| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
| |
Add support for Realm Domains to web UI.
https://fedorahosted.org/freeipa/ticket/3407
|
| |
|
|
|
|
|
|
|
|
|
| |
DNs represented as strings and passed via --setattr or --addattr
are no longer implicitly converted to DN type. This solves various
errors associated with this behaviour, see tickets below.
Unit tests added.
https://fedorahosted.org/freeipa/ticket/3348
https://fedorahosted.org/freeipa/ticket/3349
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3464
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Both now enforce the following checks:
- dom_sid and secondary_rid_base cannot be used together
- rid_base must be used together if dom_rid is set
- secondary_rid_base and rid_base must be used together
if dom_rid is not set
Unit test for third check has been added.
http://fedorahosted.org/freeipa/ticket/3170
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The API version the client sends can now be used to check what the client
expects or is capable of.
All version tests IPA does will be be named and listed in one module,
ipalib.capabilities, which includes a function to test a specific capability
against an API version.
Similarly to Python's __future__ module, capabilities.py also serves as
documentation of backwards-incompatible changes to the API.
The first capability to be defined is "messages". Recent enough clients can
accept a list of warnings or other info under the "messages" key in the
result dict.
If a JSON client does not send the API version, it is assumed this is a testing
client (e.g. curl from the command line). Such a client "has" all capabilities,
but it will always receive a warning mentioning that forward compatibility
is not guaranteed.
If a XML client does not send the API version, it is assumed it uses the API
version before capabilities were introduced. (This is to keep backwards
compatibility with clients containing bug https://fedorahosted.org/freeipa/ticket/3294)
Whenever a capability is added, the API version must be incremented.
To ensure that, capabilities are written to API.txt and checked by
`makeapi --validate`.
Design page: http://freeipa.org/page/V3/Messages
Ticket: https://fedorahosted.org/freeipa/ticket/2732
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Several Commands were missing the 'version' option. Add it to those
that were missing it.
Do not remove the version option before calling commands. This means
methods such as execute(), forward(), run() receive it.
Several of these needed `**options` added to their signatures.
Commands in the Cert plugin passed any unknown options to the underlying
functions, these are changed to pass what's needed explicitly.
Some commands in DNS and Batch plugins now pass version to commands
they call.
When the option is not given, fill it in automatically. (In a subsequent
commit, a warning will be added in this case).
Note that the public API did not change: all RPC calls already accepted
a version option. There's no need for an API version bump (even though
API.txt changes substantially).
Design page: http://freeipa.org/page/V3/Messages
Tickets:
https://fedorahosted.org/freeipa/ticket/2732
https://fedorahosted.org/freeipa/ticket/3294
|
| |
|
|
|
|
|
|
|
|
| |
Random domain name may bring undererministic behavior. It also breaks
the test on some systems as string.lowercase is locale dependent and
can return non-ASCII letters and thus later break the unicode encoding
and raise UnicodeDecodeError.
Use a fixed domain in "test" TLD instead. This domain is guaranteed to
be not existent.
|
| |
|
|
| |
Tests included.
|
| |
|
|
|
|
|
|
|
| |
Since sudo commands are case-sensitive, we can't use 'sudocmd'
as the RDN.
Tests for case-sensitive behavior included
https://fedorahosted.org/freeipa/ticket/2482
|
| |
|
|
|
|
|
|
| |
The name of any protected group now cannot be changed by modifing
the cn attribute using --setattr. Unit tests have been added to
make sure there is no regression.
https://fedorahosted.org/freeipa/ticket/3354
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use a new RESTful API provided by dogtag 10+. Construct an XML document
representing the search request. The output is limited to whatever dogtag
sends us, there is no way to request additional attributes other than
to read each certificate individually.
dogtag uses a boolean for each search term to indicate that it is used.
Presense of the search item is not enough, both need to be set.
