Commit message | Author | Age | Files | Lines
* Become IPA 3.0.1 [release-3-0-1] | Rob Crittenden | 2012-11-09 | 1 | -1/+1
* Disable global forwarding per-zone | Martin Kosek | 2012-11-09 | 4 | -8/+27
| bind-dyndb-ldap allows disabling global forwarder per-zone. This may be useful in a scenario when we do not want requests to delegated sub-zones (like sub.example.com. in zone example.com.) to be routed through global forwarder.
| Few lines to help added to explain the feature to users too.
| https://fedorahosted.org/freeipa/ticket/3209
* Do not require resolvable nameserver in DNS install | Martin Kosek | 2012-11-09 | 1 | -7/+5
| As named.conf and bind-dyndb-plugin is not set up yet during DNS configuration phase, IPA hostname (i.e. the nameserver) should not be required to be resolvable in this phase.
| https://fedorahosted.org/freeipa/ticket/3248
* ipa-adtrust-install: allow to reset the NetBIOS domain name | Sumit Bose | 2012-11-08 | 3 | -22/+117
| Fixes https://fedorahosted.org/freeipa/ticket/3192
* Handle the case where there are no replicas with list-ruv | Rob Crittenden | 2012-11-07 | 1 | -10/+11
| This assumed that at least was returned by LDAP. This is not the case if no replicas have ever been created.
| https://fedorahosted.org/freeipa/ticket/3229
* Process relative nameserver DNS record correctly | Martin Kosek | 2012-11-06 | 5 | -36/+224
| Nameserver hostname passed to dnszone_add command was always treated as FQDN even though it was a relative DNS name to the new zone. All relative names were being rejected as unresolvable.
| Modify --name-server option processing in dnszone_add and dnszone_mod to respect FQDN/relative DNS name and do the checks accordingly. With this change, user can add a new zone "example.com" and let dnszone_add to create NS record "ns" in it, when supplied with its IP address. IP address check is more strict so that it is not entered when no forward record is created. Places misusing the option were fixed.
| Nameserver option now also accepts zone name, which means that NS and A record is placed to DNS zone itself. Also "@" is accepted as a nameserver name, BIND understands it also as a zone name. As a side-effect of this change, other records with hostname part (MX, KX, NS, SRV) accept "@" as valid hostname. BIND replaces it with respective zone name as well.
| Unit tests were updated to test the new format.
| https://fedorahosted.org/freeipa/ticket/3204
* Clarify trust-add help regarding multiple runs against the same domain | Alexander Bokovoy | 2012-11-02 | 1 | -3/+25
| Since trust-add re-establishes the trust every time it is run and all the other information fetched from the remote domain controller stays the same, it can be run multiple times. The only change would occur is update of trust relationship credentials -- they are supposed to be updated periodically by underlying infrastructure anyway.
* Set MLS/MCS for user_u context to what will be on remote systems. | Rob Crittenden | 2012-11-02 | 2 | -2/+2
| The user_u context in the default list was broader than is actually configured by default on systems.
| https://fedorahosted.org/freeipa/ticket/3224
* Reword description of the --passsync option of ipa-replica-manage. | Jan Cholasta | 2012-11-02 | 2 | -2/+6
| https://fedorahosted.org/freeipa/ticket/3208
* Resolve external members from trusted domain via Global Catalog | Alexander Bokovoy | 2012-11-01 | 3 | -26/+258
| A sequence is following:
| 1. Match external member against existing trusted domain
| 2. Find trusted domain's domain controller and preferred GC hosts
| 3. Fetch trusted domain account auth info
| 4. Set up ccache in /var/run/ipa_memcached/krb5cc_TD<domain> with principal ourdomain$@trusted.domain
| 5. Do LDAP SASL interactive bind using the ccache
| 6. Search for the member's SID
| 7. Decode SID
| 8. Replace external member name by SID
* Save service name on service startup/shutdown | Simo Sorce | 2012-11-01 | 4 | -0/+50
| This is done as a default action of the ancestor class so that no matter what platform is currently used this code is always the same and the name is the wellknown service name.
| This information will be used by ipactl to stop only and all the services that have been started by any ipa tool/install script
* Revert "Save service name on service startup" | Simo Sorce | 2012-11-01 | 4 | -29/+0
| This reverts commit f5805379277d0d9a2685aba69db49c95a36a6d1f.
| This was an old version of the patch, next commit will put in the acked version.
