summaryrefslogtreecommitdiffstats
path: root/install
Commit message (Collapse)AuthorAgeFilesLines
* Sanitize UDP checks in conncheckMartin Kosek2012-02-261-20/+38
| | | | | | | | | | | | | | | | | | UDP port checks in ipa-replica-conncheck always returns OK even if they are closed by a firewall. They cannot be reliably checked in the same way as TCP ports as there is no session management as in TCP protocol. We cannot guarantee a response on the checked side without our own echo server bound to checked port. This patch removes UDP port checks in replica->master direction as we would have to implement (kerberos) protocol-wise check to make the other side actually respond. A list of skipped ports is printed for user. Direction master->replica was fixed and now it is able to report error when the port is blocked. https://fedorahosted.org/freeipa/ticket/2062
* Make sure 389-ds is running when adding memcache service in upgrade.Rob Crittenden2012-02-261-0/+4
| | | | | | | Adding the memcache service requires 389-ds to be running because we add an entry to cn=masters. https://fedorahosted.org/freeipa/ticket/2411
* Remove unused kpasswd.keytab and ldappwd files if they exist.Rob Crittenden2012-02-271-0/+14
| | | | | | These were used by ipa_kpasswd and krb5-server-ldap respectivily. https://fedorahosted.org/freeipa/ticket/2397
* Check for duplicate winsync agreement before trying to set one up.Rob Crittenden2012-02-271-13/+15
| | | | | | | | | We currently only support a single winsync agreement so all we need to do is check to see if we have one with the remote host. This also adds some minor exception handling cleanup. https://fedorahosted.org/freeipa/ticket/2130
* Fix managing winsync replication agreements with ipa-replica-manageRob Crittenden2012-02-271-42/+63
| | | | | | | | | | | | force-sync, re-initialize and del were not working because they all attempted to contact the AD server. winsync agreements are managed on the local 389-ds instance. This also: - requires root to create winsync agreement (for updating NSS db) - fixes filter in get_replication_agreement() to work with winsync https://fedorahosted.org/freeipa/ticket/2128
* Global DNS optionsMartin Kosek2012-02-242-0/+4
| | | | | | | | | | | | Implement API for DNS global options supported in bind-dyndb-ldap. Currently, global DNS option overrides any relevant option in named.conf. Thus they are not filled by default they are left as a possibility for a user. Bool encoding had to be fixed so that Bool LDAP attribute can also be deleted and not just set to True or False. https://fedorahosted.org/freeipa/ticket/2216
* Update schema for bind-dyndb-ldapMartin Kosek2012-02-243-2/+82
| | | | | | | | | | | Add new attributes and objectclasses to support new features: - global bind-dyndb-ldap settings in LDAP - conditional per-zone forwarding - per-zone configuration of automatic PTR updates - AllowQuery and AllowTransfer ACIs https://fedorahosted.org/freeipa/ticket/2215 https://fedorahosted.org/freeipa/ticket/2072
* Don't allow "Modify Group membership" permission to manage adminsRob Crittenden2012-02-232-1/+5
| | | | | | | | The permission "Modify Group membership" is used to delegate group management responsibilities. We don't want that to include managing the admins group. https://fedorahosted.org/freeipa/ticket/2416
* update translation pot fileJohn Dennis2012-02-211-235/+240
|
* pulled new po files from TransifexJohn Dennis2012-02-2123-87604/+86410
|
* Update pot file and list of explicit Python files needing translationJohn Dennis2012-02-212-1339/+2082
|
* Added missing configuration optionsPetr Voborník2012-02-203-0/+22
| | | | | | | | | | Missing options were added to Web UI's IPA Server/Configuration page. * ipaconfigstring * ipaselinuxusermaporder * ipaselinuxusermapdefault https://fedorahosted.org/freeipa/ticket/2285 https://fedorahosted.org/freeipa/ticket/2400
* Fixed problem when attributes_widget was displaying empty optionPetr Voborník2012-02-201-1/+6
| | | | | | Attribute table was modified to skip creation of option for empty value. https://fedorahosted.org/freeipa/ticket/2291
* Limit the change password permission so it can't change admin passwordsRob Crittenden2012-02-202-1/+6
| | | | | | | We don't want those in the helpdesk role to be able to reset administrators passwords. https://fedorahosted.org/freeipa/ticket/2271
* Make ipausers a non-posix group on new installsPetr Viktorin2012-02-191-2/+0
| | | | | | | | | https://fedorahosted.org/freeipa/ticket/2238 It doesn't make a lot of sense for ipausers to be a posix group and we will save a few cycles in compat and sssd by making it non-posix. This is for new installs only.