The search operation is unauthenticated
Design page: http://freeipa.org/page/V3/Cert_find
https://fedorahosted.org/freeipa/ticket/2528
|
| |
|
|
|
|
|
|
|
| |
Add new LDAP container to store the list of domains associated with IPA realm.
Add two new ipa commands (ipa realmdomains-show and ipa realmdomains-mod) to allow
manipulation of the list of realm domains.
Unit test file covering these new commands was added.
https://fedorahosted.org/freeipa/ticket/2945
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Global trust configuration is generated ipa-adtrust-install script
is run. Add convenience commands to show auto-generated options
like SID or GUID or options chosen by user (NetBIOS). Most of these
options are not modifiable via trustconfig-mod command as it would
break current trusts.
Unit test file covering these new commands was added.
https://fedorahosted.org/freeipa/ticket/3333
|
| |
|
|
|
| |
Remove extraneous memberindirect_role attribute from permission_find
unit test to avoid false negative test result.
|
| |
|
|
|
|
|
|
| |
Target Group parameter was not processed correctly which caused
permission-find to always crash when this search parameter was used.
Fix the crash and create a unit test case to avoid future regression.
https://fedorahosted.org/freeipa/ticket/3335
|
| |
|
|
|
|
|
|
| |
A wrong way of handling --group DN object caused Internal Error
for this command. Fix that and also provide unit tests to avoid
another regression.
https://fedorahosted.org/freeipa/ticket/3311
|
| |
|
|
|
|
|
|
|
| |
Creating an id range with overlapping primary and secondary
rid range using idrange-add or idrange-mod command now
raises ValidationError. Unit tests have been added to
test_range_plugin.py.
https://fedorahosted.org/freeipa/ticket/3171
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The password and modrdn plugins needed to be made transaction aware
for the pre and post operations.
Remove the reverse member hoop jumping. Just fetch the entry once
and all the memberof data is there (plus objectclass).
Fix some unit tests that are failing because we actually get the data
now due to transactions.
Add small bit of code in user plugin to retrieve the user again
ala wait_for_attr but in the case of transactions we need do it only
once.
Deprecate wait_for_attr code.
Add a memberof fixup task for roles.
https://fedorahosted.org/freeipa/ticket/1263
https://fedorahosted.org/freeipa/ticket/1891
https://fedorahosted.org/freeipa/ticket/2056
https://fedorahosted.org/freeipa/ticket/3043
https://fedorahosted.org/freeipa/ticket/3191
https://fedorahosted.org/freeipa/ticket/3046
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Nameserver hostname passed to dnszone_add command was always treated
as FQDN even though it was a relative DNS name to the new zone. All
relative names were being rejected as unresolvable.
Modify --name-server option processing in dnszone_add and dnszone_mod
to respect FQDN/relative DNS name and do the checks accordingly. With
this change, user can add a new zone "example.com" and let dnszone_add
to create NS record "ns" in it, when supplied with its IP address. IP
address check is more strict so that it is not entered when no forward
record is created. Places misusing the option were fixed.
Nameserver option now also accepts zone name, which means that NS and A
record is placed to DNS zone itself. Also "@" is accepted as a nameserver
name, BIND understand it also as a zone name. As a side-effect of this
change, other records with hostname part (MX, KX, NS, SRV) accept "@"
as valid hostname. BIND replaces it with respective zone name as well.
Unit tests were updated to test the new format.
https://fedorahosted.org/freeipa/ticket/3204
|
| |
|
|
|
|
|
|
|
|
|
| |
Commands ipa idrange-add / idrange-mod no longer allows the user
to enter primary or secondary rid range such that has non-zero
intersection with primary or secondary rid range of another
existing id range, as this could cause collision.
