summaryrefslogtreecommitdiffstats
path: root/ipaserver
Commit message (Collapse)AuthorAgeFilesLines
* Do not show unexpected error in ipa-ldap-updaterAna Krivokapic2013-09-161-0/+2
| | | | | | | Prevent showing of unfriendly "Unexpected error" message, when providing incorrect DM password to ipa-ldap-updater. https://fedorahosted.org/freeipa/ticket/3825
* Fix nsslapdPlugin object class after initial replication.Jan Cholasta2013-09-102-11/+5
| | | | | | This is a workaround for <https://fedorahosted.org/389/ticket/47490>. https://fedorahosted.org/freeipa/ticket/3915
* Remove __all__ specifications in ipaclient and ipaserver.installPetr Viktorin2013-09-061-2/+0
| | | | | | | | | | | The __all__ list does not cause submodules to be imported, e.g. one would still have to `import ipaclient.ipachangeconf` rather than just `import ipaclient` to use `ipaclient.ipachangeconf`. Even if they did do anything, the lists were incomplete, and (since `import *` is not used on these modules) unnecessary. Pylint 1.0 reports undeclared names in __all__ as a warning.
* Create DS user and group during ipa-restoreAna Krivokapic2013-09-022-25/+53
| | | | | | | ipa-restore would fail if DS user did not exist. Check for presence of DS user and group and create them if needed. https://fedorahosted.org/freeipa/ticket/3856
* Log proper error message when defaultNamingContext not foundTomas Babej2013-08-291-1/+7
|
* Fix ipa-server-certinstall usage string.Jan Cholasta2013-08-281-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/3869
* Add --dirman-password option to ipa-server-certinstall.Jan Cholasta2013-08-281-4/+8
| | | | https://fedorahosted.org/freeipa/ticket/3869
* Fix nsSaslMapping object class before configuring SASL mappings.Jan Cholasta2013-08-271-0/+11
| | | | | | This is a workaround for <https://fedorahosted.org/389/ticket/47490>. https://fedorahosted.org/freeipa/ticket/3778
* Make CS.cfg edits with CA instance stoppedTomas Babej2013-08-262-37/+95
| | | | | | | | | | | This patch makes sure that all edits to CS.cfg configuration file are performed while pki-tomcatd service is stopped. Introduces a new contextmanager stopped_service for handling a general problem of performing a task that needs certain service being stopped. https://fedorahosted.org/freeipa/ticket/3804
* Perform dirsrv tuning at platform levelTomas Babej2013-08-261-51/+12
| | | | | | | | | | | | | | | | When configuring the 389 Directory Server instance, we tune it so that number of file descriptors available to the DS is increased from the default 1024 to 8192. There are platform specific steps that need to be conducted differently on systemd compatible platforms and sysV compatible platforms. systemd: set LimitNOFILE to 8192 in /etc/sysconfig/dirsrv.systemd sysV: set ulimit -n 8192 in /etc/sysconfig/dirsrv set ulimit - nofile 8192 in /etc/security/limits.conf https://fedorahosted.org/freeipa/ticket/3823
* Show human-readable error name in error dialog titlePetr Vobornik2013-08-261-1/+1
| | | | | | Fixes RPC server's JSON encoding of exception's name. It allows to show the name in Web UI's error dialog title.
* Remove redundant shebangsTomas Babej2013-08-265-7/+2
| | | | | | Remove redundant shebangs from files that are not used as scripts. https://fedorahosted.org/freeipa/ticket/3853
* Fix broken replica installationAna Krivokapic2013-08-201-4/+12
| | | | | | | Make sure the subject base parameter is correctly passed and used during the creation of the DS instance on a replica. https://fedorahosted.org/freeipa/ticket/3868
* Ask for PKCS#12 password interactively in ipa-server-certinstall.Jan Cholasta2013-08-201-3/+7
| | | | https://fedorahosted.org/freeipa/ticket/3641
* Add --pin option to ipa-server-certinstall.Jan Cholasta2013-08-201-10/+10
| | | | | | Hide the unnecessary --dirsrv_pin and --http_pin options. https://fedorahosted.org/freeipa/ticket/3869
* Untrack old and track new cert with certmonger in ipa-server-certinstall.Jan Cholasta2013-08-201-3/+12
| | | | https://fedorahosted.org/freeipa/ticket/3641
* Replace only the cert instead of the whole NSS DB in ipa-server-certinstall.Jan Cholasta2013-08-202-13/+23
| | | | https://fedorahosted.org/freeipa/ticket/3641
* Ignore empty mod error when updating DS SSL config in ipa-server-certinstall.Jan Cholasta2013-08-201-2/+5
| | | | https://fedorahosted.org/freeipa/ticket/3641
* Remove unused NSSDatabase and CertDB method find_root_cert_from_pkcs12.Jan Cholasta2013-08-201-44/+0
| | | | https://fedorahosted.org/freeipa/ticket/3641
* Port ipa-server-certinstall to the admintool framework.Jan Cholasta2013-08-201-0/+154
| | | | | | | Change the log file path from /var/log/ipa/default.log to admintool's default path. https://fedorahosted.org/freeipa/ticket/3641
* Prevent *.pyo and *.pyc multilib problemsMartin Kosek2013-08-133-3/+3
| | | | | | | | | | | | | Differences in the python byte code fails in a build validation (rpmdiff) done on difference architecture of the same package. This patch: 1) Ensures that timestamps of generated *.pyo and *.pyc files match 2) Python integer literals greater or equal 2^32 and lower than 2^64 are converted to long right away to prevent different type of the integer on architectures with different size of int https://fedorahosted.org/freeipa/ticket/3858
