freeipa.git - Unnamed repository; edit this file 'description' to name the repository.

	Commit message (Collapse)	Author	Age	Files	Lines
...
*	Allow overriding all attributes of default permissions	Petr Viktorin	2014-04-09	1	-12/+40
\| \| \| \| \| \| \| \| \| \| \| \|	Allow overriding ipapermtarget, ipapermtargetfilter, ipapermlocation, objectclass of default managed permissions. This allows defining permissions that are not tied to an object type. Default values are same as before. Also, do not reset ipapermbindruletype when updating an existing managed permission. Reviewed-By: Martin Kosek <mkosek@redhat.com>
*	Document the managed permission updater operation	Petr Viktorin	2014-04-09	1	-0/+34
\| \| \| \| \| \| \| \| \|	The method was explained on the [Design] page, but as the updater is extended the design page would become obsolete. Document the operation in the docstring of the plugin itself. Design: http://www.freeipa.org/page/V3/Managed_Read_permissions#Default_Permission_Updater Reviewed-By: Martin Kosek <mkosek@redhat.com>
*	Fix upload of CA certificate to LDAP in CA-less install.	Jan Cholasta	2014-04-08	1	-1/+4
\| \| \| \| \| \|	https://fedorahosted.org/freeipa/ticket/4300 Reviewed-By: Martin Kosek <mkosek@redhat.com>
*	Remove unused method is_master of CAInstance.	Jan Cholasta	2014-03-25	1	-15/+0
\| \| \| \|	Reviewed-By: Petr Viktorin <pviktori@redhat.com>
*	Use the same certmonger configuration for both CA masters and clones.	Jan Cholasta	2014-03-25	1	-92/+44
\| \| \| \|	Reviewed-By: Petr Viktorin <pviktori@redhat.com>
*	Merge restart_httpd functionality to renew_ra_cert.	Jan Cholasta	2014-03-25	1	-1/+1
\| \| \| \|	Reviewed-By: Petr Viktorin <pviktori@redhat.com>
*	Merge restart_pkicad functionality to renew_ca_cert and remove restart_pkicad.	Jan Cholasta	2014-03-25	1	-1/+1
\| \| \| \|	Reviewed-By: Petr Viktorin <pviktori@redhat.com>
*	Make the default dogtag-ipa-ca-renew-agent behavior depend on CA setup.	Jan Cholasta	2014-03-25	1	-4/+2
\| \| \| \| \| \| \|	On CA masters, a certificate is requested and stored to LDAP. On CA clones, the certificate is retrieved from LDAP. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
*	Store information about which CA server is master for renewals in LDAP.	Jan Cholasta	2014-03-25	4	-2/+97
\| \| \| \|	Reviewed-By: Petr Viktorin <pviktori@redhat.com>
*	Use dogtag-ipa-ca-renew-agent to track certificates on master CA.	Jan Cholasta	2014-03-25	1	-14/+23
\| \| \| \| \| \| \| \| \|	Before, dogtag-ipa-renew-agent was used to track the certificates and the certificates were stored to LDAP in renew_ca_cert and renew_ra_cert. Since dogtag-ipa-ca-renew-agent can store the certificates itself, the storage code was removed from renew_ca_cert and renew_ra_cert. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
*	Use dogtag-ipa-ca-renew-agent to retrieve renewed certificates from LDAP.	Jan Cholasta	2014-03-25	1	-10/+24
\| \| \| \| \| \|	Before, this was done by dogtag-ipa-retrieve-agent-submit. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
*	Use certmonger D-Bus API to configure certmonger in CA install.	Jan Cholasta	2014-03-25	1	-14/+24
\| \| \| \| \| \|	Before, certmonger was configured by modifying its internal database directly. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
*	Show progress when enabling SSL in DS in ipa-server-install output.	Jan Cholasta	2014-03-25	1	-3/+12
\| \| \| \|	Reviewed-By: Petr Viktorin <pviktori@redhat.com>
*	Remove unused method export_ca_cert of dsinstance.	Jan Cholasta	2014-03-25	1	-5/+0
\| \| \| \|	Reviewed-By: Petr Viktorin <pviktori@redhat.com>
*	Upload CA certificate from DS NSS database in CA-less server install.	Jan Cholasta	2014-03-25	1	-9/+4
\| \| \| \| \| \| \| \| \| \|	Before, the file provided in the --root-ca-file option was used directly for the upload. However, it is the same file which is imported to the NSS database, so the second code path is not necessary. Also removed now unused upload_ca_dercert method of dsinstance. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
*	Use LDAP API to upload CA certificate instead of ldapmodify command.	Jan Cholasta	2014-03-25	1	-5/+18
\| \| \| \|	Reviewed-By: Petr Viktorin <pviktori@redhat.com>
*	Move CACERT definition to a single place.	Jan Cholasta	2014-03-25	9	-11/+13
\| \| \| \|	Reviewed-By: Petr Viktorin <pviktori@redhat.com>
*	Fix certificate renewal scripts to work with separate CA DS instance.	Jan Cholasta	2014-03-25	1	-18/+42