Unit tests added to test_range_plugin.py
https://fedorahosted.org/freeipa/ticket/3086
|
| |
|
|
|
|
|
|
| |
Group-mod command no longer allows --rename and/or --external
changes made to the admins group. In such cases, ProtectedEntryError
is being raised.
https://fedorahosted.org/freeipa/ticket/3098
|
| |
|
|
|
|
|
|
|
|
| |
On adding new user, user-add tries to make it a member of default
user group. This, however, can raise AlreadyGroupMember when the
user is already member of this group due to automember rule or
default group configured. This patch makes sure AlreadyGroupMember
exception is caught in such cases.
https://fedorahosted.org/freeipa/ticket/3097
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
PAC type (ipakrbauthzdata attribute) was being filled for all new
service automatically. However, the PAC type attribute was designed
to serve only as an override to default PAC type configured in
IPA config. With PAC type set in all services, users would have
to update all services to get new PAC types configured in IPA config.
Do not set PAC type for new services. Add new NONE value meaning that
we do not want any PAC for the service (empty/missing attribute means
that the default PAC type list from IPA config is read).
https://fedorahosted.org/freeipa/ticket/2184
|
| |
|
|
|
|
|
|
| |
config-mod is capable of changing default SELinux user map order
and a default SELinux user. Validate the new config values to
prevent bogus default SELinux users to be assigned to IPA users.
https://fedorahosted.org/freeipa/ticket/2993
|
| |
|
|
|
|
|
|
| |
When there were no updated attrs when modifying a nonexistent DNS record,
the error was not handled and caused an internal server error later (old_entry
was used uninitialized).
https://fedorahosted.org/freeipa/ticket/3055
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When a new reverse zone is to be generated based on an IP address without
a network prefix length, we need to use some default value. While netaddr
library default ones (32b for IPv4 and 128b for IPv6) are not very sensible
we should use the defaults already applied in installers. That is 24b for
IPv6 and 64 for IPv6.
Test case has been added to cover the new default.
https://fedorahosted.org/freeipa/ticket/2461
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3089
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Many attributes in IPA (e.g. manager, memberuser, managedby, ...)
are used to store DNs of linked objects in IPA (users, hosts, sudo
commands, etc.). However, when the linked objects is deleted or
renamed, the attribute pointing to it stays with the objects and
thus may create a dangling link causing issues in client software
reading the data.
Directory Server has a plugin to enforce referential integrity (RI)
by checking DEL and MODRDN operations and updating affected links.
It was already used for manager and secretary attributes and
should be expanded for the missing attributes to avoid dangling
links.
As a prerequisite, all attributes checked for RI must have pres
and eq indexes to avoid performance issues. Thus, the following
indexes are added:
* manager (pres index only)
* secretary (pres index only)
* memberHost
* memberUser
* sourcehost
* memberservice
* managedby
* memberallowcmd
* memberdenycmd
* ipasudorunas
* ipasudorunasgroup
Referential Integrity plugin is updated to enforce RI for all these
attributes. Unit tests covering RI checks for all these attributes
were added as well.
Note: this update will only fix RI on one master as RI plugin does
not check replicated operations.
https://fedorahosted.org/freeipa/ticket/2866
|
| |
|
|
|
|
|
|
|
|
|
| |
When ADD command is being executed and a single-value object attribute
is being set with both option and addattr IPA ends up in an internal
error.
Make better value sanitizing job in this case and let IPA throw
a user-friendly error. Unit test exercising this situation is added.
https://fedorahosted.org/freeipa/ticket/2429
|
| |
|
|
|
|
|
|
|
| |
Both selinuxusermap-add and selinuxusermap-mod commands now behave
consistently in not allowing user/host category or user/host members
and HBAC rule being set at the same time. Also adds a bunch of unit
tests that check this behaviour.
https://fedorahosted.org/freeipa/ticket/2983
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Public keys in the old format (raw RFC 4253 blob) are automatically
converted to OpenSSH-style public keys. OpenSSH-style public keys are now
stored in LDAP.
Changed sshpubkeyfp to be an output parameter, as that is what it actually
is.
