| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
|
|
|
|
|
|
| |
Require samba 4.0.5 (passdb API changed). Make sure that we use the
right epoch number with samba so that the Requires is correctly
enforced.
Require krb5 1.11.2-1 to fix missing PAC issue.
Also fix backup dir permissions.
|
|
|
|
|
|
|
|
|
|
|
|
| |
Trying to insert nsDS5ReplicatedAttributeListTotal and
nsds5ReplicaStripAttrs to winsync agreements caused upgrade errors.
With this patch, these attributes are skipped for winsync agreements.
Made find_ipa_replication_agreements() in replication.py more
corresponding to find_replication_agreements. It returns list of
entries instead of unicode strings now.
https://fedorahosted.org/freeipa/ticket/3522
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add an entry to realmdomains when a DNS zone is added to IPA.
Delete the related entry from realmdomains when the DNS zone is deleted
from IPA.
Add _kerberos TXT record to DNS zone when a new realmdomain is added.
Delete _kerberos TXT record from DNS zone when realmdomain is deleted.
Add unit tests to cover new functionality.
https://fedorahosted.org/freeipa/ticket/3544
|
|
|
|
|
| |
Design: http://freeipa.org/page/V3/Drop_selfsign_functionality
Ticket: https://fedorahosted.org/freeipa/ticket/3494
|
|
|
|
| |
Part of the work for https://fedorahosted.org/freeipa/ticket/3494
|
|
|
|
|
|
|
|
|
| |
This will convert a master with a selfsign CA to a CA-less one in
ipa-upgradeconfig.
The relevant files are left in place and can be used to manage certs
manually.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3494
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3547
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3547
|
| |
|
|
|
|
|
|
|
|
|
| |
We need to add nfs:NONE as a default PAC type only if there's no
other default PAC type for nfs. Adds a update plugin which
determines whether default PAC type for nfs is set and adds
nfs:NONE PAC type accordingly.
https://fedorahosted.org/freeipa/ticket/3555
|
|
|
|
|
|
|
| |
The options take PEM certificates, not PKCS#10.
This corrects both the --help output and the man page.
https://fedorahosted.org/freeipa/ticket/3523
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Hide the commands and options listed below from the CLI,
but keep them in the API. When called directly from the API,
raise appropriate exceptions informing the user that the
functionality has been deprecated.
Affected commands: hbacrule_add_sourcehost, hbacrule_remove_sourcehost.
Affected options: sourcehostcategory, sourcehost_host and
sourcehost_hostgroup (hbacrule); sourcehost (hbactest).
https://fedorahosted.org/freeipa/ticket/3528
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3528
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3528
|
|
|
|
|
|
|
| |
This reverts commit f7e27b547547be06f511a3ddfaff8db7d0b7898f.
This test was failing because we were adding a permission as a member
of a role before creating the permission, so no memberof was generated.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In order to have control over the order that updates are applied
a numbering system was created for the update files. These values
were not actually used.
The updates were sorted by DN length and in most cases this was
adequate for proper function. The exception was with roles where
in some cases a role was added as a member of a permission before
the role itself was added so the memberOf value was never created.
Now updates are computed and applied in blocks of 10.
https://fedorahosted.org/freeipa/ticket/3377
|
|
|
|
|
|
|
|
|
| |
This will allow one to backup and restore the IPA files and data. This
does not cover individual entry restoration.
http://freeipa.org/page/V3/Backup_and_Restore
https://fedorahosted.org/freeipa/ticket/3128
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3503
|
|
|
|
|
|
|
|
|
| |
Fix output of dnsrecord_del: it now uses output.standard_delete
and excludes --all and --raw flags.
Fix output of sudorule_{add,remove}_option: they now use
output.standard_entry and include --all and --raw flags.
https://fedorahosted.org/freeipa/ticket/3503
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3552
|
|
|
|
|
|
| |
A commonName attribute has no meaning in DNS records.
https://fedorahosted.org/freeipa/ticket/3514
|
|
|
|
| |
Refactoring of radio widget (04325fbb4c64ee4aef6d8c9adf0ff95b8b653101) caused that value is no longer supplied to value_change handler.
|
|
|
|
|
|
| |
When trust is not configured trust-config page is raising an error. Trusts search page won't find anything either -> no use for the pages -> hiding.
https://fedorahosted.org/freeipa/ticket/3333
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3333
|
|
|
|
|
|
|
| |
As find_entry_by_attr no longer adds $SUFFIX to searched base DN,
trustconfig-mod could not find POSIX group to when validating the
new ipantfallbackprimarygroup value. This patch fixes this
regression.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Added flag for each groups type: --posix, --nonposix, --external to group-find command.
