| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Adjust URL's
- rename /ipa/login -> /ipa/session/login_kerberos
- add /ipa/session/login_password
* Adjust Kerberos protection on URL's in ipa.conf
* Bump VERSION in httpd ipa.conf to pick up session changes.
* Adjust login URL in ipa.js
* Add InvalidSessionPassword to errors.py
* Rename krblogin class to login_kerberos for consistency with
new login_password class
* Implement login_password.kinit() method which invokes
/usr/bin/kinit as a subprocess
* Add login_password class for WSGI dispatch, accepts POST
application/x-www-form-urlencoded user & password
parameters. We form the Kerberos principal from the server's
realm.
* Add function krb5_unparse_ccache()
* Refactor code to share common code
* Clean up use of ccache names, be consistent
* Replace read_krbccache_file(), store_krbccache_file(), delete_krbccache_file()
with load_ccache_data(), bind_ipa_ccache(), release_ipa_ccache().
bind_ipa_ccache() now sets environment KRB5CCNAME variable.
release_ipa_ccache() now clears environment KRB5CCNAME variable.
* ccache names should now support any ccache storage scheme,
not just FILE based ccaches
* Add utilies to return HTTP status from wsgi handlers,
use constants for HTTP status code for consistency.
Use utilies for returning from wsgi handlers rather than
duplicated code.
* Add KerberosSession.finalize_kerberos_acquisition() method
so different login handlers can share common code.
* add Requires: krb5-workstation to server (server now calls kinit)
* Fix test_rpcserver.py to use new dispatch inside route() method
https://fedorahosted.org/freeipa/ticket/2095
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously sessions expired after session_auth_duration had elapsed
commencing from the start of the session. We new support a "rolling"
expiration where the expiration is advanced by session_auth_duration
everytime the session is accessed, this is equivalent to a inactivity
timeout. The expiration is still constrained by the credential
expiration in all cases. The session expiration behavior is
configurable based on the session_auth_duration_type.
* Reduced the default session_auth_duration from 1 hour to 20 minutes.
* Replaced the sesssion write_timestamp with the access_timestamp and
update the access_timestamp whenever the session data is created,
retrieved, or written.
* Modify set_session_expiration_time to handle both an inactivity
timeout and a fixed duration.
* Introduce KerberosSession as a mixin class to share session
duration functionality with all classes manipulating session data
with Kerberos auth. This is both the non-RPC login class and the RPC
classes.
* Update make-lint to handle new classes.
* Added session_auth_duration_type config item.
* Updated default.conf.5 man page for new session_auth_duration_type item.
* Removed these unused config items: mount_xmlserver,
mount_jsonserver, webui_assets_dir
https://fedorahosted.org/freeipa/ticket/2392
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Increase the session ID from 48 random bits to 128.
* Implement the sesison_logout RPC command. It permits the UI to send
a command that destroys the users credentials in the current
session.
* Restores the original web URL's and their authentication
protections. Adds a new URL for sessions /ipa/session/json. Restores
the original Kerberos auth which was for /ipa and everything
below. New /ipa/session/json URL is treated as an exception and
turns all authenticaion off. Similar to how /ipa/ui is handled.
* Refactor the RPC handlers in rpcserver.py such that there is one
handler per URL, specifically one handler per RPC and AuthMechanism
combination.
* Reworked how the URL names are used to map a URL to a
handler. Previously it only permitted one level in the URL path
hierarchy. We now dispatch on more that one URL path component.
* Renames the api.Backend.session object to wsgi_dispatch. The use of
the name session was historical and is now confusing since we've
implemented sessions in a different location than the
api.Backend.session object, which is really a WSGI dispatcher, hence
the new name wsgi_dispatch.
* Bullet-proof the setting of the KRB5CCNAME environment
variable. ldap2.connect already sets it via the create_context()
call but just in case that's not called or not called early enough
(we now have other things besides ldap which need the ccache) we
explicitly set it early as soon as we know it.