Allow parameter normalizers to be used on values of any type, not just
unicode, so that public key blobs (which are str) can be normalized to
OpenSSH-style public keys.
ticket 2932, 2935
|
| | |
|
| |
|
|
|
| |
localhost and localnets ACIs are now allowed. Update the respective
unit test.
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/2810
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
range_mod and range_del command could easily create objects with
ID which is suddenly out of specified range. This could cause issues
in trust scenarios where range objects are used for computation of
remote IDs.
Add validator for both commands to check if there is any object with
ID in the range which would become out-of-range as a pre_callback.
Also add unit tests testing this new validator.
https://fedorahosted.org/freeipa/ticket/2919
|
| |
|
|
|
|
|
| |
Set correct boundaries for DNS SOA serial parameters (see RFC 1035,
2181).
https://fedorahosted.org/freeipa/ticket/2568
|
| |
|
|
|
|
|
|
| |
Password policies in pwpolicy-find are now sorted in the expected
numerical manner. Also tweaks one of the unit tests so that it
tests this behaviour.
https://fedorahosted.org/freeipa/ticket/3039
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Currently, we throw many public exceptions without proper i18n.
Wrap natural-language error messages in _() so they can be translated.
In the service plugin, raise NotFound errors using handle_not_found helper
so the error message contains the offending service.
Use ScriptError instead of NotFoundError in bindinstance install.
https://fedorahosted.org/freeipa/ticket/1953
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We prevent the last member of the admin group from being deleted. The
same check needs to be performed when disabling a user.
* Moved the code in del_user to the common subroutine
check_protected_member() and call it from both user_del and
user_disable. Note, unlike user_del user_disable does not have a
'pre' callback therefore the check function is called in
user_disable's execute routine.
* Make check_protected_member() aware of disabled members. It's not
sufficient to check which members of the protected group are
present, one must only consider those members which are enabled.
* Add tests to test_user_plugin.py.
- verify you cannot delete nor disable the last member of the admin
group
- verify when the admin group contains disabled users in addition to
enabled users only the enabled users are considered when
determining if the last admin is about to be disabled or deleted.
* Replace duplicated hardcoded values in the tests with variables or
subroutines, this makes the individual tests a bit more succinct and
easier to copy/modify.
* Update error msg to reflect either deleting or disabling is an error.
https://fedorahosted.org/freeipa/ticket/2979
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The manager LDAP attribute is a dn pointing inside the user
container. When passed on the command it is typically a bare user
uid. The search filter will only succeed if the bare uid is converted
to a full dn because that is what is stored in the value for the
manager attribute.
The search failure is solved by calling _normalize_manager() which
does the conversion to a dn (if not already a dn).
It feels like this type of conversion should be performed in the pre
callback which allows one to modify the filter. But when the pre
callback is invoked it's complex string with the manager attribute
already inserted. This is because the LDAPSearch.execute() method
processes the options dict and constructs a filter component for each
key/value in the options dict prior to invoking the pre callback. If
we wanted to modify the manager value in the filter in the pre
callback we would have to decompose the filter string, perform dn
checking and then reassemble the filter. It's much cleaner to perform
the dn operations on the manager value before it gets embedded into
what otherwise might be a very complex filter. This is the reason why
the normalization is perfored in the execute method as opposed to the
pre callback. Other classes do similar things in their execute methods
as opposed to their callbacks's, selinuxusermap_find is one example.
Patch also introduces new unit test to verify.
https://fedorahosted.org/freeipa/ticket/2264
|
| |
|
|
|
|
|
| |
Both commands now produce the same output regarding
the attributelevelrights.
https://fedorahosted.org/freeipa/ticket/2875
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3001
|
| |
|
|
|
|
| |
The MLS was optional in the format, it should be required.
https://fedorahosted.org/freeipa/ticket/2984
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Convert every string specifying a DN into a DN object
* Every place a dn was manipulated in some fashion it was replaced by
the use of DN operators
* Add new DNParam parameter type for parameters which are DN's
* DN objects are used 100% of the time throughout the entire data
pipeline whenever something is logically a dn.
