summaryrefslogtreecommitdiffstats
path: root/ipaserver
Commit message (Collapse)AuthorAgeFilesLines
* dsinstance: Move the list of schema filenames to a constantPetr Viktorin2013-11-181-9/+14
| | | | Preparation for: https://fedorahosted.org/freeipa/ticket/3454
* ldapupdate: Factor out connection codePetr Viktorin2013-11-181-40/+36
| | | | | | | The connection code will be the same for both the LDAP updater and the new schema updater. Preparation for: https://fedorahosted.org/freeipa/ticket/3454
* Use EXTERNAL auth mechanism in ldapmodifyAna Krivokapic2013-11-141-10/+10
| | | | | | Default to using the EXTERNAL authorization mechanism in calls to ldapmodify https://fedorahosted.org/freeipa/ticket/3895
* Map NT_STATUS_INVALID_PARAMETER to most likely error cause: clock skewAlexander Bokovoy2013-11-131-0/+3
| | | | | | | | When we get NT_STATUS_INVALID_PARAMETER in response to establish DCE RPC pipe with Kerberos, the most likely reason is clock skew. Suggest that it is so in the error message. https://fedorahosted.org/freeipa/ticket/4024
* Fix regression which prevents creating a winsync agreementAna Krivokapic2013-11-131-1/+2
| | | | | | | A regression, which prevented creation of a winsync agreement, was introduced in the original fix for ticket #3989. https://fedorahosted.org/freeipa/ticket/3989
* Server does not detect different server and IPA domainMartin Kosek2013-11-111-7/+11
| | | | | | | | | | | | | | Server installer does not properly recognize a situation when server fqdn is not in a subdomain of the IPA domain, but shares the same suffix. For example, if server FQDN is ipa-idm.example.com and domain is idm.example.com, server's FQDN is not in the main domain, but installer does not recognize that. proper Kerberos realm-domain mapping is not created in this case and server does not work (httpd reports gssapi errors). https://fedorahosted.org/freeipa/ticket/4012
* Turn LDAPEntry.single_value into a dictionary-like property.Jan Cholasta2013-11-059-47/+45
| | | | | | This change makes single_value consistent with the raw property. https://fedorahosted.org/freeipa/ticket/3521
* ipatests: Use command -v instead of which in legacy client adviceTomas Babej2013-11-011-2/+2
| | | | Part of: https://fedorahosted.org/freeipa/ticket/3833
* Remove legacy toDict and origDataDict methods of LDAPEntry.Jan Cholasta2013-10-312-6/+5
| | | | https://fedorahosted.org/freeipa/ticket/3521
* advice: Add legacy client configuration script using nss-ldapTomas Babej2013-10-311-1/+36
| | | | Part of: https://fedorahosted.org/freeipa/ticket/3833
* Track DS certificate with certmonger on replicas.Jan Cholasta2013-10-291-2/+9
| | | | https://fedorahosted.org/freeipa/ticket/3975
* Remove mod_ssl conflictMartin Kosek2013-10-251-5/+41
| | | | | | | | | | | Since mod_nss-1.0.8-24, mod_nss and mod_ssl can co-exist on one machine (of course, when listening to different ports). To make sure that mod_ssl is not configured to listen on 443 (default mod_ssl configuration), add a check to the installer checking of either mod_nss or mod_ssl was configured to listen on that port. https://fedorahosted.org/freeipa/ticket/3974
* Make set_directive and get_directive more strictMartin Kosek2013-10-251-2/+2
| | | | | | | | | | | When set_directive was used for directive "foo" and the word "foo" was detected anywhere on the line (e.g. in a comment, or in an example), it was overwritten which may potentially lead to wrong line being overwritten. Only match the directives on the beginning of the lines, it is safer. https://fedorahosted.org/freeipa/ticket/3974
* Make sure nsds5ReplicaStripAttrs is set on agreementsAna Krivokapic2013-10-251-2/+1
| | | | | | | Add nsds5ReplicaStripAttrs to the agreement LDAP entry before the agreement is created. https://fedorahosted.org/freeipa/ticket/3989
* Add ipa-advise plugins for nss-pam-ldapd legacy clientsAna Krivokapic2013-10-181-14/+198
