freeipa.git/ipapython, branch WIP

Configure certmonger to execute restart scripts on renewal.

2012-04-10T05:08:41+00:00

certmonger now has the ability to execute a script when it renews a
certificate. This can be used to automatically restart servers so
the certificate doesn't expire in the running server.

https://fedorahosted.org/freeipa/ticket/2050

Parse zone indices in IPv6 addresses in CheckedIPAddress.

2012-03-27T10:03:16+00:00

If a zone index is present in an IPv6 address, it is ignored.

ticket 2138

Wait for child process to terminate after receiving SIGINT in ipautil.run.

2012-03-23T09:53:02+00:00

Do cleanup on KeyboardInterrupt rather than in custom SIGINT handler in
ipa-replica-conncheck.

https://fedorahosted.org/freeipa/ticket/2127

Fix NSS no_init in the NSSHTTPS class

2012-03-05T01:03:21+00:00

Do kinit in client before connecting to backend

2012-03-04T22:23:01+00:00

The client installer was failing because a backend connection could be
created before a kinit was done.

Allow multiple simultaneous connections. This could fail with an NSS
shutdown error when the second connection was created (objects still
in use). If all connections currently use the same database then there
is no need to initialize, let it be skipped.

Add additional logging to client installer.

https://fedorahosted.org/freeipa/ticket/2478

Add support defaultNamingContext and add --basedn to migrate-ds

2012-02-29T14:28:13+00:00

There are two sides to this, the server and client side.

On the server side we attempt to add a defaultNamingContext on already
installed servers. This will fail on older 389-ds instances but the
failure is not fatal. New installations on versions of 389-ds that
support this attribute will have it already defined.

On the client side we need to look for both defaultNamingContext and
namingContexts. We still need to check that the defaultNamingContext
is an IPA server (info=IPAV2).

The migration change also takes advantage of this and adds a new
option which allows one to provide a basedn to use instead of trying
to detect it.

https://fedorahosted.org/freeipa/ticket/1919
https://fedorahosted.org/freeipa/ticket/2314

Make sure the nolog argument to ipautil.run is not a bare string

2012-02-27T04:26:54+00:00

ipautil.run expects a tuple of passwords for nolog; passing a
single string causes all individual letters from that string to
be replaced by Xes.

This fixes such a call, and adds a sanity check to ipautil.run
that prevents lone strings from being used in nolog.

https://fedorahosted.org/freeipa/ticket/2419

Don't run restorecon if SELinux is disabled or not present.

2012-02-27T16:37:08+00:00

Also check for the existence of restorecon. This may be overkill but
it will prevent a client installation from failing for no good reason.

https://fedorahosted.org/freeipa/ticket/2368

Sanitize UDP checks in conncheck

2012-02-26T23:08:59+00:00

UDP port checks in ipa-replica-conncheck always returns OK even
if they are closed by a firewall. They cannot be reliably checked
in the same way as TCP ports as there is no session management as
in TCP protocol. We cannot guarantee a response on the checked
side without our own echo server bound to checked port.

This patch removes UDP port checks in replica->master direction
as we would have to implement (kerberos) protocol-wise check
to make the other side actually respond. A list of skipped
ports is printed for user.

Direction master->replica was fixed and now it is able to report
error when the port is blocked.

https://fedorahosted.org/freeipa/ticket/2062

Remove unused kpasswd.keytab and ldappwd files if they exist.

2012-02-27T13:48:26+00:00

These were used by ipa_kpasswd and krb5-server-ldap respectivily.

https://fedorahosted.org/freeipa/ticket/2397