* Wait for the directory server to come up when updating the agent certificate. | Rob Crittenden | 2012-11-01 | 2 | -31/+73
| It is possible that either or both of the LDAP instances are being restarted during the renewal process. Make the script retry if this is the case.
| It is also safe to re-run this script if it fails. It will take the current ipaCert certificate and attempt to update the agent information in LDAP.
| https://fedorahosted.org/freeipa/ticket/3179
* Get list of service from LDAP only at startup | Simo Sorce | 2012-11-01 | 3 | -55/+161
| We check (possibly different) data from LDAP only at (re)start. This way we always shutdown exactly the services we started even if the list changed in the meanwhile (we avoid leaving a service running even if it was removed from LDAP as the admin decided it should not be started in future).
| This should also fix a problematic deadlock with systemd when we try to read the list of service from LDAP at shutdown.
* Save service name on service startup | Simo Sorce | 2012-11-01 | 4 | -0/+29
| This is done as a default action of the ancestor class so that no matter what platform is currently used this code is always the same and the name is the wellknown service name.
| This information will be used by ipactl to stop only and all the services that have been started by any ipa tool/install script
* Preserve original service_name in services | Simo Sorce | 2012-11-01 | 2 | -15/+16
| This is needed to be able to reference stuff always with the same name. The platform specific private name must be kept in a platform specific variable.
| In the case of systemd we store it in systemd_name.
| For the redhat platform wellknown names and service name are the same so currently no special name is needed.
* After uninstall see if certmonger is still tracking any of our certs. | Rob Crittenden | 2012-11-01 | 2 | -1/+45
| Rather than providing a list of nicknames I'm going to look at the NSS databases directly. Anything in there is suspect and this will help future-proof us.
| certmonger may be tracking other certificates but we only care about a subset of them, so don't complain if there are other tracked certificates.
| This reads the certmonger files directly so the service doesn't need to be started.
| https://fedorahosted.org/freeipa/ticket/2702
* Use common encoding in modlist generation | Martin Kosek | 2012-11-01 | 1 | -0/+16
| ldap2 server plugin generates a modlist for every IPA command entry modification. However, encoding of attributes entry_attrs generated by our framework still does not match entry read from LDAP (until ticket #2265 is addressed), convert compared values to common ground so that the comparison does not report false positives when encoding do not match (e.g. 'int' and 'unicode').
| https://fedorahosted.org/freeipa/ticket/3220
* IPA Server check in ipa-replica-manage | Tomas Babej | 2012-10-31 | 2 | -1/+62
| When executing ipa-replica-manage connect to a master that raises NotFound error we now check if the master is at least IPA server. If so, we inform the user that it is probably foreign or previously deleted master. If not, we inform the user that the master is not an IPA server at all.
| https://fedorahosted.org/freeipa/ticket/3105
* Restart httpd if ipa-server-trust-ad is installed or updated | Sumit Bose | 2012-10-31 | 1 | -0/+14
| If ipa-server-trust-ad is installed after the ipa server is installed and configured, httpd needs a restart for additional python modules to be loaded into httpd on IPA initialization.
| Fixes https://fedorahosted.org/freeipa/ticket/3185
* The SECURE_NFS value needs to be lower-case yes on SysV systems. | Rob Crittenden | 2012-10-26 | 1 | -1/+1
| The sysV rpcgssd init script tests for [ "${SECURE_NFS}" != "yes" ]. This also works as lower case for system so a simple fix.
| https://fedorahosted.org/freeipa/ticket/3207
* Remove serverctrls and clientctrls options from rename_s | Martin Kosek | 2012-10-26 | 1 | -2/+5
| python-ldap of version 2.3.10 and lower does not support serverctrls and clientctrls for rename_s operation. Do not use these options until really needed. In that time, we may put a requirement in place, that minimal python-ldap version is 2.3.11. Also add a notice explaining why we did this change.
| https://fedorahosted.org/freeipa/ticket/3199
* Avoid uninstalling dependencies during package lifetime | Martin Kosek | 2012-10-25 | 2 | -3/+8
| Requires(pre) only guarantees that package will be present before package scriptlets are run. However, the package can be removed after installation is finished without removing also IPA. Add standard Requires for these dependencies.
| Remove PRE version number from VERSION. This update and following is done on a top of IPA 3.0.0 GA.