\| \| \| \| \| \|	https://fedorahosted.org/freeipa/ticket/3805 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
*	Add Object metadata and update plugin for managed permissions	Petr Viktorin	2014-03-25	1	-0/+160
\| \| \| \| \| \| \| \|	The default read permission is added for Netgroup as an example. Part of the work for: https://fedorahosted.org/freeipa/ticket/3566 Design: http://www.freeipa.org/page/V3/Managed_Read_permissions Reviewed-By: Martin Kosek <mkosek@redhat.com>
*	ipaserver.install.service: Fix estimated time display	Petr Viktorin	2014-03-13	1	-13/+17
\| \| \| \| \| \| \| \| \| \|	Use basic math rather than timezone conversion to get minutes and seconds. Break out the message generation into a small tested function. https://fedorahosted.org/freeipa/ticket/4242 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
*	ipaserver/dcerpc: make sure to always return unicode SID of the trust domain	Alexander Bokovoy	2014-03-12	1	-1/+1
\| \| \| \| \| \| \| \| \| \|	Trusted domain SID could be obtained through different means. When it is fetched from the AD DC via LDAP, it needs to be extracted from a default context and explicitly converted to unicode. https://fedorahosted.org/freeipa/ticket/4246 Reviewed-By: Martin Kosek <mkosek@redhat.com>
*	Support OTP in form based auth	Petr Vobornik	2014-03-12	1	-6/+32
\| \| \| \| \| \| \| \|	OTP requires to use kerberos FAST channel. Ccache with ticket obtained using ipa.keytab is used as an armor. https://fedorahosted.org/freeipa/ticket/3369 Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
*	ipa-replica-install never checks for 7389 port	Martin Kosek	2014-03-11	2	-7/+21
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	When creating replica from a Dogtag 9 based IPA server, the port 7389 which is required for the installation is never checked by ipa-replica-conncheck even though it knows that it is being installed from the Dogtag 9 based FreeIPA. If the 7389 port would be blocked by firewall, installation would stuck with no hint to user. Make sure that the port configuration parsed from replica info file is used consistently in the installers. https://fedorahosted.org/freeipa/ticket/4240 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
*	adtrustinstance: make sure to stop and disable winbind in uninstall()	Alexander Bokovoy	2014-02-28	1	-2/+5
\| \| \| \|	Reviewed-By: Martin Kosek <mkosek@redhat.com>
*	ipaserver/dcerpc: catch the case of insuffient permissions when establishing ↵	Alexander Bokovoy	2014-02-27	1	-2/+5
\| \| \| \| \| \| \| \| \| \| \| \| \| \|	trust We attempt to delete the trust that might exist already. If there are not enough privileges to do so, we wouldn't be able to create trust at the next step and it will fail. However, failure to create trust will be due to the name collision as we already had the trust with the same name before. Thus, raise access denied exception here to properly indicate wrong access level instead of returning NT_STATUS_OBJECT_NAME_COLLISION. https://fedorahosted.org/freeipa/ticket/4202 Reviewed-By: Martin Kosek <mkosek@redhat.com>
*	trusts: Remove usage of deprecated LDAP API	Tomas Babej	2014-02-27	1	-2/+2
\| \| \| \| \| \| \| \| \|	Remove a reference to the old deprecated LDAP API invoked by the usage of trust_add method. https://fedorahosted.org/freeipa/ticket/4204 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
*	bindinstance: make sure zone manager is initialized in add_master_dns_records	Alexander Bokovoy	2014-02-26	1	-0/+1
\| \| \| \| \| \| \| \| \|	Bind instance is configured using a short-circuited way when replica is set up. Make sure required properties are in place for that. https://fedorahosted.org/freeipa/ticket/4186 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
*	Always use real entry DNs for memberOf in ldap2.	Jan Cholasta	2014-02-24	1	-1/+1
\| \| \| \| \| \|	https://fedorahosted.org/freeipa/ticket/4192 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
*	Clarify error message about missing DNS component in ipa-replica-prepare.	Petr Spacek	2014-02-21	1	-2/+5
\| \| \| \| \| \|	https://fedorahosted.org/freeipa/ticket/4188 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
*	Add OTP last token plugin	Nathaniel McCallum	2014-02-21	1	-0/+4
\| \| \| \| \| \| \| \| \| \|	This plugin prevents the deletion or deactivation of the last valid token for a user. This prevents the user from migrating back to single factor authentication once OTP has been enabled. Thanks to Mark Reynolds for helping me with this patch. Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
