freeipa.git/ipaserver, branch WIP

Fix for adtrustinstance

2012-05-08T12:27:06+00:00

Perform case-insensitive searches for principals on TGS requests

2012-04-30T15:26:24+00:00

We want to always resolve TGS requests even if the user mistakenly sends a
request for a service ticket where the fqdn part contain upper case letters.

The actual implementation follows hints set by KDC. When AP_REQ is done, KDC
sets KRB5_FLAG_ALIAS_OK and we obey it when looking for principals on TGS requests.

https://fedorahosted.org/freeipa/ticket/1577

Use a dedicated keytab for samba

2012-04-30T15:26:24+00:00

Fixes https://fedorahosted.org/freeipa/ticket/2168

Use mixed-case for Read DNS Entries permission

2012-04-23T08:00:40+00:00

https://fedorahosted.org/freeipa/ticket/2569

Raise proper exception when LDAP limits are exceeded

2012-04-17T03:23:57+00:00

ldap2 plugin returns NotFound error for find_entries/get_entry
queries when the server did not manage to return an entry
due to time limits. This may be confusing for user when the
entry he searches actually exists.

This patch fixes the behavior in ldap2 plugin to
1) Return even a zero search results + truncated bool set in
   ldap2.find_entries
2) Raise LimitsExceeded in ldap2.get_entry and
   ldap2.find_entry_by_attr instead of NotFound error

This changed several assumptions about ldap2.find_entries
results. Several calls accross IPA code base had to be
amended.

https://fedorahosted.org/freeipa/ticket/2606

Return consistent expiration message for forms-based login

2012-04-17T01:53:01+00:00

We need to inform users when a forms-based login fails due to the
password needing to be reset. Currently there is no way to distinguish
a reset case vs an incorrect password.

This will bind the user using a simple LDAP bind over ldapi (by default)
and if that is successful, check the expiration date against the current
time.

The UI portion of this that uses this message will come later.

https://fedorahosted.org/freeipa/ticket/2608

Remove the running state when uninstalling DS instances.

2012-04-17T09:25:41+00:00

We don't need to do anything with the state but if it exists in
the sysrestore index at the end of uninstallation the uninstaller will
complain about it.

https://fedorahosted.org/freeipa/ticket/2637

Configure certmonger to execute restart scripts on renewal.

2012-04-10T05:08:41+00:00

certmonger now has the ability to execute a script when it renews a
certificate. This can be used to automatically restart servers so
the certificate doesn't expire in the running server.

https://fedorahosted.org/freeipa/ticket/2050

Fix installation when server hostname is not in a default domain

2012-04-09T00:35:10+00:00

When IPA server is configured with DNS and its hostname is not
located in a default domain, SRV records are not valid.
Additionally, httpd does not serve XMLRPC interface because it
IPA server domain-realm mapping is missing in krb5.conf. All CLI
commands were then failing.

This patch amends this configuration. It fixes SRV records in
served domain to include full FQDN instead of relative hostname
when the IPA server hostname is not located in served domain.
IPA server forward record is also placed to correct zone.

When IPA server is not in a served domain a proper domain-realm
mapping is configured to krb5.conf. The template was improved
in order to be able to hold this information.

https://fedorahosted.org/freeipa/ticket/2602

improve handling of ds instances during uninstall

2012-04-05T02:47:08+00:00

Ticket #2502

* remove the "running" flag from backup_state in cainstance.py and
  dsinstance.py because it does not provide the correct
  information. In cainstance the running flag was never referenced
  because restarting dirsrv instances occurs later in dsinstance. In
  dsinstance when the running flag is set it incorrectly identifed the
  PKI ds instance configured earlier by cainstance. The intent was to
  determine if there were any ds instances other than those owned by
  IPA which will need to be restarted upon uninstall. Clearly the PKI
  ds instance does not qualify. We were generating a traceback when at
  the conclusion of dsinstance.uninstall we tried to start the
  remaining ds instances as indicated by the running flag, but there
  were none to restart (because the running flag had been set as a
  consequence of the PKI ds instance).

* We only want to restart ds instances if there are other ds instances
  besides those owned by IPA. We shouldn't be stopping all ds
  instances either, but that's going to be covered by another
  ticket. The fix for restarting other ds instances at the end of
  uninstall is to check and see if there are other ds instances
  remaining after we've removed ours, if so we restart them. Also it's
  irrelevant if those ds instances were not present when we installed,
  it only matters if they exist after we restore things during
  uninstall. If they are present we have to start them back up because
  we shut them down during uninstall.

* Add new function get_ds_instances() which returns a list of existing
  ds instances.

* fixed error messages that incorrectly stated it "failed to restart"
  a ds instance when it should be "failed to create".