path: root/ipaserver/install
Commit message | Author | Age | Files | Lines
* Add schema updater based on IPA schema files | Petr Viktorin | 2013-11-18 | 3 | -5/+174
  The new updater is run as part of `ipa-ldap-updater --upgrade` and `ipa-ldap-updater --schema` (--schema is a new option). The --schema-file option to ipa-ldap-updater may be used (multiple times) to select a non-default set of schema files to update against. The updater adds an X-ORIGIN tag with the current IPA version to all elements it adds or modifies.
  https://fedorahosted.org/freeipa/ticket/3454
* dsinstance: Move the list of schema filenames to a constant | Petr Viktorin | 2013-11-18 | 1 | -9/+14
  Preparation for: https://fedorahosted.org/freeipa/ticket/3454
* ldapupdate: Factor out connection code | Petr Viktorin | 2013-11-18 | 1 | -40/+36
  The connection code will be the same for both the LDAP updater and the new schema updater.
  Preparation for: https://fedorahosted.org/freeipa/ticket/3454
* Use EXTERNAL auth mechanism in ldapmodify | Ana Krivokapic | 2013-11-14 | 1 | -10/+10
  Default to using the EXTERNAL authorization mechanism in calls to ldapmodify
  https://fedorahosted.org/freeipa/ticket/3895
* Fix regression which prevents creating a winsync agreement | Ana Krivokapic | 2013-11-13 | 1 | -1/+2
  A regression, which prevented creation of a winsync agreement, was introduced in the original fix for ticket #3989.
  https://fedorahosted.org/freeipa/ticket/3989
* Server does not detect different server and IPA domain | Martin Kosek | 2013-11-11 | 1 | -7/+11
  Server installer does not properly recognize a situation when server fqdn is not in a subdomain of the IPA domain, but shares the same suffix. For example, if server FQDN is ipa-idm.example.com and domain is idm.example.com, server's FQDN is not in the main domain, but installer does not recognize that. Proper Kerberos realm-domain mapping is not created in this case and server does not work (httpd reports gssapi errors).
  https://fedorahosted.org/freeipa/ticket/4012
* Turn LDAPEntry.single_value into a dictionary-like property. | Jan Cholasta | 2013-11-05 | 9 | -47/+45
  This change makes single_value consistent with the raw property.
  https://fedorahosted.org/freeipa/ticket/3521
* Remove legacy toDict and origDataDict methods of LDAPEntry. | Jan Cholasta | 2013-10-31 | 2 | -6/+5
  https://fedorahosted.org/freeipa/ticket/3521
* Track DS certificate with certmonger on replicas. | Jan Cholasta | 2013-10-29 | 1 | -2/+9
  https://fedorahosted.org/freeipa/ticket/3975
* Remove mod_ssl conflict | Martin Kosek | 2013-10-25 | 1 | -5/+41
  Since mod_nss-1.0.8-24, mod_nss and mod_ssl can co-exist on one machine (of course, when listening to different ports). To make sure that mod_ssl is not configured to listen on 443 (default mod_ssl configuration), add a check to the installer checking if either mod_nss or mod_ssl was configured to listen on that port.
  https://fedorahosted.org/freeipa/ticket/3974
* Make set_directive and get_directive more strict | Martin Kosek | 2013-10-25 | 1 | -2/+2
  When set_directive was used for directive "foo" and the word "foo" was detected anywhere on the line (e.g. in a comment, or in an example), it was overwritten which may potentially lead to wrong line being overwritten. Only match the directives on the beginning of the lines, it is safer.
  https://fedorahosted.org/freeipa/ticket/3974
* Make sure nsds5ReplicaStripAttrs is set on agreements | Ana Krivokapic | 2013-10-25 | 1 | -2/+1
  Add nsds5ReplicaStripAttrs to the agreement LDAP entry before the agreement is created.
  https://fedorahosted.org/freeipa/ticket/3989
* adtrustinstance: Move attribute definitions from setup to init method | Tomas Babej | 2013-10-14 | 1 | -29/+49
  Majority of the attributes set in the setup method can be set in the __init__ method where they are actually defined (and set to None). This is true for attributes that hold constant values and for attributes that have their values derived from api.env dictionary. Creates a new __setup_default_attributes method, that is called from within __init__ and setup (in case the passed values for hostname or domain do not correspond to that what is set in api.env, doing otherwise could cause unexpected behaviour).
