This is a workaround for <https://fedorahosted.org/389/ticket/47490>.
https://fedorahosted.org/freeipa/ticket/3915
This patch fixes:
- overly long description for the server-trust-ad subpackage
- adds the (noreplace) flag to %{_sysconfdir}/tmpfiles.d/ipa.conf to avoid
overwriting potential user changes
- changes permissions on default_encoding_utf8.so to prevent it from
polluting the python subpackage Provides
- wrong address in the GPL v2 license preamble in 2 distributed files
https://fedorahosted.org/freeipa/ticket/3855
Drops the code from ipa-server-install, ipa-dns-install and the
BindInstance itself. Also changed ipa-upgradeconfig script so
that it does not set zone_refresh to 0 on upgrades, as the option
is deprecated.
https://fedorahosted.org/freeipa/ticket/3632
Properly handle --subject option of ipa-server-install, making sure this
value gets passed to certmap.conf. Introduce a new template variable
$SUBJECT_BASE for this purpose.
Also make sure that this value is preserved on upgrades.
https://fedorahosted.org/freeipa/ticket/3783
Old versions of SSSD do not directly support cross-realm trusts between IPA
and AD. This patch introduces plugins for the ipa-advise tool, which should
help with configuring an old version of SSSD (1.5-1.8) to gain access to
resources in a trusted domain.
Since the configuration steps differ depending on whether the platform includes
the authconfig tool, two plugins are needed:
* config-redhat-sssd-before-1-9 - provides configuration for Red Hat based
systems, as these systems include the authconfig utility
* config-generic-sssd-before-1-9 - provides configuration for other platforms
https://fedorahosted.org/freeipa/ticket/3671
https://fedorahosted.org/freeipa/ticket/3672
https://fedorahosted.org/freeipa/ticket/3749
https://fedorahosted.org/freeipa/ticket/3765
This fixes an outstanding permissions issue from the OTP work.
https://fedorahosted.org/freeipa/ticket/3693
https://fedorahosted.org/freeipa/ticket/3743
The referint plugin does a substring search on these attributes each time an
entry is deleted, which causes a noticeable slowdown for large directories if
the attributes are not indexed.
https://fedorahosted.org/freeipa/ticket/3706
Assign a default priority of 10 to our SASL mappings.
https://fedorahosted.org/freeipa/ticket/3330
Entitlements code was not tested nor supported upstream since
version 3.0. Remove the associated code.
https://fedorahosted.org/freeipa/ticket/3739
This adds a new LDAP attribute ipaRangeType with
OID 2.16.840.1.113730.3.8.11.41 to the LDAP Schema.
ObjectClass ipaIDrange has been altered to require
ipaRangeType attribute.
Part of https://fedorahosted.org/freeipa/ticket/3647
This commit adds schema support for two factor authentication via
OTP devices, including RADIUS or TOTP. This schema will be used
by future patches which will enable two factor authentication
directly.
https://fedorahosted.org/freeipa/ticket/3365
http://freeipa.org/page/V3/OTP
This schema addition will be useful for future commits. It allows us to
define permitted external authentication methods on both the user and
global config. The implementation is generic, but the immediate usage
is for otp support.
https://fedorahosted.org/freeipa/ticket/3365
http://freeipa.org/page/V3/OTP
- add missing closing parenthesis in idnsRecord declaration
- remove extra dollar sign from ipaSudoRule declaration
- handle missing/extraneous X-ORIGIN lines in 10-selinuxusermap.update
This does not use the schema updater because the syntax needs to be
fixed in the files themselves, otherwise 389 1.3.2+ will fail
to start.
Older DS versions transparently fix the syntax errors.
The existing ldap-updater directive for ipaSudoRule is fixed
(ldap-updater runs after upgradeconfig).
https://fedorahosted.org/freeipa/ticket/3578
dc syntax is changed from Directory String to IA5 String to conform
to RFC 2247.
Part of the work for https://fedorahosted.org/freeipa/ticket/3578
This new freeform host attribute will allow provisioning systems
to add custom tags for host objects which can later be used in
automember rules or for additional local interpretation.
