freeipa.git/install/updates, branch WIP Unnamed repository; edit this file 'description' to name the repository. Perform case-insensitive searches for principals on TGS requests 2012-04-30T15:26:24+00:00 Alexander Bokovoy abokovoy@redhat.com 2012-03-26T11:23:42+00:00 3c8876c3587c86de9684afe882965d40f1c75847 We want to always resolve TGS requests even if the user mistakenly sends a request for a service ticket where the fqdn part contain upper case letters. The actual implementation follows hints set by KDC. When AP_REQ is done, KDC sets KRB5_FLAG_ALIAS_OK and we obey it when looking for principals on TGS requests. https://fedorahosted.org/freeipa/ticket/1577 
We want to always resolve TGS requests even if the user mistakenly sends a
request for a service ticket where the fqdn part contain upper case letters.

The actual implementation follows hints set by KDC. When AP_REQ is done, KDC
sets KRB5_FLAG_ALIAS_OK and we obey it when looking for principals on TGS requests.

https://fedorahosted.org/freeipa/ticket/1577
Return consistent value when hostcat and usercat is all. 2012-04-08T20:54:32+00:00 Rob Crittenden rcritten@redhat.com 2012-04-05T14:03:04+00:00 7471ba22370626b26413c0f861c4ebb4a7128948 We were returning '' for the first entry when hostcat and usercat were set to all. All subsequent entries were padded with - which effectively denied access. This requires slapi-nis 0.40+ https://fedorahosted.org/freeipa/ticket/2192 
We were returning '' for the first entry when hostcat and usercat were
set to all. All subsequent entries were padded with - which effectively
denied access.

This requires slapi-nis 0.40+

https://fedorahosted.org/freeipa/ticket/2192
Amend permissions for new DNS attributes 2012-03-26T03:58:24+00:00 Martin Kosek mkosek@redhat.com 2012-03-14T09:38:33+00:00 b944ad44b5ac66a253b28613cf0b722c4d4ad444 New features in bind-dyndb-ldap and IPA DNS plugin pulled new attributes and objectclasses. ACIs and permissions need to be updated to allow users with appropriate permissions update these attributes in LDAP. This patch updates the ACI for DNS record updates and adds one new permission to update global DNS configuration. https://fedorahosted.org/freeipa/ticket/2510 
New features in bind-dyndb-ldap and IPA DNS plugin pulled new
attributes and objectclasses. ACIs and permissions need to be
updated to allow users with appropriate permissions update
these attributes in LDAP.

This patch updates the ACI for DNS record updates and adds one
new permission to update global DNS configuration.

https://fedorahosted.org/freeipa/ticket/2510
Set nsslapd-minssf-exclude-rootdse to on so the DSE is always available. 2012-03-26T12:26:10+00:00 Rob Crittenden rcritten@redhat.com 2012-03-22T21:19:01+00:00 a735420a9ba3d507855a75a1a48f79a2358c7081 If minssf is set in configuration and this is not set then clients won't be able to detect the available namingContexts, defaultNamingContext, capabilities, etc. https://fedorahosted.org/freeipa/ticket/2542 
If minssf is set in configuration and this is not set then clients won't
be able to detect the available namingContexts, defaultNamingContext,
capabilities, etc.

https://fedorahosted.org/freeipa/ticket/2542
Fix nsslapd-anonlimitsdn dn in cn=config 2012-03-13T07:34:07+00:00 Rob Crittenden rcritten@redhat.com 2012-03-07T22:59:19+00:00 f5e5bf8f82ba2051ace5fc5f29d7bf25631e0a2c The dn value needs to be quoted otherwise it is interpreted to be a multi-value. This will replace whatever value is currently set. https://fedorahosted.org/freeipa/ticket/2452 
The dn value needs to be quoted otherwise it is interpreted to be a
multi-value.

This will replace whatever value is currently set.

https://fedorahosted.org/freeipa/ticket/2452
Add support for sudoOrder 2012-03-02T02:02:33+00:00 Rob Crittenden rcritten@redhat.com 2012-03-01T19:02:28+00:00 d55d8bfa7ed1d3617274c9f53974e7bf5209cc4e Update ipaSudoRule objectClass on upgrades to add new attributes. Ensure uniqueness of sudoOrder in rules. The attributes sudoNotBefore and sudoNotAfter are being added to schema but not as Params. https://fedorahosted.org/freeipa/ticket/1314 
Update ipaSudoRule objectClass on upgrades to add new attributes.
Ensure uniqueness of sudoOrder in rules.

