summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Use custom zonemgr for reverse zonesMartin Kosek2012-09-264-70/+33
| | | | | | | | | | | | | | When DNS is being installed during ipa-{server,dns,replica}-install, forward and reverse zone is created. However, reverse zone was always created with default zonemgr even when a custom zonemgr was passed to the installer as this functionality was missing in function creating reverse zone. Consolidate functions creating forward and reverse zones to avoid code duplication and errors like this one. Reverse zones are now created with custom zonemgr (when entered by user). https://fedorahosted.org/freeipa/ticket/2790
* Make sure external group members are listed for the external groupAlexander Bokovoy2012-09-251-19/+10
| | | | https://fedorahosted.org/freeipa/ticket/2975
* Fix python syntax in ipa-client-automountRob Crittenden2012-09-241-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/3081
* Always handle NotFound error in dnsrecord-modPetr Viktorin2012-09-242-2/+11
| | | | | | | | When there were no updated attrs when modifying a nonexistent DNS record, the error was not handled and caused an internal server error later (old_entry was used uninitialized). https://fedorahosted.org/freeipa/ticket/3055
* Check direct/reverse hostname/address resolution in ipa-replica-installPetr Viktorin2012-09-201-19/+141
| | | | | | | | | | | | | Forward and reverse resolution of the newly created replica is already checked via get_host_name (which calls verify_fqdn). Add the same check for the existing master. Additionally, if DNS is installed on the remote host, check forward and reverse resolution of both replicas using that DNS only (ignoring /etc/hosts). These checks give only warnings and, in interactive installs, a "Continue?" prompt. https://fedorahosted.org/freeipa/ticket/2845
* Update krb5.conf during ipa-adtrust-installSumit Bose2012-09-191-0/+62
| | | | https://fedorahosted.org/freeipa/ticket/2515
* Set master_kdc and dns_lookup_kdc to trueSumit Bose2012-09-195-3/+8
| | | | https://fedorahosted.org/freeipa/ticket/2515
* Improves sssd.conf handling during ipa-client uninstallTomas Babej2012-09-202-17/+110
| | | | | | | | | | | | | | | | | | | | | | | The sssd.conf file is no longer left behind in case sssd was not configured before the installation. However, the patch goes behind the scope of this ticked and improves the handling of sssd.conf during the ipa-client-install --uninstall in general. The current behaviour (well documented in source code) is as follows: - In general, the IPA domain is simply removed from the sssd.conf file, instead of sssd.conf being rewritten from the backup. This preserves any domains added after installation. - If sssd.conf existed before the installation, it is restored to sssd.conf.bkp. However, any IPA domains from pre-installation sssd.conf should have been merged during the installation. - If sssd.conf did not exist before the installation, and no other domains than IPA domain exist in it, the patch makes sure that sssd.conf is moved to sssd.conf.deleted so user experiences no crash during any next installation due to its existence. https://fedorahosted.org/freeipa/ticket/2740
* Document use of external group membershipAlexander Bokovoy2012-09-201-0/+29
|
* Add documentation for 'ipa trust' set of commandsAlexander Bokovoy2012-09-201-2/+58
|
* Fix error messages and use proper ImportError for dcerpc importAlexander Bokovoy2012-09-201-7/+6
|
* validate SID for trusted domain when adding/modifying ID rangeAlexander Bokovoy2012-09-201-3/+28
| | | | https://fedorahosted.org/freeipa/ticket/3087
* Use correct Dogtag port in ipaserver.install.certsPetr Viktorin2012-09-201-2/+2
| | | | | On an instance upgraded from Dogtag 9 to Dogtag 10, ipa-replica-prepare used the wrong port number. Fix that.
* SSHPublicKey.fingerprint_dns_sha1 should return unicode value.Jan Cholasta2012-09-201-1/+1
|
* Fix idrange plugin helpMartin Kosek2012-09-201-4/+4
| | | | | range plugin was renamed to idrange. Update plugin help to reflect this change.