Design page: http://www.freeipa.org/page/V3/Integration_with_a_provisioning_systems
Ticket: https://fedorahosted.org/freeipa/ticket/3583
https://fedorahosted.org/freeipa/ticket/3547
A commonName attribute has no meaning in DNS records.
https://fedorahosted.org/freeipa/ticket/3514
These DNS attributeTypes are of a singleton type, update LDAP schema
to reflect it.
https://fedorahosted.org/freeipa/ticket/3440
https://fedorahosted.org/freeipa/ticket/3450
https://fedorahosted.org/freeipa/ticket/3329
Fedora 19 has split the /var/run and /run directories, while in Fedora
18 /var/run used to be a symlink. Thus, named may expect its PID file to be
in a different directory than it really is and fail to start.
Add the pid-file configuration option to named.conf both for new
installations and for upgraded machines.
Remove obsolete BIND GSSAPI configuration options tkey-gssapi-credential
and tkey-domain and replace them with tkey-gssapi-keytab which avoids
unnecessary Kerberos checks on BIND startup and can cause issues when
KDC is not available.
Both new and current IPA installations are updated.
https://fedorahosted.org/freeipa/ticket/3429
Attempt to automatically save DNA ranges when a master is removed.
This is done by trying to find a master that does not yet define
a DNA on-deck range. If one can be found then the range on the deleted
master is added.
If one cannot be found then it is reported as an error.
Some validation of the ranges is done to ensure that they do overlap
an IPA local range and do not overlap existing DNA ranges configured
on other masters.
http://freeipa.org/page/V3/Recover_DNA_Ranges
https://fedorahosted.org/freeipa/ticket/3321
Change user-add's uid & gid parameters from autofill to optional.
Change the DNA magic value to -1.
For old clients, which will still send 999 when they want DNA
assignment, translate the 999 to -1. This is done via a new
capability, optional_uid_params.
Tests included
https://fedorahosted.org/freeipa/ticket/2886
The removal is triggered by generating an invalid RDN when ipaEnabledFlag of
the original entry is FALSE.
https://fedorahosted.org/freeipa/ticket/3437
We did not have the includedir directory with a trailing slash which made
rpm update add a redundant line.
https://fedorahosted.org/freeipa/ticket/3132
IA5 string syntax does not have a compatible ORDERING matching rule.
Simply use default ORDERING for these attributeTypes as we already
do in other cases.
https://fedorahosted.org/freeipa/ticket/3398
Add the missing ipaExternalMember attribute and ipaExternalGroup objectclass.
Replace the misspelled ORDERING value on new installs and upgrades.
https://fedorahosted.org/freeipa/ticket/3398
Update our LDAP schema and add 2 new attributes for SID blacklist
definition. These new attributes can now be set per-trust with
trustconfig command.
https://fedorahosted.org/freeipa/ticket/3289
Update anonymous access ACI so that no users besides Trust Admins
users can read AD Trust key attributes (ipaNTTrustAuthOutgoing,
ipaNTTrustAuthIncoming). The change is applied both for updated
IPA servers and new installations.
This will later allow clients to securely download the CA cert by
performing mutual auth using LDAP with GSSAPI.
Modify the default IPA CA certificate profile to include CRL and
OCSP extensions which will add URIs to IPA CRL&OCSP to published
certificates.
Both CRL and OCSP extensions have 2 URIs, one pointing directly to
the IPA CA which published the certificate and one to a new CNAME
ipa-ca.$DOMAIN which was introduced as a general CNAME pointing
to all IPA replicas which have CA configured.
The new CNAME is added either during new IPA server/replica/CA
installation or during upgrade.
https://fedorahosted.org/freeipa/ticket/3074
https://fedorahosted.org/freeipa/ticket/1431
https://fedorahosted.org/freeipa/ticket/3132
This brings /etc/dirsrv/slapd-REALM/certmap.conf under IPA control.
The file is overwritten on upgrades.
This ensures that the cert for the ipaca user is recognized when
ipa-ca-install is run on older masters.
The new merged database will replicate with both the IPA and CA trees, so all
DS instances (IPA and CA on the existing master, and the merged one on the
replica) need to have the same schema.
Dogtag does all its schema modifications online. Those are replicated normally.
The basic IPA schema, however, is delivered in ldif files, which are not
replicated. The files are not present on old CA DS instances. Any schema
update that references objects in these files will fail.
The whole 99user.ldif (i.e. changes introduced dynamically over LDAP) is
replicated as a blob. If we updated the old master's CA schema dynamically
during replica install, it would conflict with updates done during the
installation: the one with the lower CSN would get lost.
Dogtag's spawn script recently grew a new flag, 'pki_clone_replicate_schema'.
Turning it off tells Dogtag to create its schema in the clone, where the IPA
modifications are taking place, so that it is not overwritten by the IPA schema
on replication.