* Rework how we test for credential validity and expiration. The
previous code did not work with s4u2proxy because it assumed the
existance of a TGT. Now we first try ldap credentials and if we
can't find those fallback to the TGT. This logic was moved to the
KRB5_CCache object, it's an imperfect location for it but it's the
only location that makes sense at the moment given some of the
current code limitations. The new methods are KRB5_CCache.valid()
and KRB5_CCache.endtime().
* Add two new classes to session.py AuthManager and
SessionAuthManager. Their purpose is to emit authication events to
interested listeners. At the moment the logout event is the only
event, but the framework should support other events as they arise.
* Add BuildRequires python-memcached to freeipa.spec.in
* Removed the marshaled_dispatch method, it was cruft, no longer
referenced.
https://fedorahosted.org/freeipa/ticket/2362
|
| |
|
|
|
|
| |
Apply this to hostgroup names as well since they can be linked.
https://fedorahosted.org/freeipa/ticket/2221
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
SSH public key support includes a feature to automatically add/update
client SSH fingerprints in SSHFP records. However, the update won't
work for zones created before this support was added as they don't
allow clients to update SSHFP records in their update policies.
This patch lets dns upgrade module extend the original policy
to allow the SSHFP dynamic updates. It updates only original
policy, we don't want it to overwrite custom user policies.
https://fedorahosted.org/freeipa/ticket/2394
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adding reverse DNS record may be a time consuming task, especially
for IPv6 addresses. Having a way to automatically create a reverse
record when a forward record is created could speed up the process.
host-add command already has this possibility.
This patch takes advantage of the new per-type API and adds new
options for A/AAAA record types: --a-create-reverse and
--aaaa-create-reverse. These commands can be used to automatically
create reverse records for new A/AAAA addresses (both forward
and reverse zones need to be managed by FreeIPA server):
ipa dnsrecord-add example.com foo --a-rec=10.0.0.1 --a-create-reverse
This command would add a new A record to record foo in zone
example.com and a PTR record to appropriate reverse zone for
IP address 10.0.0.1 (for example PTR record 1 in zone
0.0.10.in-addr.arpa. pointing to foo.example.com.).
Few modification were done to new DNS API to support this feature:
- Refactor --ip-address option handling from host-add and place it
to dns.py to be used by both modules
- Add support for "extra" per-type options
- Hide DNS record part options in dnsrecord_find command as they
have no effect for this command
https://fedorahosted.org/freeipa/ticket/2009
|
| |
|
|
|
|
|
|
|
| |
We verify user and group default objectclasses when changing them
to be sure that required objectclasses aren't being dropped. We need
to ignore virtual attributes or it will raise an error because they
aren't defined in schema.
https://fedorahosted.org/freeipa/ticket/2406
|
| |
|
|
|
|
| |
Do not accept invalid GID values in IPA user/group plugins.
https://fedorahosted.org/freeipa/ticket/2335
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
New version of bind-dyndb-ldap plugin have an ability to
automatically update machine reverse address when its forward
address is updated via GSS-TSIG update. The reverse zone must be
managed by FreeIPA as well in order of this feature to work.
As it would not be secure to enable this behaviour for all zones
there is a global attribute that can enable PTR sync for all zones
and also a per-zone attribute that can enable for chosen zones
only.
This patch adds an API for this control.
https://fedorahosted.org/freeipa/ticket/2176
|
| |
|
|
|
|
|
|
| |
Add ability configure per-zone forwarder for DNS zones. Any data
in such zone will then be considered as non-authoritative and all
queries will be sent to specified forwarder.
https://fedorahosted.org/freeipa/ticket/2108
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Provide a way to specify BIND allow-query and allow-transfer ACLs
for DNS zones.
IMPORTANT: new bind-dyndb-ldap adds a zone transfer ability. To
avoid zone information leaks to unintended places, allow-transfer
ACL for every zone is by default set to none and has to be
explicitly enabled by an Administrator. This is done both for new
DNS zones and old DNS zones during RPM update via new DNS upgrade
plugin.
https://fedorahosted.org/freeipa/ticket/1211
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Implement API for DNS global options supported in bind-dyndb-ldap.
