Commit message | Author | Age | Files | Lines
...
* Add ipa-advise plugins for legacy clients | Ana Krivokapic | 2013-08-07 | 8 | -0/+239
    Old versions of SSSD do not directly support cross-realm trusts between IPA and AD. This patch introduces plugins for the ipa-advise tool, which should help with configuring an old version of SSSD (1.5-1.8) to gain access to resources in a trusted domain. Since the configuration steps differ depending on whether the platform includes the authconfig tool, two plugins are needed:
    * config-redhat-sssd-before-1-9 - provides configuration for Red Hat based systems, as these systems include the authconfig utility
    * config-generic-sssd-before-1-9 - provides configuration for other platforms
    https://fedorahosted.org/freeipa/ticket/3671
    https://fedorahosted.org/freeipa/ticket/3672
* Rename slapi-nis configuration variable | Alexander Bokovoy | 2013-08-06 | 1 | -5/+5
* Wrap lines in the list of available advices | Tomas Babej | 2013-08-06 | 1 | -6/+14
    Now the list of available advices is neatly formatted:
    -------------------------
    List of available advices
    -------------------------
    config-fedora-authconfig : Authconfig instructions for configuring Fedora 18/19 client with IPA server without use of SSSD.
    The advice header printing has been reformatted to conform with the changes.
* Add a word wrapping for comment log messages to AdviceLogger | Tomas Babej | 2013-08-06 | 2 | -3/+13
    The comments logged through AdviceLogger are now wrapped up to 70 characters. This change has been documented in the docstrings.
* Remove overlapping use-cases of the same result variable | Tomas Babej | 2013-08-06 | 1 | -4/+4
* Improve help entry for ipa host | Tomas Babej | 2013-08-06 | 2 | -5/+32
    Updates old information produced by the ipa help host command. Also adds a section to ipa-client-install manpage about client re-enrollment.
    https://fedorahosted.org/freeipa/ticket/3820
* Use case-insensitive dict for trusted domain info | Tomas Babej | 2013-08-06 | 1 | -12/+24
    In DomainValidator, we store a dictionary containing information for trusted domains. This is a case-sensitive dictionary keyed by the domain name. We need to use case-insensitive dictionary since domain names are generally case-insensitive.
    https://fedorahosted.org/freeipa/ticket/3816
* Fix installutils.get_password without a TTY | Petr Viktorin | 2013-08-06 | 1 | -1/+7
    If stdin is a TTY, ipaserver.install.installutils uses getpass and all is well. Without a TTY, though, there were two problems:
    * The prompt was not printed
    * On end of file, an empty string was returned, which caused read_password to enter an infinite loop.
    Fix both problems.
    https://fedorahosted.org/freeipa/ticket/3824
* Limit pwpolicy maxlife to 20000 days | Tomas Babej | 2013-08-05 | 3 | -4/+5
    Since krbMaxPwdLife attribute is represented as number of seconds, setting maxlife to high values such as 999 999 days (~2739 years) would result in overflow when parsing this attribute in kdb plugin, and hence default maxlife of 90 days would be applied. Limit the maximum value of maxlife that can be set through the framework to 20 000 days (~ 54 years).
    https://fedorahosted.org/freeipa/ticket/3817
* Update translations | Petr Viktorin | 2013-08-02 | 18 | -1839/+1223
    Regenerate the POT file and pull new translations from Transifex. Also, update the Transifex URL in the configuration file: transifex.net has redirected to transifex.com for some time, and now its certificate has expired.
* Expose ipaRangeType in Web UI | Ana Krivokapic | 2013-07-29 | 3 | -52/+132
    https://fedorahosted.org/freeipa/ticket/3759
* Add the new no_member option to CLI tests | Petr Viktorin | 2013-07-29 | 1 | -0/+7
    This makes the tests pass.
* Honor 'enabled' option for widgets. | Ana Krivokapic | 2013-07-26 | 5 | -57/+93
    https://fedorahosted.org/freeipa/ticket/3793
* Refactor the interactive prompt logic in idrange_add | Tomas Babej | 2013-07-26 | 1 | -27/+34
    Make the interactive prompts interpret the following logic:
    - AD range (dom-sid/dom-name set): require RID base if not set
    - local range (dom-sid/dom-name not set):
      a) server with adtrust support: require both RID base and secondary RID base
      b) server without adtrust support: if any of RID base, secondary RID base set, require both of them
    https://fedorahosted.org/freeipa/ticket/3786
* Use valid LDAP search base in migration plugin | Martin Kosek | 2013-07-26 | 1 | -1/+2
    One find_entry_by_attr call did not set a search base leading to LDAP search call with zero search base. This leads to false negative results from LDAP.