| | | | | | | | | | | Add three new ipa-advise plugins, to facilitate configuration of legacy clients using nss-pam-ldapd: * config-redhat-nss-pam-ldapd * config-generic-linux-nss-pam-ldapd * config-freebsd-nss-pam-ldapd https://fedorahosted.org/freeipa/ticket/3672
* adtrustinstance: Move attribute definitions from setup to init methodTomas Babej2013-10-141-29/+49
| | | | | | | | | | | | | | | Majority of the attributes set in the setup method can be set in the __init__ method where they are actually defined (and set to None). This is true for attributes that hold constant values and for attributes that have their values derived from api.env dictionary. Creates a new __setup_default_attributes method, that is called from within __init__ and setup (in case the passed values for hostname or domain do not correspond to that what is set in api.env, doing otherwise could cause unexpected behaviour). Part of: https://fedorahosted.org/freeipa/ticket/3479
* adtrustinstance: Properly handle uninstall of AD trust instanceTomas Babej2013-10-141-14/+37
| | | | | | | | | | | | | | | | | | The uninstall method of the AD trust instance was not called upon at all in the ipa-server-install --uninstall phase. This patch makes sure that AD trust instance is unconfigured when the server is uninstalled. The following steps are undertaken: * Remove /var/run/samba/krb5cc_samba * Remove our keys from /etc/samba/samba.keytab using ipa-rmkeytab * Remove /var/lib/samba/*.tdb files Additionally, we make sure winbind service is stopped from within the stop() method. Part of: https://fedorahosted.org/freeipa/ticket/3479
* ipa-upgradeconfig: Remove backed up smb.confTomas Babej2013-10-141-9/+6
| | | | | | | | | | | Since we are not able to properly restore the Samba server to the working state after running ipa-adtrust-install, we should not keep the smb.conf in the fstore. This patch makes sure that any backed up smb.conf is removed from the backup and that this file is not backed up anymore. Part of: https://fedorahosted.org/freeipa/ticket/3479
* Use consistent realm name in cainstance and dsinstanceMartin Kosek2013-10-112-19/+18
| | | | | | | | The installers used custom self.realm_name instead of standard self.realm defined in Service class. It caused crashes in some cases when Service class methods expected the self.realm to be filled. https://fedorahosted.org/freeipa/ticket/3854
* PKI installation on replica failing due to missing proxy confMartin Kosek2013-10-111-1/+3
| | | | | | | | Proxy configuration was not detected correctly. Both ipa-pki-proxy.conf and ipa.conf need to be in place and httpd restarted to be able to check it's status. https://fedorahosted.org/freeipa/ticket/3964
* Remove --no-serial-autoincrementMartin Kosek2013-10-111-6/+1
| | | | | | | | Deprecate this option and do not offer it in installation tools. Without this option enabled, advanced DNS features like DNSSEC would not work. https://fedorahosted.org/freeipa/ticket/3962
* Do not fail upgrade if the global anonymous read ACI is not foundPetr Viktorin2013-10-041-2/+6
| | | | | | This helps forward compatibility: the anon ACI is scheduled for removal. https://fedorahosted.org/freeipa/ticket/3956
* Allow PKCS#12 files with empty password in install tools.Jan Cholasta2013-10-042-5/+5
| | | | https://fedorahosted.org/freeipa/ticket/3897
* Read passwords from stdin when importing PKCS#12 files with pk12util.Jan Cholasta2013-10-044-17/+17
| | | | | | | This works around pk12util refusing to use empty password files, which prevents the use of PKCS#12 files with empty password. https://fedorahosted.org/freeipa/ticket/3897
* trust: integrate subdomains support into trust-addAlexander Bokovoy2013-10-041-33/+47
|
* ipaserver/dcerpc: remove use of trust account authenticationAlexander Bokovoy2013-10-041-70/+6
| | | | | | | | Since FreeIPA KDC supports adding MS-PAC to HTTP/ipa.server principal, it is possible to use it when talking to the trusted AD DC. Remove support for authenticating as trust account because it should not really be used other than within Samba.