Currently, global DNS option overrides any relevant option in
named.conf. Thus they are not filled by default they are left as
a possibility for a user.
Bool encoding had to be fixed so that Bool LDAP attribute can also
be deleted and not just set to True or False.
https://fedorahosted.org/freeipa/ticket/2216
|
| |
|
|
|
|
|
|
|
| |
Deleting these would cause the IPA master to blow up.
For services I'm taking a conservative approach and only limiting the
deletion of known services we care about.
https://fedorahosted.org/freeipa/ticket/2425
|
| |
|
|
|
|
|
|
|
|
| |
Missing options were added to Web UI's IPA Server/Configuration page.
* ipaconfigstring
* ipaselinuxusermaporder
* ipaselinuxusermapdefault
https://fedorahosted.org/freeipa/ticket/2285
https://fedorahosted.org/freeipa/ticket/2400
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds a common method, textui.prompt_helper, that handles
encoding, decoding and error handling for interactive prompts.
On EOFError (Ctrl+D) or KeyboardInterrupt (Ctrl+C), it raises
a new InvocationError, PromptFailed.
The helper is used in prompt, prompt_yesno, and prompt_password,
each of which originally only handled one of Ctrl+C and Ctrl+D.
This fixes https://fedorahosted.org/freeipa/ticket/2345
And it means prompt_yesno will no longer return None on error.
A minor fix restores errors.py's ability print out the list of
errors when run as a script.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Admin e-mail validator currently requires an email to be in
a second-level domain (hostmaster@example.com). This is too
restrictive. Top level domain e-mails (hostmaster@testrelm)
should also be allowed.
This patch also fixes default zonemgr value in help texts and man
pages.
https://fedorahosted.org/freeipa/ticket/2272
|
| |
|
|
|
|
|
|
|
|
|
|
| |
A forwardable ticket is still required but we no longer need to send
the TGT to the IPA server. A new flag, --delegate, is available if
the old behavior is required.
Set the minimum n-v-r for mod_auth_kerb and krb5-server to pick up
needed patches for S4U2Proxy to work.
https://fedorahosted.org/freeipa/ticket/1098
https://fedorahosted.org/freeipa/ticket/2246
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Address column in A, AAAA DNS records was exented of redirection capabilities.
Redirection dialog is shown after a click on a value.
Dialog does following steps:
1) fetch all dns zones
2) find most accurate reverse zone for IP address
2 -fail) show error message, stop
3) checks if target record exists in the zone
3 -fail) show 'dns record create link', stop
4) redirects
Click on 'dns record create link':
1) creates record
1 -fail) show error, stop
2) redirects
https://fedorahosted.org/freeipa/ticket/1975
|
| |
|
|
|
|
|
|
| |
To user and host details pages was added ipasshpubkey attribute.
New widget for ssh public keys was created.
https://fedorahosted.org/freeipa/ticket/2340
|
| |
|
|
|
|
| |
Fixes import problems trying to import just ipalib/compat.py.
https://fedorahosted.org/freeipa/ticket/754
|
| |
|
|
|
|
|
|
|
|
|
| |
Fix wrong handling of strings in --setattr/--addattr/--delattr.
These changes make it possible to use Bytes in --setattr/--addattr/
--delattr without errors.
Fixes managing SSH keys on command-line
https://fedorahosted.org/freeipa/ticket/754
|
| |
|
|
|
|
|
|
|
|
|
| |
This patch adds a new multivalue param "sshpubkey" for specifying SSH public
keys to both user and host objects. The accepted value is base64-encoded
public key blob as specified in RFC4253, section 6.6.