* Ease zonemgr restrictionsMartin Kosek2012-02-204-4/+4
| | | | | | | | | | | | Admin e-mail validator currently requires an email to be in a second-level domain (hostmaster@example.com). This is too restrictive. Top level domain e-mails (hostmaster@testrelm) should also be allowed. This patch also fixes default zonemgr value in help texts and man pages. https://fedorahosted.org/freeipa/ticket/2272
* Use FQDN in place of FQHN for consistency in sub_dict.Rob Crittenden2012-02-152-3/+3
| | | | | | | For some reason lost to history the sub_dict in dsinstance and cainstance used FQHN instead of FQDN. This made upgrade scripts not work reliably as the variable might be different depending on context. Use FQDN universally instead.
* Configure ipa_memcached when a replica is installed.Rob Crittenden2012-02-161-0/+4
| | | | https://fedorahosted.org/freeipa/ticket/2401
* Enable ipa_memcached when upgradingRob Crittenden2012-02-162-0/+13
| | | | | | | | | | Add support for autobind to services. This is a bit of a special case so I currently require the caller to specify ldapi separately. It only makes sense to do this only in upgrade cases. Also uninstall ipa_memcached when uninstalling the server. https://fedorahosted.org/freeipa/ticket/2399
* Add S4U2Proxy delegation permissions on upgradesRob Crittenden2012-02-151-0/+6
| | | | https://fedorahosted.org/freeipa/ticket/2396
* Remove Apache ccache on upgrade.Rob Crittenden2012-02-151-0/+4
| | | | | | | Make this removal a common function that can be shared between installer and upgrade tool. https://fedorahosted.org/freeipa/ticket/2395
* Correct update syntax in 30-s4u2proxy.updateRob Crittenden2012-02-151-1/+1
| | | | | | | Always have FQDN available in the update dictionary. There were cases where it would contain the ldapi socket path and not the FQDN. https://fedorahosted.org/freeipa/ticket/2147
* Update S4U2proxy delegation list when creating replicasRob Crittenden2012-02-153-1/+11
|
* Don't set delegation flag in client, we're using S4U2Proxy nowRob Crittenden2012-02-151-1/+1
| | | | | | | | | | | | A forwardable ticket is still required but we no longer need to send the TGT to the IPA server. A new flag, --delegate, is available if the old behavior is required. Set the minimum n-v-r for mod_auth_kerb and krb5-server to pick up needed patches for S4U2Proxy to work. https://fedorahosted.org/freeipa/ticket/1098 https://fedorahosted.org/freeipa/ticket/2246
* Stop and uninstall ipa_kpasswd on upgrade, fix dbmodules in krb5.confRob Crittenden2012-02-151-1/+63
| | | | | | | | | | | The ipa_kpasswd service was deprecated in 2.2, replaced by kadmin. On upgrade it will be left running by the previous installation, we need to stop it and uninstall the service. The dbmodules section needs to reflect that we're now using the new IPA kdb backend instead of the standard MIT ldap backend. https://fedorahosted.org/freeipa/ticket/2341
* Add update file for new schema in v2.2/3.0Rob Crittenden2012-02-152-0/+7
| | | | https://fedorahosted.org/freeipa/ticket/2147
* Add update files for SELinuxUserMapRob Crittenden2012-02-153-2/+53
| | | | https://fedorahosted.org/freeipa/ticket/2344
* Redirection to PTR records from A,AAAA recordsPetr Voborník2012-02-152-2/+244
| | | | | | | | | | | | | | | | | | | Address column in A, AAAA DNS records was exented of redirection capabilities. Redirection dialog is shown after a click on a value. Dialog does following steps: 1) fetch all dns zones 2) find most accurate reverse zone for IP address 2 -fail) show error message, stop 3) checks if target record exists in the zone 3 -fail) show 'dns record create link', stop 4) redirects Click on 'dns record create link': 1) creates record 1 -fail) show error, stop 2) redirects https://fedorahosted.org/freeipa/ticket/1975
* UI support for ssh keysPetr Voborník2012-02-1514-26/+358
| | | | | | | | To user and host details pages was added ipasshpubkey attribute. New widget for ssh public keys was created. https://fedorahosted.org/freeipa/ticket/2340
* Configure ssh and sshd during ipa-client-install.Jan Cholasta2012-02-134-0/+28