The patch solves the problems by:
- In __spawn_instance, turning off the pki_clone_replicate_schema flag.
- Providing a script to copy the IPA schema files to the CA DS instance.
The script needs to be copied to old masters and run there.
- At replica CA install, checking if the schema is updated, and failing if not.
The --skip-schema-check option is added to ipa-{replica,ca}-install to
override the check.
All pre-3.1 CA servers in a domain will have to have the script run on them to
avoid schema replication errors.
https://fedorahosted.org/freeipa/ticket/3213
New servers that are installed with dogtag 10 instances will use
a single database instance for dogtag and IPA, albeit with different
suffixes. Dogtag will communicate with the instance through a
database user with permissions to modify the dogtag suffix only.
This user will authenticate using client auth using the subsystem cert
for the instance.
This patch includes changes to allow the creation of masters and clones
with single ds instances.
The password and modrdn plugins needed to be made transaction aware
for the pre and post operations.
Remove the reverse member hoop jumping. Just fetch the entry once
and all the memberof data is there (plus objectclass).
Fix some unit tests that are failing because we actually get the data
now due to transactions.
Add a small bit of code in the user plugin to retrieve the user again,
à la wait_for_attr, but in the case of transactions we need to do it only
once.
Deprecate wait_for_attr code.
Add a memberof fixup task for roles.
https://fedorahosted.org/freeipa/ticket/1263
https://fedorahosted.org/freeipa/ticket/1891
https://fedorahosted.org/freeipa/ticket/2056
https://fedorahosted.org/freeipa/ticket/3043
https://fedorahosted.org/freeipa/ticket/3191
https://fedorahosted.org/freeipa/ticket/3046
The user_u context in the default list was broader than is actually
configured by default on systems.
https://fedorahosted.org/freeipa/ticket/3224
This should work with 389-ds-base 1.2.x and 1.3.0.
Without other plugin changes 389-ds-base can deadlock.
https://fedorahosted.org/freeipa/ticket/3046
Since the CIFS principal is generated by ipa-adtrust-install and is only
usable after setting the CIFS configuration, there is no need to include it
in the default setup.
This should fix upgrades from 2.2 to 3.0 where the CIFS principal does not
exist by default.
https://fedorahosted.org/freeipa/ticket/3041
We do a search looking for duplicate values, but this leaves open the
possibility that two adds are happening at the same time, so both
searches return NotFound and therefore we get two entries with the same
cn value.
https://fedorahosted.org/freeipa/ticket/3017
This patch contains additional minor fixes which were proposed during
review but were not pushed (accidentally). Also amends the name of the
default SMB group in the list of protected groups in group.py.
https://fedorahosted.org/freeipa/ticket/3147
Currently the framework is used to add the group, but we want to avoid
users being added explicitly to the group by removing the
objectclasses groupofnames, ipausergroup and nestedgroup, and we want to
use a name with spaces in it. Since neither is easily possible with the
framework, an LDIF file is used instead to create the group.
Fixes https://fedorahosted.org/freeipa/ticket/3147
This patch adds a build of kerberosauth.xpi (FF Kerberos authentication extension).
Currently the build is done in the install phase of the FreeIPA server. This is to allow signing of the extension by a signing certificate. The signing might not be necessary because the only outcome is that during extension installation FF doesn't show that the maker is not verified. It shows the text: 'Object signing cert'. This might be a bug in httpinstance.py:262 (db.create_signing_cert("Signing-Cert", "Object Signing Cert", ca_db)); the value is in place of the hostname parameter.
If the extension is not signed, it can be created in the rpm build phase, which should make upgrades easier. The current implementation doesn't handle upgrades yet.
In order to keep the extension and config pages independent of a realm, a krb.js.template file was created. This template is used for creating a /usr/share/ipa/html/krb.js file in the install phase which holds FreeIPA's realm and domain information. This information can then be used by config pages by importing this file.
Ticket: https://fedorahosted.org/freeipa/ticket/3094
An unindexed search for ipakrbprincipalalias is fired for every ipa
command (and other authentication events) which would degrade IPA
server performance if not indexed. ipaautomountkey unindexed searches
are hit when new key entries are being added.
Add both indexes to new and updated IPA installs.
https://fedorahosted.org/freeipa/ticket/3020
https://fedorahosted.org/freeipa/ticket/3025
https://fedorahosted.org/freeipa/ticket/2515