Additionaly, host commands automatically update DNS SSHFP records when
requested by user.
https://fedorahosted.org/freeipa/ticket/754
|
| |
|
|
|
|
|
|
|
|
|
| |
* hbacrule: Internationalize HBAC rule "all" category exceptions
https://fedorahosted.org/freeipa/ticket/2267
* hbactest: Use internationalized names (doc) instead of names
for output items
Also don't convert result to bool, `not` does it implicitly
* ipalib.output: Internationalize descriptions of some standard entries
|
| |
|
|
|
|
|
| |
In user group adder dialog, the "Is this a POSIX group?" was replaced with "POSIX group".
In host search facet, the "Enrolled?" was replaced with "Enrolled".
https://fedorahosted.org/freeipa/ticket/2353
|
| |
|
|
|
|
|
|
|
|
|
| |
This patch switches to named ("%(name)s") instead of positional ("%s")
substitutions for internationalized strings, so translators can
reorder the words.
This fixes https://fedorahosted.org/freeipa/ticket/2179 (xgettext no
longer gives warnings).
Also, some i18n calls are rewritten to translate the template before
substitutions, not after.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds a session manager and support for caching
authentication in the session. Major elements of the patch are:
* Add a session manager to support cookie based sessions which
stores session data in a memcached entry.
* Add ipalib/krb_utils.py which contains functions to parse ccache
names, format principals, format KRB timestamps, and a KRB_CCache
class which reads ccache entry and allows one to extract information
such as the principal, credentials, credential timestamps, etc.
* Move krb constants defined in ipalib/rpc.py to ipa_krb_utils.py so
that all kerberos items are co-located.
* Modify javascript in ipa.js so that the IPA.command() RPC call
checks for authentication needed error response and if it receives
it sends a GET request to /ipa/login URL to refresh credentials.
* Add session_auth_duration config item to constants.py, used to
configure how long a session remains valid.
* Add parse_time_duration utility to ipalib/util.py. Used to parse the
session_auth_duration config item.
* Update the default.conf.5 man page to document session_auth_duration
config item (also added documentation for log_manager config items
which had been inadvertantly omitted from a previous commit).
* Add SessionError object to ipalib/errors.py
* Move Kerberos protection in Apache config from /ipa to /ipa/xml and
/ipa/login
* Add SessionCCache class to session.py to manage temporary Kerberos
ccache file in effect for the duration of an RPC command.
* Adds a krblogin plugin used to implement the /ipa/login
handler. login handler sets the session expiration time, currently
60 minutes or the expiration of the TGT, whichever is shorter. It
also copies the ccache provied by mod_auth_kerb into the session
data. The json handler will later extract and validate the ccache
belonging to the session.
* Refactored the WSGI handlers so that json and xlmrpc could have
independent behavior, this also moves where create and destroy
context occurs, now done in the individual handler rather than the
parent class.
* The json handler now looks up the session data, validates the ccache
bound to the session, if it's expired replies with authenicated
needed error.
* Add documentation to session.py. Fully documents the entire process,
got questions, read the doc.
* Add exclusions to make-lint as needed.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The homedirectory argument had a default_from '/home/<name>', ignoring
the ipahomesrootdir config setting. This patch removes that default,
and adds a test case for ipahomesrootdir.
https://fedorahosted.org/freeipa/ticket/2332
The login shell had the same problem. Again this patch removes the
client-side default and adds a test.
Building the home directory from the default is changed to use
posixpath.join instead of string formatting and ad-hoc cleanup,
and to use '/home' instead of failing when the ipahomesrootdir
setting is not present for some reason.
|
| |
|
|
|
|
|
|
|
|
|
| |
Convert from a freeform string into a enumeration.
Only values currently allowed are AllowLMhash and AllowNThash.
To add more than one value on the command-line either specify
--ipaconfigstring multiple times or add the values comma-separated.
https://fedorahosted.org/freeipa/ticket/1433
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Checking of parameters used by _make_aci funcion was rewritten.
Additional attributes of ACI(type, attribute, memberof, targetgroup,
subtree, filter) could be unset.
