freeipa.git/ipaserver, branch master Unnamed repository; edit this file 'description' to name the repository. Fix incorrect check for principal type when evaluating CA ACLs 2016-07-01T11:16:23+00:00 Martin Babinsky mbabinsk@redhat.com 2016-07-01T09:55:47+00:00 0ade41abbad324d8c54449f3b1024a7651dc259d This error prevented hosts to request certificates for themselves. https://fedorahosted.org/freeipa/ticket/3864 Reviewed-By: Petr Spacek <pspacek@redhat.com> 
This error prevented hosts to request certificates for themselves.

https://fedorahosted.org/freeipa/ticket/3864

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Allow unexpiring passwords 2016-07-01T09:22:02+00:00 David Kupka dkupka@redhat.com 2016-06-30T06:52:33+00:00 d2cb9ed327ee4003598d5e45d80ab7918b89eeed Treat maxlife=0 in password policy as "never expire". Delete krbPasswordExpiration in user entry when password should never expire. https://fedorahosted.org/freeipa/ticket/2795 Reviewed-By: Thierry Bordaz <tbordaz@redhat.com> Reviewed-By: Pavel Vomacka <pvomacka@redhat.com> 
Treat maxlife=0 in password policy as "never expire". Delete
krbPasswordExpiration in user entry when password should never expire.

https://fedorahosted.org/freeipa/ticket/2795

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Fix upgrade when Dogtag also upgraded from 10.2 -> 10.3 2016-07-01T09:09:53+00:00 Fraser Tweedale ftweedal@redhat.com 2016-06-30T11:01:07+00:00 3691e39a62da5134f911f6a798f79a3a2ae0c025 ipa-server-upgrade from pre-lightweight CAs version fails when Dogtag is also being upgraded from pre-lightweight CAs version, because Dogtag needs to be restarted after adding the lightweight CAs container, before requesting information about the host authority. Move the addition of the Dogtag lightweight CAs container entry a bit earlier in the upgrade procedure, ensuring restart. Fixes: https://fedorahosted.org/freeipa/ticket/6011 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
ipa-server-upgrade from pre-lightweight CAs version fails when
Dogtag is also being upgraded from pre-lightweight CAs version,
because Dogtag needs to be restarted after adding the lightweight
CAs container, before requesting information about the host
authority.

Move the addition of the Dogtag lightweight CAs container entry a
bit earlier in the upgrade procedure, ensuring restart.

Fixes: https://fedorahosted.org/freeipa/ticket/6011
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Fix internal errors in host-add and other commands caused by DNS resolution 2016-07-01T08:35:39+00:00 Petr Spacek pspacek@redhat.com 2016-06-30T18:41:48+00:00 5e78b54d7c532bec0ee5a4ce3f1b6d6c94d17c51 Previously resolver was returning CheckedIPAddress objects. This internal server error in cases where DNS actually returned reserved IP addresses. Now the resolver is returning UnsafeIPAddress objects which do syntactic checks but do not filter IP addresses. From now on we can decide if some IP address should be accepted as-is or if it needs to be contrained to some subset of IP addresses using CheckedIPAddress class. This regression was caused by changes for https://fedorahosted.org/freeipa/ticket/5710 Reviewed-By: Martin Basti <mbasti@redhat.com> 
Previously resolver was returning CheckedIPAddress objects. This
internal server error in cases where DNS actually returned reserved IP
addresses.

Now the resolver is returning UnsafeIPAddress objects which do syntactic
checks but do not filter IP addresses.

From now on we can decide if some IP address should be accepted as-is or
if it needs to be contrained to some subset of IP addresses using
CheckedIPAddress class.

This regression was caused by changes for
https://fedorahosted.org/freeipa/ticket/5710

Reviewed-By: Martin Basti <mbasti@redhat.com>
Add --cn option to cert-status 2016-07-01T08:05:16+00:00 Fraser Tweedale ftweedal@redhat.com 2016-07-01T04:42:37+00:00 4844eaec197690e21c6cf44743df7f456d0e185d Add the 'cacn' option to the cert-status command. Right now there is nothing we need to (or can) do with it, but we add it anyway for future use. Fixes: https://fedorahosted.org/freeipa/ticket/5999 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Add the 'cacn' option to the cert-status command.  Right now there
is nothing we need to (or can) do with it, but we add it anyway for
future use.

