Commit message | Author | Age | Files | Lines
* Delete DNS records in ipa-ca on ipa-csreplica-manage del.
  Jan Cholasta, 2013-04-15, 1 file, -1/+13
  https://fedorahosted.org/freeipa/ticket/3547
* Use A/AAAA records instead of CNAME records in ipa-ca.
  Jan Cholasta, 2013-04-15, 6 files, -53/+142
  https://fedorahosted.org/freeipa/ticket/3547
* Update translations from Transifex
  Petr Viktorin, 2013-04-15, 18 files, -5902/+7895
* Add nfs:NONE to default PAC types only when needed
  Tomas Babej, 2013-04-15, 3 files, -5/+58
  We need to add nfs:NONE as a default PAC type only if there's no other default PAC type for nfs. Adds an update plugin which determines whether the default PAC type for nfs is set and adds the nfs:NONE PAC type accordingly.
  https://fedorahosted.org/freeipa/ticket/3555
* ipa-server-install: correct help text for --external_{cert,ca}_file
  Petr Viktorin, 2013-04-15, 2 files, -7/+7
  The options take PEM certificates, not PKCS#10. This corrects both the --help output and the man page.
  https://fedorahosted.org/freeipa/ticket/3523
* Deprecate HBAC source hosts from CLI
  Ana Krivokapic, 2013-04-12, 9 files, -256/+86
  Hide the commands and options listed below from the CLI, but keep them in the API. When called directly from the API, raise appropriate exceptions informing the user that the functionality has been deprecated.
  Affected commands: hbacrule_add_sourcehost, hbacrule_remove_sourcehost.
  Affected options: sourcehostcategory, sourcehost_host and sourcehost_hostgroup (hbacrule); sourcehost (hbactest).
  https://fedorahosted.org/freeipa/ticket/3528
* Remove any reference to HBAC source hosts from help
  Ana Krivokapic, 2013-04-12, 2 files, -12/+10
  https://fedorahosted.org/freeipa/ticket/3528
* Remove HBAC source hosts from web UI
  Ana Krivokapic, 2013-04-12, 3 files, -94/+0
  https://fedorahosted.org/freeipa/ticket/3528
* Revert "Fix permission_find test error"
  Rob Crittenden, 2013-04-12, 1 file, -0/+1
  This reverts commit f7e27b547547be06f511a3ddfaff8db7d0b7898f.
  This test was failing because we were adding a permission as a member of a role before creating the permission, so no memberof was generated.
* Apply LDAP update files in blocks of 10, as originally designed.
  Rob Crittenden, 2013-04-12, 5 files, -8/+49
  In order to have control over the order that updates are applied a numbering system was created for the update files. These values were not actually used. The updates were sorted by DN length and in most cases this was adequate for proper function. The exception was with roles where in some cases a role was added as a member of a permission before the role itself was added so the memberOf value was never created.
  Now updates are computed and applied in blocks of 10.
  https://fedorahosted.org/freeipa/ticket/3377
* Full system backup and restore
  Rob Crittenden, 2013-04-12, 12 files, -133/+1648
  This will allow one to backup and restore the IPA files and data. This does not cover individual entry restoration.
  http://freeipa.org/page/V3/Backup_and_Restore
  https://fedorahosted.org/freeipa/ticket/3128
* Add missing summary message to dnszone_del
  Ana Krivokapic, 2013-04-11, 2 files, -4/+6
  https://fedorahosted.org/freeipa/ticket/3503
* Fix output for some CLI commands
  Ana Krivokapic, 2013-04-11, 5 files, -19/+21
  Fix output of dnsrecord_del: it now uses output.standard_delete and excludes --all and --raw flags.
  Fix output of sudorule_{add,remove}_option: they now use output.standard_entry and include --all and --raw flags.
  https://fedorahosted.org/freeipa/ticket/3503
* Use only one URL for OCSP and CRL in IPA certificate profile.
  Jan Cholasta, 2013-04-11, 1 file, -45/+14
  https://fedorahosted.org/freeipa/ticket/3552
* Remove 'cn' attribute from idnsRecord and idnsZone objectClasses
  Petr Viktorin, 2013-04-10, 2 files, -1/+2
  A commonName attribute has no meaning in DNS records.
  https://fedorahosted.org/freeipa/ticket/3514
* Fix regression in group type selection in group adder dialog
  Petr Vobornik, 2013-04-10, 1 file, -4/+3
  Refactoring of the radio widget (04325fbb4c64ee4aef6d8c9adf0ff95b8b653101) caused the value to no longer be supplied to the value_change handler.
* Don't show trusts pages when trust is not configured
  Petr Vobornik, 2013-04-10, 3 files, -2/+49
  When trust is not configured trust-config page is raising an error. Trusts search page won't find anything either -> no use for the pages -> hiding.
  https://fedorahosted.org/freeipa/ticket/3333
* Global trust config page
  Petr Vobornik, 2013-04-10, 7 files, -3/+259
  https://fedorahosted.org/freeipa/ticket/3333
* Fix trustconfig-mod primary group error
  Martin Kosek, 2013-04-10, 1 file, -1/+1
  As find_entry_by_attr no longer adds $SUFFIX to the searched base DN, trustconfig-mod could not find the POSIX group when validating the new ipantfallbackprimarygroup value. This patch fixes this regression.