* Remove support for IPA deployments with no persistent searchTomas Babej2013-08-091-22/+18
| | | | | | | | | Drops the code from ipa-server-install, ipa-dns-install and the BindInstance itself. Also changed ipa-upgradeconfig script so that it does not set zone_refresh to 0 on upgrades, as the option is deprecated. https://fedorahosted.org/freeipa/ticket/3632
* Handle --subject option in ipa-server-installAna Krivokapic2013-08-081-1/+7
| | | | | | | | | | Properly handle --subject option of ipa-server-install, making sure this value gets passed to certmap.conf. Introduce a new template variable $SUBJECT_BASE for this purpose. Also make sure that this value is preserved on upgrades. https://fedorahosted.org/freeipa/ticket/3783
* Enable running API commands in ipa-advise pluginsAna Krivokapic2013-08-071-0/+2
| | | | | https://fedorahosted.org/freeipa/ticket/3671 https://fedorahosted.org/freeipa/ticket/3672
* Add ipa-advise plugins for legacy clientsAna Krivokapic2013-08-071-0/+163
| | | | | | | | | | | | | | | | | Old versions of SSSD do not directly support cross-realm trusts between IPA and AD. This patch introduces plugins for the ipa-advise tool, which should help with configuring an old version of SSSD (1.5-1.8) to gain access to resources in trusted domain. Since the configuration steps differ depending on whether the platform includes the authconfig tool, two plugins are needed: * config-redhat-sssd-before-1-9 - provides configuration for Red Hat based systems, as these system include the autconfig utility * config-generic-sssd-before-1-9 - provides configuration for other platforms https://fedorahosted.org/freeipa/ticket/3671 https://fedorahosted.org/freeipa/ticket/3672
* Rename slapi-nis configuration variableAlexander Bokovoy2013-08-061-5/+5
|
* Wrap lines in the list of available advicesTomas Babej2013-08-061-6/+14
| | | | | | | | | | | | Now the list of available advices is neatly formatted: ------------------------- List of available advices ------------------------- config-fedora-authconfig : Authconfig instructions for configuring Fedora 18/19 client with IPA server without use of SSSD. The advice header printing has been reformatted to conform with the changes.
* Add a word wrapping for comment log messages to AdviceLoggerTomas Babej2013-08-061-1/+6
| | | | | The comments logged through AdviceLogger are now wrapped up to 70 characters. This change has been documented in the docstrings.
* Remove overlapping use-cases of the same result variableTomas Babej2013-08-061-4/+4
|
* Use case-insensitive dict for trusted domain infoTomas Babej2013-08-061-12/+24
| | | | | | | | | | | In DomainValidator, we store a dictionary containing information for trusted domains. This is a case-sensitive dictionary keyed by the domain name. We need to use case-insensitive dictionary since domain names are generally case-insensitive. https://fedorahosted.org/freeipa/ticket/3816
* Fix installutils.get_password without a TTYPetr Viktorin2013-08-061-1/+7
| | | | | | | | | | | | | If stdin is a TTY, ipaserver.install.installutils uses getpass and all is well. Without a TTY, though, there were two problems: * The prompt was not printed * On end of file, an empty string was returned, which caused read_password to enter an infinite loop. Fix both problems. https://fedorahosted.org/freeipa/ticket/3824
* Print newline after receiving EOF in installutils.read_password.Jan Cholasta2013-07-241-1/+2
|
* Ask for PKCS#12 password interactively in ipa-replica-prepare.Jan Cholasta2013-07-241-15/+34
| | | | https://fedorahosted.org/freeipa/ticket/3717
* ipaserver/dcerpc: attempt to resolve SIDs through SSSD firstAlexander Bokovoy2013-07-231-1/+44
| | | | | | | | Attempt to resolve SIDs through SSSD first to avoid using trust account password. This makes possible to run HBAC test requests without being in 'trusted admins' group. https://fedorahosted.org/freeipa/ticket/3803
* Use AD LDAP probing to create trusted domain ID rangeTomas Babej2013-07-232-40/+131
| | | | | | | | | | When creating a trusted domain ID range, probe AD DC to get information about ID space leveraged by POSIX users already defined in AD, and create an ID range with according parameters. For more details: http://www.freeipa.org/page/V3/Use_posix_attributes_defined_in_AD https://fedorahosted.org/freeipa/ticket/3649
* ipa-adtrust-install: configure compatibility tree to serve trusted domain usersAlexander Bokovoy2013-07-181-1/+21