The attributes sudoNotBefore and sudoNotAfter are being added to
schema but not as Params.

https://fedorahosted.org/freeipa/ticket/1314
Fix nested netgroups in NIS. 2012-02-29T15:01:58+00:00 Rob Crittenden rcritten@redhat.com 2012-02-29T02:50:15+00:00 c48d34fa433e9472d196b0258cac16934a1dae48 We originally designed netgroups to use a special membership attribute, memberNisNetgroup. We changed it at implementation time but never updated the mapping. https://fedorahosted.org/freeipa/ticket/2359 
We originally designed netgroups to use a special membership attribute,
memberNisNetgroup. We changed it at implementation time but never updated
the mapping.

https://fedorahosted.org/freeipa/ticket/2359
Add support defaultNamingContext and add --basedn to migrate-ds 2012-02-29T14:28:13+00:00 Rob Crittenden rcritten@redhat.com 2012-01-30T21:29:32+00:00 e889b82599ddd939ed2a65b0011d5807c587cf05 There are two sides to this, the server and client side. On the server side we attempt to add a defaultNamingContext on already installed servers. This will fail on older 389-ds instances but the failure is not fatal. New installations on versions of 389-ds that support this attribute will have it already defined. On the client side we need to look for both defaultNamingContext and namingContexts. We still need to check that the defaultNamingContext is an IPA server (info=IPAV2). The migration change also takes advantage of this and adds a new option which allows one to provide a basedn to use instead of trying to detect it. https://fedorahosted.org/freeipa/ticket/1919 https://fedorahosted.org/freeipa/ticket/2314 
There are two sides to this, the server and client side.

On the server side we attempt to add a defaultNamingContext on already
installed servers. This will fail on older 389-ds instances but the
failure is not fatal. New installations on versions of 389-ds that
support this attribute will have it already defined.

On the client side we need to look for both defaultNamingContext and
namingContexts. We still need to check that the defaultNamingContext
is an IPA server (info=IPAV2).

The migration change also takes advantage of this and adds a new
option which allows one to provide a basedn to use instead of trying
to detect it.

https://fedorahosted.org/freeipa/ticket/1919
https://fedorahosted.org/freeipa/ticket/2314
Global DNS options 2012-02-24T08:40:40+00:00 Martin Kosek mkosek@redhat.com 2012-02-10T11:54:49+00:00 2cf58937615c28527d1c78f883dad8726331c6df Implement API for DNS global options supported in bind-dyndb-ldap. Currently, global DNS option overrides any relevant option in named.conf. Thus they are not filled by default they are left as a possibility for a user. Bool encoding had to be fixed so that Bool LDAP attribute can also be deleted and not just set to True or False. https://fedorahosted.org/freeipa/ticket/2216 
Implement API for DNS global options supported in bind-dyndb-ldap.
Currently, global DNS option overrides any relevant option in
named.conf. Thus they are not filled by default they are left as
a possibility for a user.

Bool encoding had to be fixed so that Bool LDAP attribute can also
be deleted and not just set to True or False.

https://fedorahosted.org/freeipa/ticket/2216
Update schema for bind-dyndb-ldap 2012-02-24T08:40:36+00:00 Martin Kosek mkosek@redhat.com 2012-02-24T08:35:12+00:00 1816643a43802ca2a353930cb2bbb2781b39c80f Add new attributes and objectclasses to support new features: - global bind-dyndb-ldap settings in LDAP - conditional per-zone forwarding - per-zone configuration of automatic PTR updates - AllowQuery and AllowTransfer ACIs https://fedorahosted.org/freeipa/ticket/2215 https://fedorahosted.org/freeipa/ticket/2072 
Add new attributes and objectclasses to support new features:
  - global bind-dyndb-ldap settings in LDAP
  - conditional per-zone forwarding
  - per-zone configuration of automatic PTR updates
  - AllowQuery and AllowTransfer ACIs

https://fedorahosted.org/freeipa/ticket/2215
https://fedorahosted.org/freeipa/ticket/2072