* Fix two failing tests due to missing krb ticket flags
  Rob Crittenden, 2013-04-09, 1 file, -0/+4
* Filter groups by type (POSIX, non-POSIX, external)
  Petr Vobornik, 2013-04-09, 5 files, -3/+151
  Added flag for each groups type: --posix, --nonposix, --external to group-find command.
  Group types:
    * non-POSIX: not posix, not external
    * POSIX: with objectclass posixgroup
    * external: with objectclass ipaexternalgroup
  https://fedorahosted.org/freeipa/ticket/3483
* Do actually stop pki_cad in stop_pkicad instead of starting it.
  Jan Cholasta, 2013-04-09, 1 file, -2/+2
  https://fedorahosted.org/freeipa/ticket/3554
* Run permission target switch action only for visible widgets
  Petr Vobornik, 2013-04-05, 1 file, -1/+1
  Permission details page was incorrectly evaluated as dirty (update button enabled) right after load when permission type={subtree,filter} and some attrs are set. Can be reproduced by opening 'Modify Automount maps' permission.
  The culprit is that attrs widget is populated and dirty-checked even targets where it doesn't belong. Fixed by running target_mapping action only for visible targets.
  https://fedorahosted.org/freeipa/ticket/3527
* spec: detect Kerberos DAL driver ABI change from installed krb5-devel
  Alexander Bokovoy, 2013-04-04, 1 file, -2/+10
  Find out Kerberos middle version to infer ABI changes in DAL driver. We cannot load DAL driver into KDC with wrong ABI.
  This is also needed to support ipa-devel repository where krb5 1.11 is available for Fedora 18.
* Add ipakrbokasdelegate option to service and host Web UI pages
  Petr Vobornik, 2013-04-04, 8 files, -5/+45
  https://fedorahosted.org/freeipa/ticket/3329
* Remove CA cert on client uninstall
  Ana Krivokapic, 2013-04-04, 1 file, -0/+9
  The CA cert (/etc/ipa/ca.crt) was not being removed on client uninstall, causing failure on subsequent client installation in some cases.
  https://fedorahosted.org/freeipa/ticket/3537
* Display full command documentation in online help
  Petr Viktorin, 2013-04-03, 2 files, -1/+28
  ipa <command> -h only showed the summary string, not the full help. Use the full docstring.
  Add a custom help formatter that disables optparse's reformatting.
  Test included
  https://fedorahosted.org/freeipa/ticket/3543
* Become 3.2.0 Prerelease 1 (tag: release-3-2-0-pre1)
  Martin Kosek, 2013-04-02, 1 file, -3/+3
* Improve DNAME record validation
  Martin Kosek, 2013-04-02, 2 files, -12/+102
  Extend DNS RR conflict check and forbid DNAME+NS combination unless it is done in root DNS zone record.
  Add tests to verify this enforced check.
  https://fedorahosted.org/freeipa/ticket/3449
* Improve CNAME record validation
  Martin Kosek, 2013-04-02, 2 files, -40/+41
  Refactor DNS RR conflict validator so that it is better extensible in the future. Also check that there is only one CNAME defined for a DNS record.
  PTR+CNAME record combination is no longer allowed as we found out it does not make sense to have this combination.
  https://fedorahosted.org/freeipa/ticket/3450
* Change CNAME and DNAME attributes to single valued
  Martin Kosek, 2013-04-02, 2 files, -2/+4
  These DNS attributeTypes are of a singleton type, update LDAP schema to reflect it.
  https://fedorahosted.org/freeipa/ticket/3440
  https://fedorahosted.org/freeipa/ticket/3450
* Require 389-ds-base 1.3.0.5
  Martin Kosek, 2013-04-02, 1 file, -1/+8
  Pulls the following fixes:
  - upgrade deadlock caused by DNA plugin reconfiguration
  - CVE-2013-1897: unintended information exposure when rootdse is enabled
  https://fedorahosted.org/freeipa/ticket/3540
* Properly handle ipa-replica-install when its zone is not managed by IPA
  Tomas Babej, 2013-04-02, 1 file, -6/+16
  The ipa-replica-install script tries to add replica's A and PTR records to the master DNS, if master does manage DNS. However, master need not manage replica's zone. Properly handle this use case.
  https://fedorahosted.org/freeipa/ticket/3496
* ipa-pwd-extop: do not use dn until it is really set
  Sumit Bose, 2013-04-02, 1 file, -20/+20
  https://fedorahosted.org/freeipa/ticket/3539
* Web UI: Disable cert functionality if a CA is not available
  Petr Vobornik, 2013-04-02, 1 file, -11/+13
  Part of the work for: https://fedorahosted.org/freeipa/ticket/3363
* ipa-client-install: Do not request host certificate if server is CA-less
  Petr Viktorin, 2013-04-02, 1 file, -10/+37
  https://fedorahosted.org/freeipa/ticket/3536
* Do not call cert-* commands in host plugin if a RA is not available
  Petr Viktorin, 2013-04-02, 1 file, -76/+87
  Part of the work for: https://fedorahosted.org/freeipa/ticket/3363
* Load the CA cert into server NSS databases
  Petr Viktorin, 2013-04-02, 6 files, -15/+32
  The CA cert was not loaded, so if it was missing from the PKCS#12 file, installation would fail. Pass the cert filename to the server installers and include it in the NSS DB.
