summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Become 3.2.0 Beta 1beta_1-3-2-0Rob Crittenden2013-04-161-2/+2
|
* Require new samba and krb5Martin Kosek2013-04-161-4/+9
| | | | | | | | | | Require samba 4.0.5 (passdb API changed). Make sure that we use the right epoch number with samba so that the Requires is correctly enforced. Require krb5 1.11.2-1 to fix missing PAC issue. Also fix backup dir permissions.
* Update only selected attributes for winsync agreementTomas Babej2013-04-165-17/+33
| | | | | | | | | | | | Trying to insert nsDS5ReplicatedAttributeListTotal and nsds5ReplicaStripAttrs to winsync agreements caused upgrade errors. With this patch, these attributes are skipped for winsync agreements. Made find_ipa_replication_agreements() in replication.py more corresponding to find_replication_agreements. It returns list of entries instead of unicode strings now. https://fedorahosted.org/freeipa/ticket/3522
* Integrate realmdomains with IPA DNSAna Krivokapic2013-04-164-1/+248
| | | | | | | | | | | | | Add an entry to realmdomains when a DNS zone is added to IPA. Delete the related entry from realmdomains when the DNS zone is deleted from IPA. Add _kerberos TXT record to DNS zone when a new realmdomain is added. Delete _kerberos TXT record from DNS zone when realmdomain is deleted. Add unit tests to cover new functionality. https://fedorahosted.org/freeipa/ticket/3544
* Drop --selfsign server functionalityPetr Viktorin2013-04-1510-808/+140
| | | | | Design: http://freeipa.org/page/V3/Drop_selfsign_functionality Ticket: https://fedorahosted.org/freeipa/ticket/3494
* Remove obsolete self-sign references from man pages, docstrings, commentsPetr Viktorin2013-04-156-13/+8
| | | | Part of the work for https://fedorahosted.org/freeipa/ticket/3494
* Uninstall selfsign CA on upgradePetr Viktorin2013-04-154-8/+43
| | | | | | | | | This will convert a master with a selfsign CA to a CA-less one in ipa-upgradeconfig. The relevant files are left in place and can be used to manage certs manually. Part of the work for: https://fedorahosted.org/freeipa/ticket/3494
* Delete DNS records in ipa-ca on ipa-csreplica-manage del.Jan Cholasta2013-04-151-1/+13
| | | | https://fedorahosted.org/freeipa/ticket/3547
* Use A/AAAA records instead of CNAME records in ipa-ca.Jan Cholasta2013-04-156-53/+142
| | | | https://fedorahosted.org/freeipa/ticket/3547
* Update translations from TransifexPetr Viktorin2013-04-1518-5902/+7895
|
* Add nfs:NONE to default PAC types only when neededTomas Babej2013-04-153-5/+58
| | | | | | | | | We need to add nfs:NONE as a default PAC type only if there's no other default PAC type for nfs. Adds a update plugin which determines whether default PAC type for nfs is set and adds nfs:NONE PAC type accordingly. https://fedorahosted.org/freeipa/ticket/3555
* ipa-server-install: correct help text for --external_{cert,ca}_filePetr Viktorin2013-04-152-7/+7
| | | | | | | The options take PEM certificates, not PKCS#10. This corrects both the --help output and the man page. https://fedorahosted.org/freeipa/ticket/3523
* Deprecate HBAC source hosts from CLIAna Krivokapic2013-04-129-256/+86
| | | | | | | | | | | | | Hide the commands and options listed below from the CLI, but keep them in the API. When called directly from the API, raise appropriate exceptions informing the user that the functionality has been deprecated. Affected commands: hbacrule_add_sourcehost, hbacrule_remove_sourcehost. Affected options: sourcehostcategory, sourcehost_host and sourcehost_hostgroup (hbacrule); sourcehost (hbactest). https://fedorahosted.org/freeipa/ticket/3528
* Remove any reference to HBAC source hosts from helpAna Krivokapic2013-04-122-12/+10
| | | | https://fedorahosted.org/freeipa/ticket/3528
* Remove HBAC source hosts from web UIAna Krivokapic2013-04-123-94/+0
| | | | https://fedorahosted.org/freeipa/ticket/3528
* Revert "Fix permission_find test error"Rob Crittenden2013-04-121-0/+1
| | | | | | | This reverts commit f7e27b547547be06f511a3ddfaff8db7d0b7898f. This test was failing because we were adding a permission as a member of a role before creating the permission, so no memberof was generated.