* Skip referrals when converting LDAP result to LDAPEntry | Tomas Babej | 2013-07-26 | 1 | -0/+9
    When converting the result obtained by python-ldap library, we need to skip unresolved referral entries, since they cannot be converted.
    https://fedorahosted.org/freeipa/ticket/3814
* Web UI integration tests: Code quality fixes | Petr Vobornik | 2013-07-26 | 1 | -30/+33
    * variables with python built-in names renamed
    * unused parameters used or removed
    https://fedorahosted.org/freeipa/ticket/3744
* Web UI integration tests: PEP8 fixes | Petr Vobornik | 2013-07-26 | 29 | -186/+176
    Tests modified to comply with PEP8 rules with exception of rule E501 (long lines). Done by autopep8 tool and 2 manual modifications.
    https://fedorahosted.org/freeipa/ticket/3744
* Web UI integration tests: Compute range sizes to avoid overlaps | Petr Vobornik | 2013-07-26 | 2 | -14/+79
    Heavily inspired by code from xmlrpc tests. To obtain ranges, this patch also adds method to execute FreeIPA command through Web UI. It uses Web UI instead of ipalib so it doesn't need to care about authentication on a test-runner machine.
    https://fedorahosted.org/freeipa/ticket/3744
* Web UI integration tests: Verify data after add and mod | Petr Vobornik | 2013-07-26 | 2 | -7/+116
    https://fedorahosted.org/freeipa/ticket/3744
* Web UI integration tests: Add ui_driver method descriptions | Petr Vobornik | 2013-07-26 | 1 | -13/+78
    https://fedorahosted.org/freeipa/ticket/3744
* Web UI integration tests: Add trust tests | Petr Vobornik | 2013-07-26 | 3 | -10/+124
    https://fedorahosted.org/freeipa/ticket/3744
* Free NSS objects in --external-ca scenario | Martin Kosek | 2013-07-26 | 2 | -1/+9
    In external CA installation, ipa-server-install leaked NSS objects which caused an installation crash later when a subsequent call of NSSConnection tried to free them. Properly freeing the NSS objects avoids this crash.
    https://fedorahosted.org/freeipa/ticket/3773
* Change shebang to absolute path in ipa-client-automount | Tomas Babej | 2013-07-25 | 1 | -1/+1
    https://fedorahosted.org/freeipa/ticket/3811
* Remove unused variable | Lukas Slebodnik | 2013-07-25 | 1 | -2/+0
    Variable was set, but it was not used.
* Remove unused variable | Lukas Slebodnik | 2013-07-25 | 1 | -1/+0
* Use right function prototype for thread function | Lukas Slebodnik | 2013-07-25 | 2 | -2/+4
    warning: passing argument from incompatible pointer type
* test_simple_replication: Wait for replication to finish before checking | Petr Viktorin | 2013-07-25 | 3 | -19/+81
    Add ldap_connect() method to Host to allow querying LDAP from tests. Use information in the mapping tree to poll until all replication is finished (or failing) before checking that entries replicated successfully.
* Correct default value of LDAPClient.get_entries scope argument | Petr Viktorin | 2013-07-25 | 1 | -1/+2
* Add tar and xz dependencies to the freeipa-tests package | Petr Viktorin | 2013-07-25 | 1 | -0/+5
    The beakerLib plugin collects log files via compressed tarballs, so these dependencies are needed
* Add the ipa-test-task tool | Petr Viktorin | 2013-07-25 | 3 | -1/+296
    This script makes common testing tasks such as IPA installation and uninstallation available outside of Python.
    https://fedorahosted.org/freeipa/ticket/3721
* Add install_topo to test tasks | Petr Viktorin | 2013-07-25 | 4 | -8/+254
    This allows a cluster of replicas and clients to be installed in a named topology. Several named topologies are available (star, line, complete, tree, tree2) and new ones can be defined as a simple function.
* Add more test tasks | Petr Viktorin | 2013-07-25 | 3 | -17/+42
    - install_client
    - connect_replica
    - disconnect_replica
    - prepare_host
    - kinit_admin
* test_integration: Set up CA on replicas by default | Petr Viktorin | 2013-07-25 | 1 | -6/+11
    For complex topologies the CA needs to be available on most replicas, since only servers with a CA can prepare replica files.
* test_integration: Add log collection to Host | Petr Viktorin | 2013-07-25 | 3 | -23/+36
    This allows collecting logs when a test context is not available.