* ipa-client-automount: Add the autofs service if it doesn't exist yet | Jakub Hrozek | 2012-10-25 | 1 | -0/+3
| https://fedorahosted.org/freeipa/ticket/3201
* Close connection after each request, avoid NSS shutdown problem. | Rob Crittenden | 2012-10-24 | 2 | -5/+30
| The unit tests were failing when executed against an Apache server in F-18 due to dangling references causing NSS shutdown to fail.
| https://fedorahosted.org/freeipa/ticket/3180
* Fixed incorrect link to browser config after session expiration | Petr Vobornik | 2012-10-24 | 2 | -2/+2
| Fixed typo in message placeholder.
| https://fedorahosted.org/freeipa/ticket/3187
* Make sure the CA is running when starting services | Petr Viktorin | 2012-10-23 | 3 | -61/+162
| - Provide a function for determining the CA status using Dogtag 10's new getStatus endpoint. This must be done over HTTPS, but since our client certificate may not be set up yet, we need HTTPS without client authentication. Rather than copying from the existing http_request and https_request function, shared code is factored out to a common helper.
| - Call the new function when restarting the CA service. Since our Service can only be extended in platform-specific code, do this for Fedora only. Also, the status is only checked with Dogtag 10+.
| - When a restart call in cainstance failed, users were referred to the installation log, but no info was actually logged. Log the exception.
| https://fedorahosted.org/freeipa/ticket/3084
* ipa-replica-install: Use configured IPA DNS servers in forward/reverse resolution check | Petr Viktorin | 2012-10-23 | 1 | -8/+22
| Previously, ipa-replica-install tried to check DNS resolution on the master being cloned. If that master was not a DNS server, the check failed.
| Change the check to query the first available configured DNS server.
| Log about the check before actually running it. Log in the case the check is skipped (no IPA DNS servers installed).
| https://fedorahosted.org/freeipa/ticket/3194
* Improve error messages in ipa-replica-manage. | Rob Crittenden | 2012-10-23 | 1 | -8/+14
| Correctly handle case where we bind using GSSAPI with an unauthorized user.
| Remove extraneous except clause. We now have handle for LDAP errors.
| Make it explicit in a few places what server we can't connect to.
| When the remote replica is down and we are forcing its removal, remove a duplicate entry from the list of servers to remove.
| https://fedorahosted.org/freeipa/ticket/2871
* Make service naming in ipa-server-install consistent | Tomas Babej | 2012-10-22 | 10 | -27/+86
| Forces more consistency into ipa-server-install output. All descriptions of services that are not instances of SimpleServiceInstance are now in the following format:
|     <Description> (<Service Name>)
| Furthermore, start_creation method has been modified to support custom start and end messages. See documentation for more info.
| https://fedorahosted.org/freeipa/ticket/3059
* Refactoring of default.conf man page | Tomas Babej | 2012-10-22 | 1 | -37/+49
| Description for the 'dogtag_version', 'startup_timeout', 'server', 'wait_for_attr' option has been added. Option 'server' has been marked as deprecated, as it is not used anywhere in IPA code. All the options have been sorted lexicographically.
| https://fedorahosted.org/freeipa/ticket/3071
* Report ipa-upgradeconfig errors during RPM upgrade | Martin Kosek | 2012-10-18 | 3 | -4/+20
| Report errors just like with ipa-ldap-updater. These messages should warn user that some parts of the upgrades may have not been successful and he should follow up on them. Otherwise, user may not notice them at all.
| ipa-upgradeconfig now has a new --quiet option to make it output only error level log messages or higher. ipa-upgradeconfig run without options still prints INFO log messages as it can provide a clean overview about its actions (unlike ipa-ldap-updater).
| https://fedorahosted.org/freeipa/ticket/3157
* Add fallback for httpd restarts on sysV platforms | Martin Kosek | 2012-10-18 | 1 | -0/+17
| httpd init script on sysV based platforms cannot guarantee that two consecutive httpd service restarts succeed when run in a small time distance.
| Add fallback procedure that adds additional waiting time after such failed restart attempt, and then try to stop and start the service again.
| https://fedorahosted.org/freeipa/ticket/2965
* Create reverse zone in unattended mode | Martin Kosek | 2012-10-19 | 2 | -2/+6
| Previous fix for ticket #3161 caused ipa-{server,dns}-install to skip creation of reverse zone when running in unattended mode. Make sure that reverse zone is created also in unattended mode (unless --no-reverse is specified).
| https://fedorahosted.org/freeipa/ticket/3161
* Fix requesting certificates that contain subject altnames. | Rob Crittenden | 2012-10-19 | 1 | -0/+1
| https://fedorahosted.org/freeipa/ticket/3184
* Simpler instructions to generate certificate | Petr Vobornik | 2012-10-19 | 2 | -2/+2
| Instructions to generate certificate were simplified.