* Apply LDAP update files in blocks of 10, as originally designed.Rob Crittenden2013-04-125-8/+49
| | | | | | | | | | | | | | | In order to have control over the order that updates are applied a numbering system was created for the update files. These values were not actually used. The updates were sorted by DN length and in most cases this was adequate for proper function. The exception was with roles where in some cases a role was added as a member of a permission before the role itself was added so the memberOf value was never created. Now updates are computed and applied in blocks of 10. https://fedorahosted.org/freeipa/ticket/3377
* Full system backup and restoreRob Crittenden2013-04-1212-133/+1648
| | | | | | | | | This will allow one to backup and restore the IPA files and data. This does not cover individual entry restoration. http://freeipa.org/page/V3/Backup_and_Restore https://fedorahosted.org/freeipa/ticket/3128
* Add missing summary message to dnszone_delAna Krivokapic2013-04-112-4/+6
| | | | https://fedorahosted.org/freeipa/ticket/3503
* Fix output for some CLI commandsAna Krivokapic2013-04-115-19/+21
| | | | | | | | | Fix output of dnsrecord_del: it now uses output.standard_delete and excludes --all and --raw flags. Fix output of sudorule_{add,remove}_option: they now use output.standard_entry and include --all and --raw flags. https://fedorahosted.org/freeipa/ticket/3503
* Use only one URL for OCSP and CRL in IPA certificate profile.Jan Cholasta2013-04-111-45/+14
| | | | https://fedorahosted.org/freeipa/ticket/3552
* Remove 'cn' attribute from idnsRecord and idnsZone objectClassesPetr Viktorin2013-04-102-1/+2
| | | | | | A commonName attribute has no meaning in DNS records. https://fedorahosted.org/freeipa/ticket/3514
* Fix regression in group type selection in group adder dialogPetr Vobornik2013-04-101-4/+3
| | | | Refactoring of radio widget (04325fbb4c64ee4aef6d8c9adf0ff95b8b653101) caused that value is no longer supplied to value_change handler.
* Don't show trusts pages when trust is not configuredPetr Vobornik2013-04-103-2/+49
| | | | | | When trust is not configured trust-config page is raising an error. Trusts search page won't find anything either -> no use for the pages -> hiding. https://fedorahosted.org/freeipa/ticket/3333
* Global trust config pagePetr Vobornik2013-04-107-3/+259
| | | | https://fedorahosted.org/freeipa/ticket/3333
* Fix trustconfig-mod primary group errorMartin Kosek2013-04-101-1/+1
| | | | | | | As find_entry_by_attr no longer adds $SUFFIX to searched base DN, trustconfig-mod could not find POSIX group to when validating the new ipantfallbackprimarygroup value. This patch fixes this regression.
* Fix two failing tests due to missing krb ticket flagsRob Crittenden2013-04-091-0/+4
|
* Filter groups by type (POSIX, non-POSIX, external)Petr Vobornik2013-04-095-3/+151
| | | | | | | | | | | Added flag for each groups type: --posix, --nonposix, --external to group-find command. Group types: * non-POSIX: not posix, not external * POSIX: with objectclass posixgroup * external: with objectclass ipaexternalgroup https://fedorahosted.org/freeipa/ticket/3483
* Do actually stop pki_cad in stop_pkicad instead of starting it.Jan Cholasta2013-04-091-2/+2
| | | | https://fedorahosted.org/freeipa/ticket/3554
* Run permission target switch action only for visible widgetsPetr Vobornik2013-04-051-1/+1
| | | | | | | | | | | | Permission details page was incorrectly evaluated as dirty (update button enabled) right after load when permission type={subtree,filter} and some attrs are set. Can be reproduced by opening 'Modify Automount maps' permission. The culprit is that attrs widget is populated and dirty-checked even targets where it doesn't belong. Fixed by running target_mapping action only for visible targets. https://fedorahosted.org/freeipa/ticket/3527
* spec: detect Kerberos DAL driver ABI change from installed krb5-develAlexander Bokovoy2013-04-041-2/+10
| | | | | | | Find out Kerberos middle version to infer ABI changes in DAL driver. We cannot load DAL driver into KDC with wrong ABI. This is also needed to support ipa-devel repository where krb5 1.11 is available for Fedora 18.