| | | | | | | | | | | | | | | | | | | | | | | | | Enables support for trusted domains users for old clients through Schema Compatibility plugin. SSSD supports trusted domains natively starting with version 1.9 platform. For platforms that lack SSSD or run older SSSD version one needs to use this option. When enabled, slapi-nis package needs to be installed and schema-compat-plugin will be configured to provide lookup of users and groups from trusted domains via SSSD on IPA server. These users and groups will be available under cn=users,cn=compat,$SUFFIX and cn=groups,cn=compat,$SUFFIX trees. SSSD will normalize names of users and groups to lower case. In addition to providing these users and groups through the compat tree, this option enables authentication over LDAP for trusted domain users with DN under compat tree, i.e. using bind DN uid=administrator@ad.domain,cn=users,cn=compat,$SUFFIX. This authentication is related to PAM stack using 'system-auth' PAM service. If you have disabled HBAC rule 'allow_all', then make sure there is special service called 'system-auth' created and HBAC rule to allow access to anyone to this rule on IPA masters is added. Please note that system-auth PAM service is not used directly by any other application, therefore it is safe to create one specifically to support trusted domain users via compatibility path. https://fedorahosted.org/freeipa/ticket/3567
* Properly handle non-existent cert filesAna Krivokapic2013-07-182-3/+12
| | | | https://fedorahosted.org/freeipa/ticket/3785
* Hide sensitive attributes in LDAP updater logging and outputRob Crittenden2013-07-181-19/+47
| | | | | | | | The LDAP updater prints the initial and final states of an entry, as well as details on the changes made to attributes. This has the potential to expose sensitive values so exclude those from logging. https://fedorahosted.org/freeipa/ticket/3782
* Provide ipa-advise toolTomas Babej2013-07-174-0/+254
| | | | | | | | | | | | | | Provides a pluggable framework for generating configuration scriptlets and instructions for various machine setups and use cases. Creates a new ipa-advise command, available to root user on the IPA server. Also provides an example configuration plugin, config-fedora-authconfig. https://fedorahosted.org/freeipa/ticket/3670
* Change group ownership of CRL publish directoryTomas Babej2013-07-161-0/+13
| | | | | | | | | | | Spec file modified so that /var/lib/ipa/pki-ca/publish/ is no longer owned by created with package installation. The directory is rather created/removed with the CA instance itself. This ensures proper creation/removeal, group ownership and SELinux context. https://fedorahosted.org/freeipa/ticket/3727
* Return the correct Content-type on negotiated XML-RPC requests.Rob Crittenden2013-07-151-2/+2
| | | | https://fedorahosted.org/freeipa/ticket/3745
* Make sure replication works after DM password is changedAna Krivokapic2013-07-111-0/+36
| | | | | | | | | | | | | | | | Replica information file contains the file `cacert.p12` which is protected by the Directory Manager password of the initial IPA server installation. The DM password of the initial installation is also used for the PKI admin user password. If the DM password is changed after the IPA server installation, the replication fails. To prevent this failure, add the following steps to ipa-replica-prepare: 1. Regenerate the `cacert.p12` file and protect it with the current DM password 2. Update the password of the PKI admin user with the current DM password https://fedorahosted.org/freeipa/ticket/3594
* Permit reads to ipatokenRadiusProxyUser objectsNathaniel McCallum2013-07-111-1/+1
| | | | | | This fixes an outstanding permissions issue from the OTP work. https://fedorahosted.org/freeipa/ticket/3693
* Use LDAP modify operation directly to add/remove group members.Jan Cholasta2013-07-111-23/+13
| | | | | | This prevents getting full member list from LDAP and putting it back later. https://fedorahosted.org/freeipa/ticket/3706
* Check trust chain length in CA-less install.Jan Cholasta2013-07-111-2/+9
| | | | https://fedorahosted.org/freeipa/ticket/3707
* Fix bug in adtrustinstanceAna Krivokapic2013-07-091-2/+2
| | | | | | | Incorrect tuple unpacking in adtrustinstance was causing ipa-adtrust-install to fail when IPA was installed with no DNS. https://fedorahosted.org/freeipa/ticket/3746
* Enable SASL mapping fallback.Jan Cholasta2013-06-272-2/+7
| | | | | | Assign a default priority of 10 to our SASL mappings. https://fedorahosted.org/freeipa/ticket/3330
* Create Firefox configuration extension on CA-less installPetr Vobornik2013-06-272-11/+16
| | | | | | | | | | Create: * kerberosauth.xpi * krb.js even when --http_pkcs12 option is used. https://fedorahosted.org/freeipa/ticket/3747
* Do not display traceback to userAna Krivokapic2013-06-241-5/+4
| | | | | | | | Logging tracebacks at the INFO level caused them to be displayed to user on the command line. Change the log level to DEBUG, so that tracebacks are not visible to user. https://fedorahosted.org/freeipa/ticket/3704
* Fail when adding a trust with a different rangeAna Krivokapic2013-06-241-3/+12
| | | | | | | | When adding a trust, if an id range already exists for this trust, and options --base-id/--range-size are provided with the trust-add command, trust-add should fail. https://fedorahosted.org/freeipa/ticket/3635
generated by cgit (git 2.34.1) at 2024-09-25 04:25:45 +0000