  Part of the work for: https://fedorahosted.org/freeipa/ticket/3363
* Support installing with custom SSL certs, without a CA
  Petr Viktorin, 2013-04-02, 7 files, -31/+217
  Design: http://freeipa.org/page/V3/CA-less_install
  https://fedorahosted.org/freeipa/ticket/3363
* dsinstance, httpinstance: Don't hardcode 'Server-Cert'
  Petr Viktorin, 2013-04-02, 2 files, -12/+22
* Trust CAs from PKCS#12 files even if they don't have Friendly Names
  Petr Viktorin, 2013-04-02, 1 file, -1/+2
  Instead of trusting all certificates with friendly names, now all certs without a "u" flag are trusted as root certs.
* ipaserver.install.certs: Introduce NSSDatabase as a more generic certutil wrapper
  Petr Viktorin, 2013-04-02, 1 file, -95/+191
  The CertDB class was meant to be a wrapper around NSS databases, certutil, pk12util, etc. Unfortunately, over time it grew too dependent on the particular scenarios it is used in.
  Introduce a new class that has no knowledge about IPA configuration, and move generic code to it.
  In the future, generic code should be moved to NSSDatabase, code for the self-signed CA should be removed, and IPA-specific code may stay in CertDB (which calls NSSDatabase).
* Remove unused ipapython.certdb.CertDB class
  Petr Viktorin, 2013-04-02, 1 file, -127/+0
* ipa-server-install: Remove the --selfsign option
  Petr Viktorin, 2013-04-02, 2 files, -44/+33
  Instead, certificates in pkcs12 files can be given to set up IPA with no CA at all.
  Use a flag, setup_ca, to signal if a CA is being installed.
  Design: http://freeipa.org/page/V3/Drop_selfsign
  Part of the work for: https://fedorahosted.org/freeipa/ticket/3494
* ipa-server-install: Make temporary pin files available for the whole installation
  Petr Viktorin, 2013-04-02, 1 file, -37/+21
  We pass names of files with pkcs12 pins to installers which may continue to use the files after the initial call to create_instance, at which point the installer has already removed them. Also, some of the files were not properly removed on failure.
  Use ipautil.write_tmp_file for the pin files, which returns a NamedTemporaryFile object that removes the underlying file when it is garbage-collected.
  Create the files at start of installation. This will allow checking the pkcs#12 files before the system is modified.
* Enhance ipa-adtrust-install for domains with multiple IPA servers
  Alexander Bokovoy, 2013-04-02, 1 file, -8/+36
  As described on http://www.freeipa.org/page/V3/MultipleTrustServers, notice if the FreeIPA server is a replica and adtrust agents contain members corresponding to the cifs/ services from replication partners. Only these servers will be advertised as SMB domain controllers.
  https://fedorahosted.org/freeipa/ticket/2189
* Added Web UI support for service PAC type option: NONE
  Petr Vobornik, 2013-03-29, 3 files, -3/+39
  ipakrbauthzdata accepts [null, 'NONE', 'MS-PAC', 'PAD']
  New nesting feature of radios/checkboxes was used to handle mutual exclusivity between ['MS-PAC', 'PAD'], 'NONE' and ''.
  https://fedorahosted.org/freeipa/ticket/3404
* Nestable checkbox/radio widget
  Petr Vobornik, 2013-03-29, 4 files, -143/+390
  New component: option_widget_base. It's not a regular widget but it shares some of its characteristics. It should extend regular widget or it can be nested in itself alone.
  checkbox_widget, checkboxes_widget, radio_widget were modified to use it.
  Built as a prerequisite for: https://fedorahosted.org/freeipa/ticket/3404
* Add Kerberos ticket flags management to service and host plugins.
  Jan Cholasta, 2013-03-29, 7 files, -15/+207
  https://fedorahosted.org/freeipa/ticket/3329
* ipasam: add enumeration of UPN suffixes based on the realm domains
  Alexander Bokovoy, 2013-03-29, 2 files, -11/+191
  PASSDB API in Samba adds support for specifying UPN suffixes. The change in ipasam will allow passing through the list of realm domains as UPN suffixes so that an Active Directory domain controller will be able to recognize non-primary UPN suffixes as belonging to IPA and properly find our KDC for cross-realm TGT.
  Since Samba already returns primary DNS domain separately, filter it out from list of UPN suffixes.
  Also enclose provider of UPN suffixes into #ifdef to support both Samba with and without pdb_enum_upn_suffixes().
  Part of https://fedorahosted.org/freeipa/ticket/2848