| | | | | | | | | | | For ssh, VerifyHostKeyDNS option is set to 'yes' if --ssh-trust-dns ipa-client-install option is used. For sshd, KerberosAuthentication, GSSAPIAuthentication and UsePAM options are enabled (this can be disabled using --no-sshd ipa-client-install option). ticket 1634
* Update host SSH public keys on the server during client install.Jan Cholasta2012-02-134-2/+18
| | | | | | | | This is done by calling host-mod to update the keys on IPA server and nsupdate to update DNS SSHFP records. DNS update can be disabled using --no-dns-sshfp ipa-client-install option. https://fedorahosted.org/freeipa/ticket/1634
* Add LDAP ACIs for SSH public key schema.Jan Cholasta2012-02-134-0/+52
| | | | https://fedorahosted.org/freeipa/ticket/754
* Add LDAP schema for SSH public keys.Jan Cholasta2012-02-135-0/+29
| | | | https://fedorahosted.org/freeipa/ticket/754
* Removed question marks from field labelsPetr Voborník2012-02-141-2/+2
| | | | | | | In user group adder dialog, the "Is this a POSIX group?" was replaced with "POSIX group". In host search facet, the "Enrolled?" was replaced with "Enrolled". https://fedorahosted.org/freeipa/ticket/2353
* Fixed entity link disablingPetr Vobornik2012-02-141-2/+6
| | | | | | | | | | Problem: Entity link (eg: to hosts in dns record or to dns record in host) is not changing its state when linked record doesn't exist. The link can remain wrongly enabled from previous state. Fixed: The link is disabled when target doesn't exist. https://fedorahosted.org/freeipa/ticket/2364
* Fixed ipa.js for sessions.Endi S. Dewata2012-02-091-8/+9
| | | | | | | | | | The patch fixes a problem in error_handler_login() when it gets an error other than 401. The login_url is not needed for fixtures because it does not need authentication. The patch also fixes jslint warnings and formatting issues.
* add session manager and cache krb authJohn Dennis2012-02-092-8/+82
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds a session manager and support for caching authentication in the session. Major elements of the patch are: * Add a session manager to support cookie based sessions which stores session data in a memcached entry. * Add ipalib/krb_utils.py which contains functions to parse ccache names, format principals, format KRB timestamps, and a KRB_CCache class which reads ccache entry and allows one to extract information such as the principal, credentials, credential timestamps, etc. * Move krb constants defined in ipalib/rpc.py to ipa_krb_utils.py so that all kerberos items are co-located. * Modify javascript in ipa.js so that the IPA.command() RPC call checks for authentication needed error response and if it receives it sends a GET request to /ipa/login URL to refresh credentials. * Add session_auth_duration config item to constants.py, used to configure how long a session remains valid. * Add parse_time_duration utility to ipalib/util.py. Used to parse the session_auth_duration config item. * Update the default.conf.5 man page to document session_auth_duration config item (also added documentation for log_manager config items which had been inadvertantly omitted from a previous commit). * Add SessionError object to ipalib/errors.py * Move Kerberos protection in Apache config from /ipa to /ipa/xml and /ipa/login * Add SessionCCache class to session.py to manage temporary Kerberos ccache file in effect for the duration of an RPC command. * Adds a krblogin plugin used to implement the /ipa/login handler. login handler sets the session expiration time, currently 60 minutes or the expiration of the TGT, whichever is shorter. It also copies the ccache provied by mod_auth_kerb into the session data. The json handler will later extract and validate the ccache belonging to the session. * Refactored the WSGI handlers so that json and xlmrpc could have independent behavior, this also moves where create and destroy context occurs, now done in the individual handler rather than the parent class. * The json handler now looks up the session data, validates the ccache bound to the session, if it's expired replies with authenicated needed error. * Add documentation to session.py. Fully documents the entire process, got questions, read the doc. * Add exclusions to make-lint as needed.