Group types:
* non-POSIX: not posix, not external
* POSIX: with objectclass posixgroup
* external: with objectclass ipaexternalgroup
https://fedorahosted.org/freeipa/ticket/3483
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3554
|
|
|
|
|
|
|
|
|
|
|
|
| |
Permission details page was incorrectly evaluated as dirty (update button enabled) right after load when permission type={subtree,filter} and some attrs are set.
Can be reproduced by opening 'Modify Automount maps' permission.
The culprit is that attrs widget is populated and dirty-checked even targets where it doesn't belong.
Fixed by running target_mapping action only for visible targets.
https://fedorahosted.org/freeipa/ticket/3527
|
|
|
|
|
|
|
| |
Find out Kerberos middle version to infer ABI changes in DAL driver.
We cannot load DAL driver into KDC with wrong ABI. This is also needed to
support ipa-devel repository where krb5 1.11 is available for Fedora 18.
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3329
|
|
|
|
|
|
|
|
| |
The CA cert (/etc/ipa/ca.crt) was not being removed
on client uninstall, causing failure on subsequent client
installation in some cases.
https://fedorahosted.org/freeipa/ticket/3537
|
|
|
|
|
|
|
|
|
|
| |
ipa <command> -h only showed the summary string, not the full help.
Use the full docstring. Add a custom help formatter that disables
optparse's reformatting.
Test included
https://fedorahosted.org/freeipa/ticket/3543
|
| |
|
|
|
|
|
|
|
|
|
| |
Extend DNS RR conflict check and forbid DNAME+NS combination unless
it is done in root DNS zone record.
Add tests to verify this enforced check.
https://fedorahosted.org/freeipa/ticket/3449
|
|
|
|
|
|
|
|
|
|
|
| |
Refactor DNS RR conflict validator so that it is better extensible in
the future. Also check that there is only one CNAME defined for
a DNS record.
PTR+CNAME record combination is no longer allowed as we found out it
does not make sense to have this combination.
https://fedorahosted.org/freeipa/ticket/3450
|
|
|
|
|
|
|
|
| |
These DNS attributeTypes are of a singleton type, update LDAP schema
to reflect it.
https://fedorahosted.org/freeipa/ticket/3440
https://fedorahosted.org/freeipa/ticket/3450
|
|
|
|
|
|
|
|
|
| |
Pulls the following fixes:
- upgrade deadlock caused by DNA plugin reconfiguration
- CVE-2013-1897: unintended information exposure when rootdse is
enabled
https://fedorahosted.org/freeipa/ticket/3540
|
|
|
|
|
|
|
|
|
| |
The ipa-replica-install script tries to add replica's A and PTR
records to the master DNS, if master does manage DNS. However,
master need not manage replica's zone. Properly handle this use
case.
https://fedorahosted.org/freeipa/ticket/3496
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3539
|
|
|
|
| |
Part of the work for: https://fedorahosted.org/freeipa/ticket/3363
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3536
|
|
|
|
| |
Part of the work for: https://fedorahosted.org/freeipa/ticket/3363
|
|
|
|
|
|
|
|
|
| |
The CA cert was not loaded, so if it was missing from the PKCS#12 file,
installation would fail.
Pass the cert filename to the server installers and include it in
the NSS DB.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3363
|
|
|
|
|
| |
Design: http://freeipa.org/page/V3/CA-less_install
https://fedorahosted.org/freeipa/ticket/3363
|
| |
|
|
|
|
|
| |
Instead of trusting all certificates with friendly names,
now all certs without a "u" flag are trusted as root certs.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
wrapper
The CertDB class was meant to be a wrapper around NSS databases,
certutil, pk12util, etc. Unfortunately, over time it grew too
dependent on the particular scenarios it is used in.
Introduce a new class that has no knowledge about IPA configuration,
and move generic code to it.
In the future, generic code should be moved to NSSDatabase, code
for the self-signed CA should be removed, and IPA-specific code may
stay in CertDB (which calls NSSDatabase).
|
| |
|