* Use default reverse zone consistentlyMartin Kosek2012-09-197-31/+78
| | | | | | | | | | | | When a new reverse zone is to be generated based on an IP address without a network prefix length, we need to use some default value. While netaddr library default ones (32b for IPv4 and 128b for IPv6) are not very sensible we should use the defaults already applied in installers. That is 24b for IPv6 and 64 for IPv6. Test case has been added to cover the new default. https://fedorahosted.org/freeipa/ticket/2461
* Fix integer validation when boundary value is empty stringPetr Vobornik2012-09-197-3/+171
| | | | | | There was an error in number validation check. If boundary value was an empty string, validation of a number always failed. This patch fixes the problem by not performing the check in these cases. https://fedorahosted.org/freeipa/ticket/3066
* Show trust status in add success notificationPetr Vobornik2012-09-173-6/+29
| | | | | | Web UI notification of 'Add verification step after trust creation' https://fedorahosted.org/freeipa/ticket/2763
* Add verification of the AD trustAlexander Bokovoy2012-09-172-8/+35
| | | | | | | | | | Since we only can perform verification when AD admin credentials are available, report that trust should be verified from the AD side in other cases, including unsuccessful verification. Once trust is added, status of it is never stored anywhere. https://fedorahosted.org/freeipa/ticket/2763
* Only stop the main DS instance when upgrading itPetr Viktorin2012-09-171-5/+10
| | | | | | | | | | | | | | We've been stopping both DS instances (main and PKI) when upgrading. This can happen while the CA is running. In some cases stopping the PKI DS also killed the CA. Only stop the specific instance for upgrades. Also, wait for open ports after the upgrade is complete. The wait was skipped previously. This can prevent bugs if scripts that need a DS are run after the upgrade. https://fedorahosted.org/freeipa/ticket/3083
* Use Dogtag 10 only when it is availablePetr Viktorin2012-09-1724-137/+515
| | | | | | | | | | | Put the changes from Ade's dogtag 10 patch into namespaced constants in dogtag.py, which are then referenced in the code. Make ipaserver.install.CAInstance use the service name specified in the configuration. Uninstallation, where config is removed before CA uninstall, also uses the (previously) configured value. This and Ade's patch address https://fedorahosted.org/freeipa/ticket/2846
* Modifications to install scripts for dogtag 10Ade Lee2012-09-1720-239/+224
| | | | | | | Dogtag 10 uses a new installer, new directory layout and new default ports. This patch changes the ipa install code to integrate these changes. https://fedorahosted.org/freeipa/ticket/2846
* Properly convert DN in ipa-client-installMartin Kosek2012-09-181-1/+1
| | | | | | | | | | | ipa-client-install crashed when IPA server anonymous access was disabled and base DN was thus generated via realm_to_suffix function which, however, returns a DN object and not string. DN was converted to string, ipa-client-install no longer crashes in this scenario. https://fedorahosted.org/freeipa/ticket/3088
* Fix various typos.Yuri Chornoivan2012-09-1821-30/+30
| | | | https://fedorahosted.org/freeipa/ticket/3089
* When deleting a master, try to prevent orphaning other servers.Rob Crittenden2012-09-172-1/+98
| | | | | | | | | | | | | | | | | If you have a replication topology like A <-> B <-> C and you try to delete server B that will leave A and C orphaned. It may also prevent re-installation of a new master on B because the cn=masters entry for it probably still exists on at least one of the other masters. Check on each master that it connects to to ensure that it isn't the last link, and fail if it is. If any of the masters are not up then warn that this could be a bad thing but let the user continue if they want. Add a new option to the del command, --cleanup, which runs the replica_cleanup() routine to completely clean up references to a master. https://fedorahosted.org/freeipa/ticket/2797
* Run the CLEANALLRUV task when deleting a replication agreement.Rob Crittenden2012-09-177-30/+343
| | | | | | | | | | | | This adds two new commands to ipa-replica-manage: list-ruv & clean-ruv list-ruv can be use to list the update vectors the master has configugured clean-ruv can be used to fire off the CLEANRUV task to remove a replication vector. It should be used with caution. https://fedorahosted.org/freeipa/ticket/2303
* Expand Referential Integrity checksMartin Kosek2012-09-1610-5/+445