  Part of: https://fedorahosted.org/freeipa/ticket/3479
* adtrustinstance: Properly handle uninstall of AD trust instance | Tomas Babej | 2013-10-14 | 1 | -14/+37
  The uninstall method of the AD trust instance was not called upon at all in the ipa-server-install --uninstall phase. This patch makes sure that AD trust instance is unconfigured when the server is uninstalled. The following steps are undertaken:
    * Remove /var/run/samba/krb5cc_samba
    * Remove our keys from /etc/samba/samba.keytab using ipa-rmkeytab
    * Remove /var/lib/samba/*.tdb files
  Additionally, we make sure winbind service is stopped from within the stop() method.
  Part of: https://fedorahosted.org/freeipa/ticket/3479
* ipa-upgradeconfig: Remove backed up smb.conf | Tomas Babej | 2013-10-14 | 1 | -9/+6
  Since we are not able to properly restore the Samba server to the working state after running ipa-adtrust-install, we should not keep the smb.conf in the fstore. This patch makes sure that any backed up smb.conf is removed from the backup and that this file is not backed up anymore.
  Part of: https://fedorahosted.org/freeipa/ticket/3479
* Use consistent realm name in cainstance and dsinstance | Martin Kosek | 2013-10-11 | 2 | -19/+18
  The installers used custom self.realm_name instead of standard self.realm defined in Service class. It caused crashes in some cases when Service class methods expected the self.realm to be filled.
  https://fedorahosted.org/freeipa/ticket/3854
* PKI installation on replica failing due to missing proxy conf | Martin Kosek | 2013-10-11 | 1 | -1/+3
  Proxy configuration was not detected correctly. Both ipa-pki-proxy.conf and ipa.conf need to be in place and httpd restarted to be able to check its status.
  https://fedorahosted.org/freeipa/ticket/3964
* Remove --no-serial-autoincrement | Martin Kosek | 2013-10-11 | 1 | -6/+1
  Deprecate this option and do not offer it in installation tools. Without this option enabled, advanced DNS features like DNSSEC would not work.
  https://fedorahosted.org/freeipa/ticket/3962
* Do not fail upgrade if the global anonymous read ACI is not found | Petr Viktorin | 2013-10-04 | 1 | -2/+6
  This helps forward compatibility: the anon ACI is scheduled for removal.
  https://fedorahosted.org/freeipa/ticket/3956
* Allow PKCS#12 files with empty password in install tools. | Jan Cholasta | 2013-10-04 | 2 | -5/+5
  https://fedorahosted.org/freeipa/ticket/3897
* Read passwords from stdin when importing PKCS#12 files with pk12util. | Jan Cholasta | 2013-10-04 | 4 | -17/+17
  This works around pk12util refusing to use empty password files, which prevents the use of PKCS#12 files with empty password.
  https://fedorahosted.org/freeipa/ticket/3897
* Use FQDN when creating MSDCS SRV records | Martin Kosek | 2013-10-03 | 1 | -4/+11
  When IPA server hostname is outside of default DNS domain, instead of relative domain name, FQDN should be used.
  https://fedorahosted.org/freeipa/ticket/3908
* Do not show unexpected error in ipa-ldap-updater | Ana Krivokapic | 2013-09-16 | 1 | -0/+2
  Prevent showing of unfriendly "Unexpected error" message, when providing incorrect DM password to ipa-ldap-updater.
  https://fedorahosted.org/freeipa/ticket/3825
* Fix nsslapdPlugin object class after initial replication. | Jan Cholasta | 2013-09-10 | 2 | -11/+5
  This is a workaround for <https://fedorahosted.org/389/ticket/47490>.
  https://fedorahosted.org/freeipa/ticket/3915
* Remove __all__ specifications in ipaclient and ipaserver.install | Petr Viktorin | 2013-09-06 | 1 | -2/+0
  The __all__ list does not cause submodules to be imported, e.g. one would still have to `import ipaclient.ipachangeconf` rather than just `import ipaclient` to use `ipaclient.ipachangeconf`. Even if they did do anything, the lists were incomplete, and (since `import *` is not used on these modules) unnecessary. Pylint 1.0 reports undeclared names in __all__ as a warning.