* Add ipa_memcached serviceJohn Dennis2012-02-091-0/+4
| | | | | | | | | | | | | | | | | | | | | | | * Adds ipa_memcached SystemV initscript * Adds ipa_memcached service file and tmpfiles.d/ipa.conf to recreate /var/run/ipa_memcached on reboot. * Adds ipa_memcached config file * Adds memcacheinstnace.py to manage ipa_memcaced as as SimpleService object. * Updates the IPA service list to include ipa_memcached, at service positon 39, httpd is position 40 * Updates the spec file: - requires the memcached daemon and python client - installs service or initscripts depending on OS - installs config file - creates /var/run/ipa_memcached directory * Modifies ipa-server-install to install ipa_memcached
* Remove delegation from browser configAdam Young2012-02-071-1/+0
|
* Remove unused options from ipa-managed-entriesMartin Kosek2012-02-071-3/+0
| | | | | | | ipa-managed-entries contain auto-generated options that are not used in the script and may just confuse users. Remove them. https://fedorahosted.org/freeipa/ticket/2347
* Fix/add options in ipa-managed-entries man pagePetr Viktorin2012-02-071-2/+5
| | | | | | | * The --entry option was wrongly listed as --entries; fix that. https://fedorahosted.org/freeipa/ticket/2277 * Add the --help option
* Automember UI - Fixed I18n labelsPetr Voborník2012-02-073-19/+34
| | | | | | | Hard-coded labels in Automember UI have been moved into internal.py to allow translation. https://fedorahosted.org/freeipa/ticket/2195
* Automember UI - default groupsPetr Voborník2012-02-079-2/+315
| | | | | | | | In this patch was implemented and added a control for defining default automember groups. There is a difference from UXD spec. In the spec the control was placed below table in the search facet. This was not working well with the combobox in the control. Open combobox requires some space below it. As it was placed at the bottom of the page it created unwanted blank space and forced showing scrollbars. Moving the control above the table solves the problem without rewriting combobox logic. It can be rewritten and moved down later. https://fedorahosted.org/freeipa/ticket/2195
* Fix 'no-reverse' option descriptionOndrej Hamada2012-02-024-4/+4
| | | | | | | The description of 'no-reverse' option was fixed in both code and manpages of ipa-replica-install and ipa-dns-install. https://fedorahosted.org/freeipa/ticket/2161
* Automember UIPetr Voborník2012-02-0116-4/+1039
| | | | | | | | | | | | | | | | New UI for automember. Implemented: * search facet core * rule details facet * attribute_table_widget - new base class for tables which contains multivalued attribute with special add/remove commands * adding/removing conditions in details facet TODO: * label translations * UI for defining default rules https://fedorahosted.org/freeipa/ticket/2195
* Navigation and redirection to various facetsPetr Voborník2012-02-013-33/+95
| | | | | | | | | | | | In current implementation target facet of navigation(from menu) and redirection is always one exact facet per entity. There isn't a way to navigate to different facet from menu or redirect to different facets from various facets. This patch adds: * possibility to define menu items which can navigate to different facets of various entities. This also means that now current menu tree can contain leafs with the same entity. * possibility to define redirection target per facet - it is needed to keep breadcrumb navigation consistent with various navigation tree patch leading to same entity leafs. This functionality is needed for Automember UI. Automember UI is designed as if it was for two entities but it is in fact only one. https://fedorahosted.org/freeipa/ticket/2195
* Show password expiration date.Endi Sukma Dewata2012-02-016-54/+77
| | | | | | | | | | | The user details page was modified to show the password expiration date next to the existing password field. Fixed problem resetting password in self-service mode. The JSON interface for the passwd command requires the username to be specified although the equivalent CLI command doesn't require it. Ticket #2064
* Use fixed font when displaying certificate.Endi Sukma Dewata2012-02-012-10/+16
| | | | | | | The textareas used to display certificates were modified to use fixed font. Ticket #2017
* Hide Add/Delete buttons in self-service mode.Endi Sukma Dewata2012-02-011-0/+7
| | | | | | | Users do not have add/delete permission in self-service mode, so the search facet was modified to hide the Add/Delete buttons. Ticket #2188
* Added icons for status column.Endi Sukma Dewata2012-02-0111-28/+61
| | | | | | | | | | | The status formatter was modified to show enabled/disabled icon before the status text. The format classes were renamed to formatter to avoid confusion with the format() method. A new parameter 'type' was added to the formatter to determine the output type (e.g. text/html). Ticket #1996
generated by cgit (git 2.34.1) at 2024-09-22 18:35:41 +0000