* Many classes now enforce DN usage for their attributes which are
dn's. This is implmented via ipautil.dn_attribute_property(). The
only permitted types for a class attribute specified to be a DN are
either None or a DN object.
* Require that every place a dn is used it must be a DN object.
This translates into lot of::
assert isinstance(dn, DN)
sprinkled through out the code. Maintaining these asserts is
valuable to preserve DN type enforcement. The asserts can be
disabled in production.
The goal of 100% DN usage 100% of the time has been realized, these
asserts are meant to preserve that.
The asserts also proved valuable in detecting functions which did
not obey their function signatures, such as the baseldap pre and
post callbacks.
* Moved ipalib.dn to ipapython.dn because DN class is shared with all
components, not just the server which uses ipalib.
* All API's now accept DN's natively, no need to convert to str (or
unicode).
* Removed ipalib.encoder and encode/decode decorators. Type conversion
is now explicitly performed in each IPASimpleLDAPObject method which
emulates a ldap.SimpleLDAPObject method.
* Entity & Entry classes now utilize DN's
* Removed __getattr__ in Entity & Entity clases. There were two
problems with it. It presented synthetic Python object attributes
based on the current LDAP data it contained. There is no way to
validate synthetic attributes using code checkers, you can't search
the code to find LDAP attribute accesses (because synthetic
attriutes look like Python attributes instead of LDAP data) and
error handling is circumscribed. Secondly __getattr__ was hiding
Python internal methods which broke class semantics.
* Replace use of methods inherited from ldap.SimpleLDAPObject via
IPAdmin class with IPAdmin methods. Directly using inherited methods
was causing us to bypass IPA logic. Mostly this meant replacing the
use of search_s() with getEntry() or getList(). Similarly direct
access of the LDAP data in classes using IPAdmin were replaced with
calls to getValue() or getValues().
* Objects returned by ldap2.find_entries() are now compatible with
either the python-ldap access methodology or the Entity/Entry access
methodology.
* All ldap operations now funnel through the common
IPASimpleLDAPObject giving us a single location where we interface
to python-ldap and perform conversions.
* The above 4 modifications means we've greatly reduced the
proliferation of multiple inconsistent ways to perform LDAP
operations. We are well on the way to having a single API in IPA for
doing LDAP (a long range goal).
* All certificate subject bases are now DN's
* DN objects were enhanced thusly:
- find, rfind, index, rindex, replace and insert methods were added
- AVA, RDN and DN classes were refactored in immutable and mutable
variants, the mutable variants are EditableAVA, EditableRDN and
EditableDN. By default we use the immutable variants preserving
important semantics. To edit a DN cast it to an EditableDN and
cast it back to DN when done editing. These issues are fully
described in other documentation.
- first_key_match was removed
- DN equalty comparison permits comparison to a basestring
* Fixed ldapupdate to work with DN's. This work included:
- Enhance test_updates.py to do more checking after applying
update. Add test for update_from_dict(). Convert code to use
unittest classes.
- Consolidated duplicate code.
- Moved code which should have been in the class into the class.
- Fix the handling of the 'deleteentry' update action. It's no longer
necessary to supply fake attributes to make it work. Detect case
where subsequent update applies a change to entry previously marked
for deletetion. General clean-up and simplification of the
'deleteentry' logic.
- Rewrote a couple of functions to be clearer and more Pythonic.
- Added documentation on the data structure being used.
- Simplfy the use of update_from_dict()
* Removed all usage of get_schema() which was being called prior to
accessing the .schema attribute of an object. If a class is using
internal lazy loading as an optimization it's not right to require
users of the interface to be aware of internal
optimization's. schema is now a property and when the schema
property is accessed it calls a private internal method to perform
the lazy loading.
