedorahosted.org/freeipa/ticket/3752
|
|
|
|
|
|
|
|
|
|
|
| |
Add a new command to IPA CLI: ipa automember-rebuild
The command integrates the automember rebuild membership task functionality
into IPA CLI. It makes it possible to rebuild automember membership for
groups/hostgroups.
Design: http://www.freeipa.org/page/V3/Automember_rebuild_membership
https://fedorahosted.org/freeipa/ticket/3752
|
|
|
|
|
|
| |
Default to using the EXTERNAL authorization mechanism in calls to ldapmodify
https://fedorahosted.org/freeipa/ticket/3895
|
|
|
|
|
|
|
|
| |
When we get NT_STATUS_INVALID_PARAMETER in response to establish
DCE RPC pipe with Kerberos, the most likely reason is clock skew.
Suggest that it is so in the error message.
https://fedorahosted.org/freeipa/ticket/4024
|
|
|
|
|
|
|
| |
A regression, which prevented creation of a winsync agreement,
was introduced in the original fix for ticket #3989.
https://fedorahosted.org/freeipa/ticket/3989
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Server installer does not properly recognize a situation when server
fqdn is not in a subdomain of the IPA domain, but shares the same
suffix.
For example, if server FQDN is ipa-idm.example.com and domain
is idm.example.com, server's FQDN is not in the main domain, but
installer does not recognize that. proper Kerberos realm-domain
mapping is not created in this case and server does not work
(httpd reports gssapi errors).
https://fedorahosted.org/freeipa/ticket/4012
|
|
|
|
|
| |
The utf8_encode_value/_values functions from ipautil are no longer used.
Remove them.
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3368
|