Permission plugin now allows to unset memberof value.
https://fedorahosted.org/freeipa/ticket/2255
Added checking of existence of groups that are specified in permission
and delegation module.
https://fedorahosted.org/freeipa/ticket/2286
https://fedorahosted.org/freeipa/ticket/2305
|
| |
|
|
|
|
|
|
|
|
| |
External members (users and hosts) are assumed when doing member
management on certain attributes. If the member isn't in IPA it
is assumed to be external. When doing member management we need
to sift through the list of failures and pull out all those
that were simply not found in IPA.
https://fedorahosted.org/freeipa/ticket/1734
|
| |
|
|
|
|
|
| |
Hard-coded labels in Automember UI have been moved into internal.py to
allow translation.
https://fedorahosted.org/freeipa/ticket/2195
|
| |
|
|
|
|
|
|
| |
The example mistakenly showed how to allow "employees" to edit
addresses of "managers".
This fixes the example by switching the two options.
https://fedorahosted.org/freeipa/ticket/2317
|
| |
|
|
|
|
|
| |
This patch fixes netgroup unit test failures which expect the
original DN.
https://fedorahosted.org/freeipa/ticket/2069
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Indirect automount nesting is achieved by adding a key that references
another map. This isn't heirarchical, in fact, you can have multiple
duplicate keys all pointing at the same map, which itself is mounted
in other places. It can be a real mess if you want.
In any case, a submount map has its information set to
"-fstype=autofs <type>:<map>"
The type can be any valid automount type: file, nis, yp, ldap, etc. We
are going to hardcode ldap in when we create these using
automountmap-add-indirect. If a user wants a different type they can
create the key themselves (or edit it later).
Here is an example of creating a submount:
$ ipa automountlocation-add baltimore
$ ipa automountmap-add-indirect baltimore auto.share --mount=/share
$ ipa automountmap-add-indirect baltimore --parentmap=auto.share --mount=sub auto.sub
$ ipa automountkey-add baltimore auto.sub --key=share --info=attic:/share
$ ls /share/sub/share
builds lost+found
This looks like:
etc/auto.master:
/- /etc/auto.direct
/share /etc/auto.share
---------------------------
/etc/auto.direct:
---------------------------
/etc/auto.share:
sub -fstype=autofs ldap:auto.sub
maps not connected to /etc/auto.master:
---------------------------
/etc/auto.sub:
share attic:/share
I've also added a catch-all when using the tofiles function. We were
missing any maps that weren't attached to auto.master. They will now
be shown along with whatever keys they have.
https://fedorahosted.org/freeipa/ticket/1268
|
| |
|
|
|
|
|
|
|
|
|
|
| |
CLI command help contains a documentation for all options that can
be passed to commands. However, help strings for positional
arguments are not included.
This patch uses an OptionParser description field to list all
command arguments as OptionParser does not have a native support
to provide such information to user.
https://fedorahosted.org/freeipa/ticket/1974
|
| |
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/2010
https://fedorahosted.org/freeipa/ticket/2323
https://fedorahosted.org/freeipa/ticket/2228
https://fedorahosted.org/freeipa/ticket/2232
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
ACI plugins (permission, selfservice and delegation) were not
prepared to serve ACIs in a raw format, i.e. raw "aci" attribute
taken from LDAP. This patch fixes all these plugins and their
commands to provide provide this format. Few ACI raw format unit
tests were added for all these plugins.
https://fedorahosted.org/freeipa/ticket/2010
https://fedorahosted.org/freeipa/ticket/2223
https://fedorahosted.org/freeipa/ticket/2228
https://fedorahosted.org/freeipa/ticket/2232
|
| |
|
|
|
|
|
|
|
| |
Improve migration help topic so that it easier understandable:
- Add missing list of Topic commands
- Add one more example to demonstrate migration abilities
- Add breaks to too long lines to improve readibility
https://fedorahosted.org/freeipa/ticket/2174
|
| |
|
|
|
|
|
|
|
|
| |
When a new DNS record is being added to DNS zone via command
ipa dnsrecord-add ZONE @
and the target ZONE does not exist it returns ObjectclassViolation
which may confuse users. Make sure that standard DNS Zone NotFound
exception is returned.
https://fedorahosted.org/freeipa/ticket/2270
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Since A6 is an obsolete RR type, no DNS part option was created.