* Added SchemaCache class to cache the schema's from individual
servers. This was done because of the observation we talk to
different LDAP servers, each of which may have it's own
schema. Previously we globally cached the schema from the first
server we connected to and returned that schema in all contexts. The
cache includes controls to invalidate it thus forcing a schema
refresh.
* Schema caching is now senstive to the run time context. During
install and upgrade the schema can change leading to errors due to
out-of-date cached schema. The schema cache is refreshed in these
contexts.
* We are aware of the LDAP syntax of all LDAP attributes. Every
attribute returned from an LDAP operation is passed through a
central table look-up based on it's LDAP syntax. The table key is
the LDAP syntax it's value is a Python callable that returns a
Python object matching the LDAP syntax. There are a handful of LDAP
attributes whose syntax is historically incorrect
(e.g. DistguishedNames that are defined as DirectoryStrings). The
table driven conversion mechanism is augmented with a table of
hard coded exceptions.
Currently only the following conversions occur via the table:
- dn's are converted to DN objects
- binary objects are converted to Python str objects (IPA
convention).
- everything else is converted to unicode using UTF-8 decoding (IPA
convention).
However, now that the table driven conversion mechanism is in place
it would be trivial to do things such as converting attributes
which have LDAP integer syntax into a Python integer, etc.
* Expected values in the unit tests which are a DN no longer need to
use lambda expressions to promote the returned value to a DN for
equality comparison. The return value is automatically promoted to
a DN. The lambda expressions have been removed making the code much
simpler and easier to read.
* Add class level logging to a number of classes which did not support
logging, less need for use of root_logger.
* Remove ipaserver/conn.py, it was unused.
* Consolidated duplicate code wherever it was found.
* Fixed many places that used string concatenation to form a new
string rather than string formatting operators. This is necessary
because string formatting converts it's arguments to a string prior
to building the result string. You can't concatenate a string and a
non-string.
* Simplify logic in rename_managed plugin. Use DN operators to edit
dn's.
* The live version of ipa-ldap-updater did not generate a log file.
The offline version did, now both do.
https://fedorahosted.org/freeipa/ticket/1670
https://fedorahosted.org/freeipa/ticket/1671
https://fedorahosted.org/freeipa/ticket/1672
https://fedorahosted.org/freeipa/ticket/1673
https://fedorahosted.org/freeipa/ticket/1674
https://fedorahosted.org/freeipa/ticket/1392
https://fedorahosted.org/freeipa/ticket/2872
|
| |
|
|
|
|
|
|
| |
If the executable ipa-client/ipa-join is not found, the relevant
tests are skipped. Implemented in setUpClass() method, also moved
the mkstemp() call there.
https://fedorahosted.org/freeipa/ticket/2905
|
| |
|
|
|
|
|
| |
This fixes --addattr on single value attributes in add commands and --delattr
on non-unicode attributes in mod commands.
ticket 2954
|
| |
|
|
|
|
| |
Create a per-service default as well.
https://fedorahosted.org/freeipa/ticket/2184
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
We need to compare two values and need to be aware of where those
values are coming from. They may come from options, setattr or
existing config. The format of that data is going to be different
depending on its source (always a list internally).
One may also set both at the same time so a standard validator cannot
be used because it lacks the context of the other value being set.
https://fedorahosted.org/freeipa/ticket/2938
https://fedorahosted.org/freeipa/ticket/2940
|
| |
|
|
|
|
|
|
|
|
| |
RFC 1912 states that no record (besides PTR) is allowed to coexist
with any other record type. When BIND detects this situation, it
refuses to load such records.
Enforce the constrain for dnsrecord-mod and dnsrecord-add commands.
https://fedorahosted.org/freeipa/ticket/2601
|
| |
|
|
|
|
|
|
|
|
|
| |
range plugin was missing range-mod command that could be used for
example to fix a size for a range generated during upgrades. The
range should be updated with a caution though, a misconfiguration
could break trusts.
iparangetype is now also handled better and filled in all commands
instead of just range-show. objectclass attribute is deleted only
when really needed now.
|
