| Commit message | Author | Age | Files | Lines |
| |
Dogtag 10.0.2 changed the default location for this file from /root/.pki
to /root/.dogtag which broke our install.
https://fedorahosted.org/freeipa/ticket/3599
| |
Upgrading from d9 -> d10 does not set up the RESTful interface
in dogtag, they just never coded it. Rather than trying to backport
things they have decided to not support upgrades.
We need to catch this and report a more reasonable error. They are
returning a 501 (HTTP method unimplemented) in this case.
https://fedorahosted.org/freeipa/ticket/3549
| |
https://fedorahosted.org/freeipa/ticket/3600
| |
Log any socket exceptions raised and let the process continue. This
failure isn't a show-stopper. Other checks past this will catch any
other problems.
This was seen when /etc/hosts and /etc/resolv.conf were both empty.
https://fedorahosted.org/freeipa/ticket/3581
| |
time.
https://fedorahosted.org/freeipa/ticket/3564
| |
https://fedorahosted.org/freeipa/ticket/3564
| |
https://fedorahosted.org/freeipa/ticket/3563
| |
Trying to insert nsDS5ReplicatedAttributeListTotal and
nsds5ReplicaStripAttrs to winsync agreements caused upgrade errors.
With this patch, these attributes are skipped for winsync agreements.
Made find_ipa_replication_agreements() in replication.py more
corresponding to find_replication_agreements. It returns list of
entries instead of unicode strings now.
https://fedorahosted.org/freeipa/ticket/3522
| |
Design: http://freeipa.org/page/V3/Drop_selfsign_functionality
Ticket: https://fedorahosted.org/freeipa/ticket/3494
| |
Part of the work for https://fedorahosted.org/freeipa/ticket/3494
| |
This will convert a master with a selfsign CA to a CA-less one in
ipa-upgradeconfig.
The relevant files are left in place and can be used to manage certs
manually.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3494
| |
https://fedorahosted.org/freeipa/ticket/3547
| |
We need to add nfs:NONE as a default PAC type only if there's no
other default PAC type for nfs. Adds an update plugin which
determines whether default PAC type for nfs is set and adds
nfs:NONE PAC type accordingly.
https://fedorahosted.org/freeipa/ticket/3555
| |
In order to have control over the order that updates are applied
a numbering system was created for the update files. These values
were not actually used.
The updates were sorted by DN length and in most cases this was
adequate for proper function. The exception was with roles where
in some cases a role was added as a member of a permission before
the role itself was added so the memberOf value was never created.
Now updates are computed and applied in blocks of 10.
https://fedorahosted.org/freeipa/ticket/3377
| |
This will allow one to backup and restore the IPA files and data. This
does not cover individual entry restoration.
http://freeipa.org/page/V3/Backup_and_Restore
https://fedorahosted.org/freeipa/ticket/3128
| |
https://fedorahosted.org/freeipa/ticket/3552
| |
The CA cert was not loaded, so if it was missing from the PKCS#12 file,
installation would fail.
Pass the cert filename to the server installers and include it in
the NSS DB.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3363
| |
Design: http://freeipa.org/page/V3/CA-less_install
https://fedorahosted.org/freeipa/ticket/3363
| |
Instead of trusting all certificates with friendly names,
now all certs without a "u" flag are trusted as root certs.
| |
wrapper
The CertDB class was meant to be a wrapper around NSS databases,
certutil, pk12util, etc. Unfortunately, over time it grew too
dependent on the particular scenarios it is used in.
Introduce a new class that has no knowledge about IPA configuration,
and move generic code to it.
In the future, generic code should be moved to NSSDatabase, code
for the self-signed CA should be removed, and IPA-specific code may
stay in CertDB (which calls NSSDatabase).
| |
As described on http://www.freeipa.org/page/V3/MultipleTrustServers,
notice if FreeIPA server is a replica and adtrust agents contains members
corresponding to the cifs/ services from replication partners.
Only these servers will be advertised as SMB domain controllers
https://fedorahosted.org/freeipa/ticket/2189
| |
Certificate parsed out of sslget request to pki-ca was not always
properly formatted and it may still contain DOS line endings. Make
sure that the certificate is printed with the correct line ending.
| |
The following is mentioned in the log now:
- existence of host entry (if it already does exist)
- missing krbprincipalname and its new value (if there was no
principal name set)
https://fedorahosted.org/freeipa/ticket/3481
| |
The plugin is configured unconditionally (i.e. does not check if
IPA was configured with DNS) as the plugin is needed on all
replicas to prevent objectclass violations due to missing SOA
serial in idnsZone objectclass. The violation could happen if just
one replica configured DNS and added a new zone.
https://fedorahosted.org/freeipa/ticket/3347
| |
Refactor the named.conf parsing and editing functions in bindinstance
so that both "dynamic-db" and "options" sections of named.conf can
be read and updated
https://fedorahosted.org/freeipa/ticket/3429
| |
SID validation in idrange.py now enforces exact match on SIDs, thus
one can no longer use SID of an object in a trusted domain as a
trusted domain SID.
https://fedorahosted.org/freeipa/ticket/3432
| |
Attempt to automatically save DNA ranges when a master is removed.
This is done by trying to find a master that does not yet define
a DNA on-deck range. If one can be found then the range on the deleted
master is added.
If one cannot be found then it is reported as an error.
Some validation of the ranges is done to ensure that they do overlap
an IPA local range and do not overlap existing DNA ranges configured
on other masters.
http://freeipa.org/page/V3/Recover_DNA_Ranges
https://fedorahosted.org/freeipa/ticket/3321
| |
In addition to removing the module, fix all places where it was imported.
Preparation for: https://fedorahosted.org/freeipa/ticket/3446
| |
Part of the work for: https://fedorahosted.org/freeipa/ticket/3446
| |
Reorganize ipa-server-install so that DS (and NTP server) installation
only happens in step one.
Change CAInstance to behave correctly in two-step install.
Add an `init_info` method to DSInstance that includes common
attribute/sub_dict initialization from create_instance and create_replica.
Use it in ipa-server-install to get a properly configured DSInstance
for later tasks.
https://fedorahosted.org/freeipa/ticket/3459
| |
We want to store the raw value. Tools like ldapsearch will automatically
base64 encode the value because it's binary so we don't want to duplicate
that.
https://fedorahosted.org/freeipa/ticket/3477
| |
Convert all code that uses the 'dn' key of LDAPEntry for this to use the dn
attribute instead.
| |
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
| |
Add a new init argument, ldap_uri, to IPAdmin to make this possible.
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
| |
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
| |
The unbind and unbind_s functions do the same thing (both are synchronous).
In the low-level IPASimpleLDAPObject, unbind_s rather than unbind is kept.
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
| |
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
| |
Also, rename remaining uses of SASL_AUTH to SASL_GSSAPI to better
reflect what it is.
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
| |
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660