* Move BeakerLibProcess out of BeakerLibPlugin | Petr Viktorin | 2013-07-25 | 1 | -70/+107
    This allows reusing the code elsewhere
* Move requirement for keyutils to freeipa-python package | Tomas Babej | 2013-07-24 | 1 | -1/+4
    There was already a dependency in server package, however, the correct place for such dependency is in freeipa-python, since the relevant code using keyutils resides there. Both freeipa-server and freeipa-client require freeipa-python.
    https://fedorahosted.org/freeipa/ticket/3808
* Become 3.3.0 Beta 1 [beta_1-3-3-0] | Martin Kosek | 2013-07-24 | 1 | -3/+3
* Bump minimum SSSD version | Martin Kosek | 2013-07-24 | 1 | -1/+5
    Pick up latest SSSD 1.11 Beta development
* Print newline after receiving EOF in installutils.read_password. | Jan Cholasta | 2013-07-24 | 12 | -14/+15
* Ask for PKCS#12 password interactively in ipa-replica-prepare. | Jan Cholasta | 2013-07-24 | 1 | -15/+34
    https://fedorahosted.org/freeipa/ticket/3717
* Ask for PKCS#12 password interactively in ipa-server-install. | Jan Cholasta | 2013-07-24 | 1 | -26/+50
    https://fedorahosted.org/freeipa/ticket/3717
* Remove word 'field' from GECOS param label | Petr Vobornik | 2013-07-23 | 4 | -11/+11
    No other param/field has 'field' in a label.
* Break long words in notification area | Petr Vobornik | 2013-07-23 | 1 | -0/+1
    Long words (i.e. service principal) break out of notification area. It doesn't look good. Patch adds word-wrap to break them to multiple pieces.
* IPA KDB MS-PAC: remove unused variable | Jakub Hrozek | 2013-07-23 | 1 | -1/+0
* IPA KDB MS-PAC: return ENOMEM if allocation fails | Jakub Hrozek | 2013-07-23 | 1 | -0/+1
* ipaserver/dcerpc: attempt to resolve SIDs through SSSD first | Alexander Bokovoy | 2013-07-23 | 2 | -7/+47
    Attempt to resolve SIDs through SSSD first to avoid using trust account password. This makes it possible to run HBAC test requests without being in 'trusted admins' group.
    https://fedorahosted.org/freeipa/ticket/3803
* Use AD LDAP probing to create trusted domain ID range | Tomas Babej | 2013-07-23 | 4 | -53/+231
    When creating a trusted domain ID range, probe AD DC to get information about ID space leveraged by POSIX users already defined in AD, and create an ID range with according parameters.
    For more details:
    http://www.freeipa.org/page/V3/Use_posix_attributes_defined_in_AD
    https://fedorahosted.org/freeipa/ticket/3649
* ipa-kdb: reinit mspac on HTTP TGT acquisition to aid trust-add case | Alexander Bokovoy | 2013-07-23 | 3 | -6/+29
    When trust is established, we also create idrange for the trusted domain. With FreeIPA 3.3 these ranges can have different types, and in order to detect which one to create, we need to do lookup at AD LDAP server.
    Such lookup requires authenticated bind. We cannot bind as user because IPA framework operates under constrained delegation using the user's credentials and allowing HTTP/ipa.server@REALM to impersonate the user against trusted domain's services would require two major things:
    - first, as we don't really know exact AD LDAP server names (any AD DC can be used), constrained delegation would have to be defined against a wild-card
    - second, constrained delegation requires that target principal exists in IPA LDAP as DN.
    These two together limit use of user's ticket for the purpose of IPA framework looking up AD LDAP.
    Additionally, immediately after trust is established, issuing TGT with MS-PAC to HTTP/ipa.server@REALM may fail due to the fact that KDB driver did not yet refresh its list of trusted domains -- we have limited refresh rate of 60 seconds by default.
    This patch makes it possible to force re-initialization of trusted domains' view in KDB driver if we are asked for TGT for HTTP/ipa.server@REALM.
    We will need to improve refresh of trusted domains' view in KDB driver in future to notice changes in cn=etc,$SUFFIX tree automatically. This improvement is tracked in https://fedorahosted.org/freeipa/ticket/1302 and https://fedorahosted.org/freeipa/ticket/3626
    Part of https://fedorahosted.org/freeipa/ticket/3649
* ipa-kdb: cache KDC hostname on startup | Alexander Bokovoy | 2013-07-23 | 3 | -6/+19
    We need KDC hostname for several purposes:
    - short-circuit detection of principals on the same server as KDC
    - generating NetBIOS name
    Make sure we cache hostname information on startup and use it instead of detecting the hostname in run-time.
    This will miss the case that KDC hostname got changed but such cases are not supported anyway without restarting KDC and making changes to principals.