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Many attributes in IPA (e.g. manager, memberuser, managedby, ...) are used to store DNs of linked objects in IPA (users, hosts, sudo commands, etc.). However, when the linked objects is deleted or renamed, the attribute pointing to it stays with the objects and thus may create a dangling link causing issues in client software reading the data. Directory Server has a plugin to enforce referential integrity (RI) by checking DEL and MODRDN operations and updating affected links. It was already used for manager and secretary attributes and should be expanded for the missing attributes to avoid dangling links. As a prerequisite, all attributes checked for RI must have pres and eq indexes to avoid performance issues. Thus, the following indexes are added: * manager (pres index only) * secretary (pres index only) * memberHost * memberUser * sourcehost * memberservice * managedby * memberallowcmd * memberdenycmd * ipasudorunas * ipasudorunasgroup Referential Integrity plugin is updated to enforce RI for all these attributes. Unit tests covering RI checks for all these attributes were added as well. Note: this update will only fix RI on one master as RI plugin does not check replicated operations. https://fedorahosted.org/freeipa/ticket/2866
* Run index task in ldap updater only when neededMartin Kosek2012-09-161-6/+9
| | | | | | | | | | | | | When LDAP updater detected an update instruction in indexing tree, it run an indexing task and waited until it ends. However, the task was run regardless of the update instruction result. This lead to unnecessary index tasks being defined and waited for which makes the whole LDAP last longer. Execute indexing task only when an index add/update instruction is successful. https://fedorahosted.org/freeipa/ticket/2866
* Amend memberAllowCmd and memberDenyCmd attribute typesMartin Kosek2012-09-162-2/+4
| | | | | | | | | | | Attribute types of attributes designed to hold DN values are not supposed to hold own ORDERING or SUBSTR matching rules (which were even not correct in this case). Update these attributes to only define an EQUALITY rule just like other DN attribute types in IPA. https://fedorahosted.org/freeipa/ticket/2866
* Add attributeTypes to safe schema updaterMartin Kosek2012-09-161-29/+39
| | | | | | | | | | | AttributeType updates are sensitive to case, whitespace or X-ORIGIN mismatch just like ObjectClass attribute which is already being normalized before an update value is compared with update instructions. Expand safe schema updater routine to cover both ObjectClasses and AttributeTypes updates. https://fedorahosted.org/freeipa/ticket/2440
* Fix addattr internal errorMartin Kosek2012-09-162-1/+21
| | | | | | | | | | | When ADD command is being executed and a single-value object attribute is being set with both option and addattr IPA ends up in an internal error. Make better value sanitizing job in this case and let IPA throw a user-friendly error. Unit test exercising this situation is added. https://fedorahosted.org/freeipa/ticket/2429
* ipasam: Fixes build with samba4 rc1Sumit Bose2012-09-142-11/+14
|
* Update the pot file (translation source)Petr Viktorin2012-09-121-1433/+2004
| | | | Generated by running `make update-pot` in install/po
* JSON serialization of long typePetr Vobornik2012-09-131-1/+1
| | | | | | Numbers of long type were incorrectly serialized to JSON as empty strings when using json_serialize function. It caused problem in serialization of metadata for Web UI. This patch is fixing it. Discovered after "Cast DNS SOA serial maximum boundary to long"
* Add --no-ssh option to ipa-client-install to disable OpenSSH client ↵Jan Cholasta2012-09-136-32/+63
| | | | | | | | | configuration. If both --no-ssh and --no-sshd are specified, do not configure the SSH service in SSSD. ticket 3070
* Add the SSH service to SSSD config file before trying to activate it.Jan Cholasta2012-09-131-2/+6
| | | | ticket 3069
* Use temporary key cache for host key in server installationPetr Viktorin2012-09-131-1/+2
| | | | This fixes an oversight in the earlier patch
* Set SELinux default context to unconfined_u:s0-s0:c0.c1023Rob Crittenden2012-09-133-5/+8
| | | | | | | Don't require ipaselinuxdefaultuser to be set. If this is unset then SSSD will use the system default. https://fedorahosted.org/freeipa/ticket/3045
* Make sure selinuxusemap behaves consistently to HBAC ruleTomas Babej2012-09-122-18/+237
| | | | | | | | | Both selinuxusermap-add and selinuxusermap-mod commands now behave consistently in not allowing user/host category or user/host members and HBAC rule being set at the same time. Also adds a bunch of unit tests that check this behaviour. https://fedorahosted.org/freeipa/ticket/2983
* Fix server installationPetr Viktorin2012-09-111-2/+10
| | | | | The fix to ticket #2982 removed a kinit call when the client was installed as part of a master. Re-add the kinit call in this case.