This is, however, not consistent with the rest of per-type API
and may cause problems. This patch adds at least a DNS part for
raw A6 record data so that the record type is treated consistently.
This patch also fixes interactive mode for A6 records. Their data
were not detected correctly as dnsrecord_add didn't expect
a number in DNS part option name.
https://fedorahosted.org/freeipa/ticket/2309
|
| |
|
|
|
|
|
| |
Add missing SRV record target validator to filter out possible
user errors.
https://fedorahosted.org/freeipa/ticket/2308
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
NSEC record needs special treatment as it is not composed from
a fixed set of DNS parts divided by space, but it contains
a multivalued DNS part "types" containing a list of RR types
it covers.
There was already a special method for parsing raw NSEC record
to DNS parts, but the other direction was missing. This patch
adds special NSEC convertor to fix this issue.
https://fedorahosted.org/freeipa/ticket/2307
|
| |
|
|
|
|
|
|
|
| |
TXT record validation fails to parse the record if it contains
spaces. Standard DNS part parser uses a space to divide record
parts. A special parser thus need to be implemented for this RR
type.
https://fedorahosted.org/freeipa/ticket/2306
|
| |
|
|
|
|
|
|
|
|
|
|
| |
These two situations in netgroup-add need to be distinguished:
1) Netgroup cannot be added because a hostgroup with the same name
created a colliding managed netgroup
2) Another native netgroup with the same name exists
This patch checks the colliding netgroup and raise appropriate
error message based on this finding.
https://fedorahosted.org/freeipa/ticket/2069
|
| |
|
|
|
|
|
|
|
|
|
| |
The user details page was modified to show the password expiration
date next to the existing password field.
Fixed problem resetting password in self-service mode. The JSON
interface for the passwd command requires the username to be
specified although the equivalent CLI command doesn't require it.
Ticket #2064
|
| |
|
|
|
|
| |
DNS UI was modified to offer structured way of defining DNS records.
https://fedorahosted.org/freeipa/ticket/2208
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Web UI is caching records. Currently only possible ways how to display updated record which was changed elsewhere - ie. in CLI are:
* refresh page in browser (takes really long on slow vpns)
* search facet: change filter, find, change filter back, find
* entity details: go to search, select other entry, go back to search, select original entry
* association facet: same as entity details
These are unconvenient methods.
This patch adds Refresh button to search, details and association facet. This button executes facets refresh method.
https://fedorahosted.org/freeipa/ticket/2051
|
| |
|
|
|
|
|
|
|
|
|
| |
Host object has a virtual attribute "managing" containing all hosts
it manages (governed by managedBy attribute). This patch also adds
standard membership filtering options:
--man-hosts=HOSTS: Only hosts managing _all_ HOSTS are returned
--not-man-hosts=HOSTS: Only hosts which do not manage _any_ host
in HOSTS are returned
https://fedorahosted.org/freeipa/ticket/1675
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
macaddress is a multi-valued attribute and we allow multiple entries.
This is from the objectclass ieee802device. This is added manually when
doing a mod or add and not as a default to support existing host entries
that do not have this objectclass. If this were added to the defaults
then existing hosts missing this objectclass would not be found by
host-find.
It is possible to get ethers data out of nss by configuring nsswitch.conf
to use ldap for ethers and running getent ethers <hostname>
I tested nslcd and it only returned one macaddress value.
https://fedorahosted.org/freeipa/ticket/1132
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When deleting an HBAC rule we need to ensure that an SELinux user
map isn't pointing at it. We need to take what is the cn of the HBAC
rule and see if that rule exists, then return the dn to that rule.
The search was not being done properly and wasn't enforcing uniqueness.
It could have returned partial matches as well (so tests for the
search test).
https://fedorahosted.org/freeipa/ticket/2269
|