* Create DS user and group during ipa-restore | Ana Krivokapic | 2013-09-02 | 2 | -25/+53
  ipa-restore would fail if DS user did not exist. Check for presence of DS user and group and create them if needed.
  https://fedorahosted.org/freeipa/ticket/3856
* Fix ipa-server-certinstall usage string. | Jan Cholasta | 2013-08-28 | 1 | -1/+1
  https://fedorahosted.org/freeipa/ticket/3869
* Add --dirman-password option to ipa-server-certinstall. | Jan Cholasta | 2013-08-28 | 1 | -4/+8
  https://fedorahosted.org/freeipa/ticket/3869
* Fix nsSaslMapping object class before configuring SASL mappings. | Jan Cholasta | 2013-08-27 | 1 | -0/+11
  This is a workaround for <https://fedorahosted.org/389/ticket/47490>.
  https://fedorahosted.org/freeipa/ticket/3778
* Make CS.cfg edits with CA instance stopped | Tomas Babej | 2013-08-26 | 2 | -37/+95
  This patch makes sure that all edits to CS.cfg configuration file are performed while pki-tomcatd service is stopped. Introduces a new contextmanager stopped_service for handling a general problem of performing a task that needs certain service being stopped.
  https://fedorahosted.org/freeipa/ticket/3804
* Perform dirsrv tuning at platform level | Tomas Babej | 2013-08-26 | 1 | -51/+12
  When configuring the 389 Directory Server instance, we tune it so that number of file descriptors available to the DS is increased from the default 1024 to 8192. There are platform specific steps that need to be conducted differently on systemd compatible platforms and sysV compatible platforms.
    systemd: set LimitNOFILE to 8192 in /etc/sysconfig/dirsrv.systemd
    sysV: set ulimit -n 8192 in /etc/sysconfig/dirsrv
          set ulimit - nofile 8192 in /etc/security/limits.conf
  https://fedorahosted.org/freeipa/ticket/3823
* Remove redundant shebangs | Tomas Babej | 2013-08-26 | 4 | -6/+2
  Remove redundant shebangs from files that are not used as scripts.
  https://fedorahosted.org/freeipa/ticket/3853
* Fix broken replica installation | Ana Krivokapic | 2013-08-20 | 1 | -4/+12
  Make sure the subject base parameter is correctly passed and used during the creation of the DS instance on a replica.
  https://fedorahosted.org/freeipa/ticket/3868
* Ask for PKCS#12 password interactively in ipa-server-certinstall. | Jan Cholasta | 2013-08-20 | 1 | -3/+7
  https://fedorahosted.org/freeipa/ticket/3641
* Add --pin option to ipa-server-certinstall. | Jan Cholasta | 2013-08-20 | 1 | -10/+10
  Hide the unnecessary --dirsrv_pin and --http_pin options.
  https://fedorahosted.org/freeipa/ticket/3869
* Untrack old and track new cert with certmonger in ipa-server-certinstall. | Jan Cholasta | 2013-08-20 | 1 | -3/+12
  https://fedorahosted.org/freeipa/ticket/3641
* Replace only the cert instead of the whole NSS DB in ipa-server-certinstall. | Jan Cholasta | 2013-08-20 | 2 | -13/+23
  https://fedorahosted.org/freeipa/ticket/3641
* Ignore empty mod error when updating DS SSL config in ipa-server-certinstall. | Jan Cholasta | 2013-08-20 | 1 | -2/+5
  https://fedorahosted.org/freeipa/ticket/3641
* Remove unused NSSDatabase and CertDB method find_root_cert_from_pkcs12. | Jan Cholasta | 2013-08-20 | 1 | -44/+0
  https://fedorahosted.org/freeipa/ticket/3641
* Port ipa-server-certinstall to the admintool framework. | Jan Cholasta | 2013-08-20 | 1 | -0/+154
  Change the log file path from /var/log/ipa/default.log to admintool's default path.