*	Add HOTP support	Nathaniel McCallum	2014-02-21	1	-1/+1
\| \| \| \|	Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
*	ipa tool: Print the name of the server we are connecting to with -v	Petr Viktorin	2014-02-05	1	-0/+5
\| \| \| \| \| \| \| \| \| \| \| \| \|	The logging level for these messages was decreaed so that they do not show up in ipa-advise output. Reset the log level to INFO and configure ipa-advise to not display INFO messages from xmlclient by default. Partially reverts commit efe5a96725d3ddcd05b03a1ca9df5597eee693be https://fedorahosted.org/freeipa/ticket/4135 Reviewed-By: Tomáš Babej <tbabej@redhat.com>
*	Remove working directory for bind-dyndb-ldap plugin.	Petr Spacek	2014-01-27	1	-13/+0
\| \| \| \| \| \| \| \| \|	The working directory will be provided directly by bind-dyndb-ldap package. This partially reverts commit 689382dc833e687d30349b10a8fd7dc740d54d08. https://fedorahosted.org/freeipa/ticket/3967
*	Convert remaining frontend code to LDAPEntry API.	Jan Cholasta	2014-01-24	1	-9/+9
\|
*	Convert remaining update code to LDAPEntry API.	Jan Cholasta	2014-01-24	8	-28/+25
\|
*	Convert remaining installer code to LDAPEntry API.	Jan Cholasta	2014-01-24	3	-21/+22
\|
*	Implement XML introspection	Petr Viktorin	2014-01-14	1	-6/+51
\| \| \| \|	https://fedorahosted.org/freeipa/ticket/2937
*	rpcserver: Consolidate __call__ in xmlclient and jsonclient_kerb	Petr Viktorin	2013-12-10	1	-54/+34
\| \| \| \| \| \| \| \| \|	The two classes had very similar __call__ methods, but the JSON server lacked error handling. Create a common class for the __call__ method. https://fedorahosted.org/freeipa/ticket/4069
*	httpd should destroy all CCACHEs	Martin Kosek	2014-01-22	1	-1/+1
\| \| \| \| \| \| \| \|	Use "kdestroy -A" command to destroy all CCACHEs, both the primary and the non-primary ones to make sure that the non-primary ones are not used later. https://fedorahosted.org/freeipa/ticket/4084
*	Switch httpd to use default CCACHE	Martin Kosek	2014-01-22	1	-19/+3
\| \| \| \| \| \| \| \| \| \| \| \| \|	Stock httpd no longer uses systemd EnvironmentFile option which is making FreeIPA's KRB5CCNAME setting ineffective. This can lead in hard to debug problems during subsequent ipa-server-install's where HTTP may use a stale CCACHE in the default kernel keyring CCACHE. Avoid forcing custom CCACHE and switch to system one, just make sure that it is properly cleaned by kdestroy run as "apache" user during FreeIPA server installation process. https://fedorahosted.org/freeipa/ticket/4084
*	ipa-adtrust-install: configure host netbios name by default	Alexander Bokovoy	2014-01-20	1	-0/+3
\| \| \| \| \| \|	Ensure we set host netbios name by default in smb.conf https://fedorahosted.org/freeipa/ticket/4116
*	Treat error during write to /etc/resolv.conf as non-fatal.	Petr Spacek	2014-01-16	1	-5/+8
\| \| \| \|	https://fedorahosted.org/freeipa/ticket/4110
*	Do not start the service in stopped_service if it was not running before.	Jan Cholasta	2014-01-15	1	-3/+0
\| \| \| \|	This fixes a possible NSS database corruption in renew_ca_cert.
*	ipaserver/install/installutils: clean up properly after yield	Alexander Bokovoy	2014-01-15	1	-11/+14
\| \| \| \| \|	When a context to which we yield generates exception, the code in private_ccache() and stopped_service() didn't get called for cleanup.
*	Enable Retro Changelog and Content Synchronization DS plugins	Ana Krivokapic	2014-01-14	1	-0/+13
\| \| \| \| \| \| \| \| \|	Enable Retro Changelog and Content Synchronization DS plugins which are required for SyncRepl support. Create a working directory /var/named/ipa required by bind-dyndb-ldap v4+. https://fedorahosted.org/freeipa/ticket/3967
*	Use raw LDAP data in ldapupdate.	Jan Cholasta	2014-01-10	1	-23/+7
\| \| \| \|	https://fedorahosted.org/freeipa/ticket/3488
*	Store old entry state in dict rather than LDAPEntry.	Jan Cholasta	2014-01-10	1	-2/+2
\| \| \| \|	https://fedorahosted.org/freeipa/ticket/3488
*	Remove legacy LDAPEntry properties data and orig_data.	Jan Cholasta	2014-01-10	2	-8/+4
\| \| \| \|	https://fedorahosted.org/freeipa/ticket/3488
*	Add LDAPEntry method generate_modlist.	Jan Cholasta	2014-01-10	2	-2/+2
\| \| \| \| \| \| \|	Use LDAPEntry.generate_modlist instead of LDAPClient._generate_modlist and remove LDAPClient._generate_modlist. https://fedorahosted.org/freeipa/ticket/3488
*	Reduce amount of LDAPEntry.reset_modlist calls in ldapupdate.	Jan Cholasta	2014-01-10	1	-8/+4
\| \| \| \|	https://fedorahosted.org/freeipa/ticket/3488