* trusts: support subdomains in a forestAlexander Bokovoy2013-10-041-0/+54
| | | | | | | | | | | | | | | | | | | Add IPA CLI to manage trust domains. ipa trust-fetch-domains <trust> -- fetch list of subdomains from AD side and add new ones to IPA ipa trustdomain-find <trust> -- show all available domains ipa trustdomain-del <trust> <domain> -- remove domain from IPA view about <trust> ipa trustdomain-enable <trust> <domain> -- allow users from trusted domain to access resources in IPA ipa trustdomain-disable <trust> <domain> -- disable access to resources in IPA from trusted domain By default all discovered trust domains are allowed to access IPA resources IPA KDC needs also information for authentication paths to subdomains in case they are not hierarchical under AD forest trust root. This information is managed via capaths section in krb5.conf. SSSD should be able to generate it once ticket https://fedorahosted.org/sssd/ticket/2093 is resolved. part of https://fedorahosted.org/freeipa/ticket/3909
* ipaserver/dcerpc.py: populate forest trust information using realmdomainsAlexander Bokovoy2013-10-041-18/+95
| | | | | | | | Use realmdomains information to prepopulate forest trust info. As result, all additional domains should now be enabled from the beginning, unless they really conflict with existing DNS domains on AD side. https://fedorahosted.org/freeipa/ticket/3919
* Use FQDN when creating MSDCS SRV recordsMartin Kosek2013-10-031-4/+11
| | | | | | | When IPA server hostname is outside of default DNS domain, instead of relative domain name, FQDN should be used. https://fedorahosted.org/freeipa/ticket/3908
* ipa-sam: do not modify objectclass when trust object already createdAlexander Bokovoy2013-09-201-0/+9
| | | | | | | | | | | When trust is established, last step done by IPA framework is to set encryption types associated with the trust. This operation fails due to ipa-sam attempting to modify object classes in trust object entry which is not allowed by ACI. Additionally, wrong handle was used by dcerpc.py code when executing SetInformationTrustedDomain() against IPA smbd which prevented even to reach the point where ipa-sam would be asked to modify the trust object.
* Do not show unexpected error in ipa-ldap-updaterAna Krivokapic2013-09-161-0/+2
| | | | | | | Prevent showing of unfriendly "Unexpected error" message, when providing incorrect DM password to ipa-ldap-updater. https://fedorahosted.org/freeipa/ticket/3825
* Fix nsslapdPlugin object class after initial replication.Jan Cholasta2013-09-102-11/+5
| | | | | | This is a workaround for <https://fedorahosted.org/389/ticket/47490>. https://fedorahosted.org/freeipa/ticket/3915
* Remove __all__ specifications in ipaclient and ipaserver.installPetr Viktorin2013-09-061-2/+0
| | | | | | | | | | | The __all__ list does not cause submodules to be imported, e.g. one would still have to `import ipaclient.ipachangeconf` rather than just `import ipaclient` to use `ipaclient.ipachangeconf`. Even if they did do anything, the lists were incomplete, and (since `import *` is not used on these modules) unnecessary. Pylint 1.0 reports undeclared names in __all__ as a warning.