| New instructions:
| 1) Create a certificate database or use an existing one. To create a new database:
|    # certutil -N -d <database path>
| 2) Create a CSR with subject CN=<hostname>,O=<realm>, for example:
|    # certutil -R -d <database path> -a -g <key size> -s 'CN=dev.example.com,O=DEV.EXAMPLE.COM'
| 3) Copy and paste the CSR (from -----BEGIN NEW CERTIFICATE REQUEST----- to -----END NEW CERTIFICATE REQUEST-----) into the text area below:
| https://fedorahosted.org/freeipa/ticket/3056
* log dogtag errors | John Dennis | 2012-10-19 | 1 | -20/+48
| If we get an error from dogtag we always did raise a CertificateOperationError exception with a message describing the problem. Unfortunately that error message did not go into the log, just sent back to the caller. The fix is to format the error message and send the same message to both the log and use it to initialize the CertificateOperationError exception. This is done in the utility method raise_certificate_operation_error().
| https://fedorahosted.org/freeipa/ticket/2622
* Forbid overlapping primary and secondary rid ranges | Tomas Babej | 2012-10-19 | 2 | -20/+211
| Commands ipa idrange-add / idrange-mod no longer allows the user to enter primary or secondary rid range such that has non-zero intersection with primary or secondary rid range of another existing id range, as this could cause collision.
| Unit tests added to test_range_plugin.py
| https://fedorahosted.org/freeipa/ticket/3086
* ipautil.run: Log the command line before running the command | Petr Viktorin | 2012-10-17 | 1 | -6/+11
| When the user interrupts a long-running command, this ensures that the command is logged. Also, when watching log files (or the -d output), it's apparent what's being done.
| https://fedorahosted.org/freeipa/ticket/3174
* extdom: handle INP_POSIX_UID and INP_POSIX_GID requests | Sumit Bose | 2012-10-18 | 1 | -6/+32
| Fixes https://fedorahosted.org/freeipa/ticket/3166
* Fix various issues found by Coverity | Sumit Bose | 2012-10-17 | 6 | -12/+22
* Add support for using AES for cross-realm TGTs | Simo Sorce | 2012-10-17 | 1 | -1/+10
* Warn about DNA plugin configuration when working with local ID ranges | Alexander Bokovoy | 2012-10-17 | 1 | -1/+22
| https://fedorahosted.org/freeipa/ticket/3116
* Don't configure a reverse zone if not desired in interactive installer. | Rob Crittenden | 2012-10-17 | 2 | -3/+3
| A reverse zone was always configured in the interactive installer even if you answered "no" to the reverse zone question. The only way to not configure it was the --no-reverse option.
| https://fedorahosted.org/freeipa/ticket/3161
* Add uninstall command hints to ipa-*-install | Nikolai Kondrashov | 2012-10-16 | 3 | -7/+11
| Add uninstall command to the uninstall instructions in the "already installed" responses of ipa-server-install, ipa-client-install and ipa-replica-install.
| https://fedorahosted.org/freeipa/ticket/3065
* Remove bogus check for smbpasswd | Alexander Bokovoy | 2012-10-16 | 1 | -2/+2
| We don't use smbpasswd when configuring IPA for AD trusts anymore because we switched to use Kerberos authentication in IPA passdb backend based on CIFS service keytab.
| https://fedorahosted.org/freeipa/ticket/3181
* Use TLS for CA replication | Rob Crittenden | 2012-10-15 | 1 | -1/+1
| https://fedorahosted.org/freeipa/ticket/3162
* Become IPA 3.0.0 [release-3-0-0] | Rob Crittenden | 2012-10-11 | 1 | -1/+1
* Use PublicError instructions support for trust-add case when domain is not found | Alexander Bokovoy | 2012-10-11 | 1 | -7/+8
| https://fedorahosted.org/freeipa/ticket/3167
* Add instructions support to PublicError | Alexander Bokovoy | 2012-10-11 | 2 | -9/+29
| When long additional text should follow the error message, one can supply instructions parameter to a class derived from PublicError.
| This will cause following text added to the error message:
|     Additional instructions:
|     <additional text>
| `instructions' optional parameter could be a list or anything that coerces into unicode(). List entries will be joined with '\n'.
| https://fedorahosted.org/freeipa/ticket/3167