  https://fedorahosted.org/freeipa/ticket/3641
* Prevent *.pyo and *.pyc multilib problems | Martin Kosek | 2013-08-13 | 3 | -3/+3
  Differences in the python byte code fail in a build validation (rpmdiff) done on different architecture of the same package. This patch:
    1) Ensures that timestamps of generated *.pyo and *.pyc files match
    2) Python integer literals greater or equal 2^32 and lower than 2^64 are converted to long right away to prevent different type of the integer on architectures with different size of int
  https://fedorahosted.org/freeipa/ticket/3858
* Remove support for IPA deployments with no persistent search | Tomas Babej | 2013-08-09 | 1 | -22/+18
  Drops the code from ipa-server-install, ipa-dns-install and the BindInstance itself. Also changed ipa-upgradeconfig script so that it does not set zone_refresh to 0 on upgrades, as the option is deprecated.
  https://fedorahosted.org/freeipa/ticket/3632
* Handle --subject option in ipa-server-install | Ana Krivokapic | 2013-08-08 | 1 | -1/+7
  Properly handle --subject option of ipa-server-install, making sure this value gets passed to certmap.conf. Introduce a new template variable $SUBJECT_BASE for this purpose. Also make sure that this value is preserved on upgrades.
  https://fedorahosted.org/freeipa/ticket/3783
* Rename slapi-nis configuration variable | Alexander Bokovoy | 2013-08-06 | 1 | -5/+5
* Fix installutils.get_password without a TTY | Petr Viktorin | 2013-08-06 | 1 | -1/+7
  If stdin is a TTY, ipaserver.install.installutils uses getpass and all is well. Without a TTY, though, there were two problems:
    * The prompt was not printed
    * On end of file, an empty string was returned, which caused read_password to enter an infinite loop.
  Fix both problems.
  https://fedorahosted.org/freeipa/ticket/3824
* Print newline after receiving EOF in installutils.read_password. | Jan Cholasta | 2013-07-24 | 1 | -1/+2
* Ask for PKCS#12 password interactively in ipa-replica-prepare. | Jan Cholasta | 2013-07-24 | 1 | -15/+34
  https://fedorahosted.org/freeipa/ticket/3717
* Use AD LDAP probing to create trusted domain ID range | Tomas Babej | 2013-07-23 | 1 | -3/+4
  When creating a trusted domain ID range, probe AD DC to get information about ID space leveraged by POSIX users already defined in AD, and create an ID range with according parameters.
  For more details: http://www.freeipa.org/page/V3/Use_posix_attributes_defined_in_AD
  https://fedorahosted.org/freeipa/ticket/3649
* ipa-adtrust-install: configure compatibility tree to serve trusted domain users | Alexander Bokovoy | 2013-07-18 | 1 | -1/+21
  Enables support for trusted domains users for old clients through Schema Compatibility plugin. SSSD supports trusted domains natively starting with version 1.9 platform. For platforms that lack SSSD or run older SSSD version one needs to use this option. When enabled, slapi-nis package needs to be installed and schema-compat-plugin will be configured to provide lookup of users and groups from trusted domains via SSSD on IPA server. These users and groups will be available under cn=users,cn=compat,$SUFFIX and cn=groups,cn=compat,$SUFFIX trees. SSSD will normalize names of users and groups to lower case.
  In addition to providing these users and groups through the compat tree, this option enables authentication over LDAP for trusted domain users with DN under compat tree, i.e. using bind DN uid=administrator@ad.domain,cn=users,cn=compat,$SUFFIX. This authentication is related to PAM stack using 'system-auth' PAM service. If you have disabled HBAC rule 'allow_all', then make sure there is special service called 'system-auth' created and HBAC rule to allow access to anyone to this rule on IPA masters is added. Please note that system-auth PAM service is not used directly by any other application, therefore it is safe to create one specifically to support trusted domain users via compatibility path.
  https://fedorahosted.org/freeipa/ticket/3567
* Properly handle non-existent cert files | Ana Krivokapic | 2013-07-18 | 2 | -3/+12
  https://fedorahosted.org/freeipa/ticket/3785