* Create DS user and group during ipa-restoreAna Krivokapic2013-09-022-25/+53
| | | | | | | ipa-restore would fail if DS user did not exist. Check for presence of DS user and group and create them if needed. https://fedorahosted.org/freeipa/ticket/3856
* Log proper error message when defaultNamingContext not foundTomas Babej2013-08-291-1/+7
|
* Fix ipa-server-certinstall usage string.Jan Cholasta2013-08-281-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/3869
* Add --dirman-password option to ipa-server-certinstall.Jan Cholasta2013-08-281-4/+8
| | | | https://fedorahosted.org/freeipa/ticket/3869
* Fix nsSaslMapping object class before configuring SASL mappings.Jan Cholasta2013-08-271-0/+11
| | | | | | This is a workaround for <https://fedorahosted.org/389/ticket/47490>. https://fedorahosted.org/freeipa/ticket/3778
* Make CS.cfg edits with CA instance stoppedTomas Babej2013-08-262-37/+95
| | | | | | | | | | | This patch makes sure that all edits to CS.cfg configuration file are performed while pki-tomcatd service is stopped. Introduces a new contextmanager stopped_service for handling a general problem of performing a task that needs certain service being stopped. https://fedorahosted.org/freeipa/ticket/3804
* Perform dirsrv tuning at platform levelTomas Babej2013-08-261-51/+12
| | | | | | | | | | | | | | | | When configuring the 389 Directory Server instance, we tune it so that number of file descriptors available to the DS is increased from the default 1024 to 8192. There are platform specific steps that need to be conducted differently on systemd compatible platforms and sysV compatible platforms. systemd: set LimitNOFILE to 8192 in /etc/sysconfig/dirsrv.systemd sysV: set ulimit -n 8192 in /etc/sysconfig/dirsrv set ulimit - nofile 8192 in /etc/security/limits.conf https://fedorahosted.org/freeipa/ticket/3823
* Show human-readable error name in error dialog titlePetr Vobornik2013-08-261-1/+1
| | | | | | Fixes RPC server's JSON encoding of exception's name. It allows to show the name in Web UI's error dialog title.
* Remove redundant shebangsTomas Babej2013-08-265-7/+2
| | | | | | Remove redundant shebangs from files that are not used as scripts. https://fedorahosted.org/freeipa/ticket/3853
* Fix broken replica installationAna Krivokapic2013-08-201-4/+12
| | | | | | | Make sure the subject base parameter is correctly passed and used during the creation of the DS instance on a replica. https://fedorahosted.org/freeipa/ticket/3868
* Ask for PKCS#12 password interactively in ipa-server-certinstall.Jan Cholasta2013-08-201-3/+7
| | | | https://fedorahosted.org/freeipa/ticket/3641
* Add --pin option to ipa-server-certinstall.Jan Cholasta2013-08-201-10/+10
| | | | | | Hide the unnecessary --dirsrv_pin and --http_pin options. https://fedorahosted.org/freeipa/ticket/3869
* Untrack old and track new cert with certmonger in ipa-server-certinstall.Jan Cholasta2013-08-201-3/+12
| | | | https://fedorahosted.org/freeipa/ticket/3641
* Replace only the cert instead of the whole NSS DB in ipa-server-certinstall.Jan Cholasta2013-08-202-13/+23
| | | | https://fedorahosted.org/freeipa/ticket/3641
* Ignore empty mod error when updating DS SSL config in ipa-server-certinstall.Jan Cholasta2013-08-201-2/+5
| | | | https://fedorahosted.org/freeipa/ticket/3641
* Remove unused NSSDatabase and CertDB method find_root_cert_from_pkcs12.Jan Cholasta2013-08-201-44/+0
| | | | https://fedorahosted.org/freeipa/ticket/3641
* Port ipa-server-certinstall to the admintool framework.Jan Cholasta2013-08-201-0/+154
| | | | | | | Change the log file path from /var/log/ipa/default.log to admintool's default path. https://fedorahosted.org/freeipa/ticket/3641
generated by cgit (git 2.34.1) at 2025-09-05 03:05:18 +0000