* Add ipakrbokasdelegate option to service and host Web UI pagesPetr Vobornik2013-04-048-5/+45
| | | | https://fedorahosted.org/freeipa/ticket/3329
* Remove CA cert on client uninstallAna Krivokapic2013-04-041-0/+9
| | | | | | | | The CA cert (/etc/ipa/ca.crt) was not being removed on client uninstall, causing failure on subsequent client installation in some cases. https://fedorahosted.org/freeipa/ticket/3537
* Display full command documentation in online helpPetr Viktorin2013-04-032-1/+28
| | | | | | | | | | ipa <command> -h only showed the summary string, not the full help. Use the full docstring. Add a custom help formatter that disables optparse's reformatting. Test included https://fedorahosted.org/freeipa/ticket/3543
* Become 3.2.0 Prerelease 1release-3-2-0-pre1Martin Kosek2013-04-021-3/+3
|
* Improve DNAME record validationMartin Kosek2013-04-022-12/+102
| | | | | | | | | Extend DNS RR conflict check and forbid DNAME+NS combination unless it is done in root DNS zone record. Add tests to verify this enforced check. https://fedorahosted.org/freeipa/ticket/3449
* Improve CNAME record validationMartin Kosek2013-04-022-40/+41
| | | | | | | | | | | Refactor DNS RR conflict validator so that it is better extensible in the future. Also check that there is only one CNAME defined for a DNS record. PTR+CNAME record combination is no longer allowed as we found out it does not make sense to have this combination. https://fedorahosted.org/freeipa/ticket/3450
* Change CNAME and DNAME attributes to single valuedMartin Kosek2013-04-022-2/+4
| | | | | | | | These DNS attributeTypes are of a singleton type, update LDAP schema to reflect it. https://fedorahosted.org/freeipa/ticket/3440 https://fedorahosted.org/freeipa/ticket/3450
* Require 389-base-base 1.3.0.5Martin Kosek2013-04-021-1/+8
| | | | | | | | | Pulls the following fixes: - upgrade deadlock caused by DNA plugin reconfiguration - CVE-2013-1897: unintended information exposure when rootdse is enabled https://fedorahosted.org/freeipa/ticket/3540
* Properly handle ipa-replica-install when its zone is not managed by IPATomas Babej2013-04-021-6/+16
| | | | | | | | | The ipa-replica-install script tries to add replica's A and PTR records to the master DNS, if master does manage DNS. However, master need not manage replica's zone. Properly handle this use case. https://fedorahosted.org/freeipa/ticket/3496
* ipa-pwd-extop: do not use dn until it is really setSumit Bose2013-04-021-20/+20
| | | | https://fedorahosted.org/freeipa/ticket/3539
* Web UI: Disable cert functionality if a CA is not availablePetr Vobornik2013-04-021-11/+13
| | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/3363
* ipa-client-install: Do not request host certificate if server is CA-lessPetr Viktorin2013-04-021-10/+37
| | | | https://fedorahosted.org/freeipa/ticket/3536
* Do not call cert-* commands in host plugin if a RA is not availablePetr Viktorin2013-04-021-76/+87
| | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/3363
* Load the CA cert into server NSS databasesPetr Viktorin2013-04-026-15/+32
| | | | | | | | | The CA cert was not loaded, so if it was missing from the PKCS#12 file, installation would fail. Pass the cert filename to the server installers and include it in the NSS DB. Part of the work for: https://fedorahosted.org/freeipa/ticket/3363
* Support installing with custom SSL certs, without a CAPetr Viktorin2013-04-027-31/+217
| | | | | Design: http://freeipa.org/page/V3/CA-less_install https://fedorahosted.org/freeipa/ticket/3363
* dsinstance, httpinstance: Don't hardcode 'Server-Cert'Petr Viktorin2013-04-022-12/+22
|
* Trust CAs from PKCS#12 files even if they don't have Friendly NamesPetr Viktorin2013-04-021-1/+2
| | | | | Instead of trusting all certificates with friendly names, now all certs without a "u" flag are trusted as root certs.
* ipaserver.install.certs: Introduce NSSDatabase as a more generic certutil ↵Petr Viktorin2013-04-021-95/+191
| | | | | | | | | | | | | | wrapper The CertDB class was meant to be a wrapper around NSS databases, certutil, pk12util, etc. Unfortunately, over time it grew too dependent on the particular scenarios it is used in. Introduce a new class that has no knowledge about IPA configuration, and move generic code to it. In the future, generic code should be moved to NSSDatabase, code for the self-signed CA should be removed, and IPA-specific code may stay in CertDB (which calls NSSDatabase).
* Remove unused ipapython.certdb.CertDB classPetr Viktorin2013-04-021-127/+0
|
generated by cgit (git 2.34.1) at 2024-05-08 03:55:57 +0000