Fixes: https://fedorahosted.org/freeipa/ticket/5999
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Add widgets for kerberos aliases 2016-07-01T07:39:49+00:00 Pavel Vomacka pvomacka@redhat.com 2016-06-30T12:34:33+00:00 4bc2e3164fbc4fdbbd4ecd1d26001a5d4671dd94 Create own custom_command_multivalued_widget for kerberos aliases. https://fedorahosted.org/freeipa/ticket/5927 Reviewed-By: Petr Vobornik <pvoborni@redhat.com> 
Create own custom_command_multivalued_widget for kerberos aliases.

https://fedorahosted.org/freeipa/ticket/5927

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Unify display of principal names/aliases across entities 2016-07-01T07:37:25+00:00 Martin Babinsky mbabinsk@redhat.com 2016-06-29T12:54:54+00:00 acf2234ebc8609a35a8f45598d5d817cbdbff121 Since now users, hosts, and service all support assigning multiple principal aliases to them, the display of kerberos principal names should be consistent across all these objects. Principal aliases and canonical names will now be displayed in all add, mod, show, and find operations. https://fedorahosted.org/freeipa/ticket/3864 Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Since now users, hosts, and service all support assigning multiple principal
aliases to them, the display of kerberos principal names should be consistent
across all these objects. Principal aliases and canonical names will now be
displayed in all add, mod, show, and find operations.

https://fedorahosted.org/freeipa/ticket/3864

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Provide API for management of host, service, and user principal aliases 2016-07-01T07:37:25+00:00 Martin Babinsky mbabinsk@redhat.com 2016-06-23T18:06:42+00:00 e6ff83e3610d553f6ff98e3adbfbe3c6984b2f17 New commands (*-{add,remove}-principal [PKEY] [PRINCIPAL ...]) were added to manage principal aliases. 'add' commands will check the following: * the correct principal type is supplied as an alias * the principals have correct realm and the realm/alternative suffix (e.g. e-mail) do not overlap with those of trusted AD domains If the entry does not have canonical principal name, the first returned principal name will be set as one. This is mostly to smoothly operate on entries created on older servers. 'remove' commands will check that there is at least one principal alias equal to the canonical name left on the entry. See also: http://www.freeipa.org/page/V4/Kerberos_principal_aliases https://fedorahosted.org/freeipa/ticket/1365 https://fedorahosted.org/freeipa/ticket/3961 https://fedorahosted.org/freeipa/ticket/5413 Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
New commands (*-{add,remove}-principal [PKEY] [PRINCIPAL ...])
were added to manage principal aliases.

'add' commands will check the following:
* the correct principal type is supplied as an alias
* the principals have correct realm and the realm/alternative suffix (e.g.
  e-mail) do not overlap with those of trusted AD domains

If the entry does not have canonical principal name, the first returned
principal name will be set as one. This is mostly to smoothly operate on
entries created on older servers.

'remove' commands will check that there is at least one principal alias equal
to the canonical name left on the entry.

See also: http://www.freeipa.org/page/V4/Kerberos_principal_aliases

https://fedorahosted.org/freeipa/ticket/1365
https://fedorahosted.org/freeipa/ticket/3961
https://fedorahosted.org/freeipa/ticket/5413

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Make framework consider krbcanonicalname as service primary key 2016-07-01T07:37:25+00:00 Martin Babinsky mbabinsk@redhat.com 2016-06-23T18:01:34+00:00 a28d312796839e3413c98ee37d34ccc892e85357 The framework does not allow single param to appear as both positional argument and option in a single command, or to represent two different positional arguments for that matter. Since principal aliases shall go to krbprincipalname attribute, the framework has to be tricked to believe krbcanonicalname is the service's primary key. The entry DN stored in LDAP remains the same. https://fedorahosted.org/freeipa/ticket/1365 Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
The framework does not allow single param to appear as both positional
argument and option in a single command, or to represent two different
positional arguments for that matter. Since principal aliases shall go to
krbprincipalname attribute, the framework has to be tricked to believe
krbcanonicalname is the service's primary key. The entry DN stored in LDAP
remains the same.

https://fedorahosted.org/freeipa/ticket/1365

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Allow for commands that use positional parameters to add/remove attributes 2016-07-01T07:37:25+00:00 Martin Babinsky mbabinsk@redhat.com 2016-06-23T17:14:53+00:00 750a392fe22aa8ddcb21077e8c24b96d36ecf20c Commands that modify a single multivalued attribute of an entry should use positional parameters to specify both the primary key and the values to add/remove. Named options are redundant in this case. The `--certificate option` of `*-add/remove-cert` commands was turned mandatory to avoid EmptyModlist when it is omitted. https://fedorahosted.org/freeipa/ticket/3961 https://fedorahosted.org/freeipa/ticket/5413 Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Commands that modify a single multivalued attribute of an entry should use
positional parameters to specify both the primary key and the values to
add/remove. Named options are redundant in this case.

The `--certificate option` of `*-add/remove-cert` commands was turned
mandatory to avoid EmptyModlist when it is omitted.

https://fedorahosted.org/freeipa/ticket/3961
https://fedorahosted.org/freeipa/ticket/5413

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>