* Prevent opening of multiple dirty dialogs on navigationPetr Vobornik2012-09-121-0/+5
| | | | | | | | Facets which performs AJAX call after update refresh (clear dirty state) after calling callback of dirty dialog. It might lead to multiple openings of dirty dialog. Assuming that calling dirty dialog's callback can be evaluated as "dirty state is gone", we can call reset in the callback to prevent the issue. There will be an incorrect state in the facet for a moment. It will be fixed soon on execute of callback of the refresh AJAX call. It is not an issue because it will happen in background. User will be looking on different facet. https://fedorahosted.org/freeipa/ticket/2667
* ipa-client-install: Obtain host TGT from one specific KDCPetr Viktorin2012-09-101-15/+39
| | | | | | | | | | | | | | | | When clients install, they use kinit to obtain a TGT, which uses DNS to find the KDC to connect to. It might happen that the newly created principal has not replicated to selected KDC yet, making kinit fail and aborting the install. The client sets a temporary krb5 config file while installing via $KRB5_CONFIG. Modify this file so that the kerberos library only uses the specific server we're installing under, and call kinit while it's still in place. Clean up the configure_krb5_conf function to remove unused arguments. For clarity, use keyword arguments when calling it. https://fedorahosted.org/freeipa/ticket/2982
* Reflect API change of SSH store in Web UIPetr Vobornik2012-09-065-19/+11
| | | | | | | | Format of ipasshpubkey in users and hosts changed from BYTES to STR. Web UI no longer gets the value as base64 encoded string in a object. Label was changed to reflect that the key don't have to be plain base64 encoded blob. https://fedorahosted.org/freeipa/ticket/2989
* Use OpenSSH-style public keys as the preferred format of SSH public keys.Jan Cholasta2012-09-0612-90/+464
| | | | | | | | | | | | | | | Public keys in the old format (raw RFC 4253 blob) are automatically converted to OpenSSH-style public keys. OpenSSH-style public keys are now stored in LDAP. Changed sshpubkeyfp to be an output parameter, as that is what it actually is. Allow parameter normalizers to be used on values of any type, not just unicode, so that public key blobs (which are str) can be normalized to OpenSSH-style public keys. ticket 2932, 2935
* Fix some restart script issues found with certificate renewal.Rob Crittenden2012-09-063-1/+20
| | | | | | | | | | | | | | The restart_dirsrv script wasn't initializing the api so the startup_timeout wasn't available. The subsystemCert cert-pki-ca definition was missing so we didn't know which certificate to update in CS.cfg. Add some documentation and a pause between restarts for the renew_ca_cert script so that when the CA subsystem certs are renewed they don't all try to restart the CA at the same time. https://fedorahosted.org/freeipa/ticket/3006
* Trust CLI: mark trust-mod for future useSumit Bose2012-09-071-1/+6
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/2968
* Trust CLI: return more details of added trustSumit Bose2012-09-071-0/+11
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/2971
* Trust CLI: Return more details when searching trustsSumit Bose2012-09-071-0/+13
| | | | Fixes https://fedorahosted.org/freeipa/ticket/2970
* Do not create trust if murmur hash is not available and base-id not givenSumit Bose2012-09-071-6/+5
| | | | Fixes https://fedorahosted.org/freeipa/ticket/3018
* IDRange CLI: Add documentationSumit Bose2012-09-071-2/+127
| | | | Fixes https://fedorahosted.org/freeipa/ticket/2969
generated by cgit (git 2.34.1) at 2025-09-02 19:07:53 +0000