summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* Unsaved changes dialog internally inconsistentGabe2015-05-078-27/+31
| | | | | | https://fedorahosted.org/freeipa/ticket/4926 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Fix stop_tracking_certificates call in ipa-restoreJan Cholasta2015-05-071-3/+2
| | | | | | | | | CAInstance.stop_tracking_certificates() no longer has dogtag_constants argument. https://fedorahosted.org/freeipa/ticket/4775 Reviewed-By: David Kupka <dkupka@redhat.com>
* Server Upgrade: enable DS global lock during upgradeMartin Basti2015-05-053-7/+37
| | | | | | https://fedorahosted.org/freeipa/ticket/4925 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Server Upgrade: use LDIF parser to modify DSE.ldifMartin Basti2015-05-051-20/+165
| | | | | Ticket: https://fedorahosted.org/freeipa/ticket/4925 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* move realm_to_serverid to installutils moduleMartin Basti2015-05-0516-37/+43
| | | | | | | | | To avoid cyclic imports realm_to_serverid function had to be moved to installutils from dsinstance. Required for: https://fedorahosted.org/freeipa/ticket/4925 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Fix a signedness bug in OTP codeNathaniel McCallum2015-05-051-3/+3
| | | | | | | | | This bug caused negative token windows to wrap-around, causing issues with TOTP authentication and (especially) synchronization. https://fedorahosted.org/freeipa/ticket/4990 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Server Upgrade: fix a comment in ldapupdaterMartin Basti2015-05-051-6/+1
| | | | | | | | DN sorting was removed in previous patches https://fedorahosted.org/freeipa/ticket/4904 Reviewed-By: David Kupka <dkupka@redhat.com>
* Remove unneeded ip-address option in ipa-adtrust-installGabe2015-05-053-41/+2
| | | | | | https://fedorahosted.org/freeipa/ticket/4575 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Server Upgrade: use ipa-server-upgrade in RPM upgradeMartin Basti2015-05-041-2/+1
| | | | | | | https://fedorahosted.org/freeipa/ticket/4904 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
* Server Upgrade: Verify version and platformMartin Basti2015-05-0410-35/+187
| | | | | | | | | | | | | | | | | | | | | | | | Verify version and platform before upgrade or ipactl start|restart Upgrade: * do not allow upgrade on different platforms * do not allow upgrade data with higher version than build has Start: * do not start services if platform mismatch * do not start services if upgrade is needed * do not start services if data with higher version than build has New ipactl options: --skip-version-check: do not validate IPA version --ignore-service-failures (was --force): ignore if a service start fail and continue with starting other services --force: combine --skip-version-check and --ignore-service-failures https://fedorahosted.org/freeipa/ticket/4904 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
* Server Upgrade: ipa-server-upgrade commandMartin Basti2015-05-046-0/+128
| | | | | | | https://fedorahosted.org/freeipa/ticket/4904 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
* suppress errors arising from deleting non-existent files during client uninstallMartin Babinsky2015-04-291-18/+22
| | | | | | | | | | | When rolling back partially configured IPA client a number of OSErrors pop up due to uninstaller trying to remove files that do not exist anymore. This patch supresses these errors while keeping them in log as debug messages. https://fedorahosted.org/freeipa/ticket/4966 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* point the users to PKI-related logs when CA configuration failsMartin Babinsky2015-04-293-5/+19
| | | | | | | | | | This patch adds an error handler which prints out the paths to logs related to configuration and installation of Dogtag/CA in the case of failure. https://fedorahosted.org/freeipa/ticket/4900 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Lint: Fix error on pylint-1.3.1 introduced by fix for pylint-1.4.1.David Kupka2015-04-271-0/+1
| | | | Reviewed-By: Martin Basti <mbasti@redhat.com>
* Make lint work on Fedora 22.David Kupka2015-04-274-1/+5
| | | | | | | | | | | pylint added 'confidence' parameter to 'add_message' method of PyLinter. To be compatible with both, pre- and post- 1.4 IPALinter must accept the parameter but not pass it over. Also python3 checker was added and enabled by default. FreeIPA is still not ready for python3. Additionally few false-positives was marked. Reviewed-By: Martin Basti <mbasti@redhat.com>
* speed up indirect member processingPetr Vobornik2015-04-276-95/+81
| | | | | | | | | | | | | | | the old implementation tried to get all entries which are member of group. That means also user. User can't have any members therefore this costly processing was unnecessary. New implementation reduces the search only to entries which have members. Also page size was removed to avoid paging by small pages(default size: 100) which is very slow for many members. https://fedorahosted.org/freeipa/ticket/4947 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Lint: Skip checking of functions stolen by python-nose.David Kupka2015-04-241-2/+11
| | | | | | | python-nose modifies namespaces in a way that confuses pylint. To skip these PyCheckers' visit_callfunc method must be extended. Reviewed-By: Martin Basti <mbasti@redhat.com>
* use separate ccache filename for each IPA DNSSEC daemonMartin Babinsky2015-04-243-3/+3
| | | | | | | | | ipa-dnskeysyncd, ipa-dnskeysync-replica, and ipa-ods-exporter use a generic 'ccache' filename for credential storage, making debugging Kerberos-related errors unnecessarily complicated. This patch renames the ccache files so that each of these daemons now has its own credenital cache. Reviewed-By: Petr Spacek <pspacek@redhat.com>
* ipa client: use NTP servers specified by userMartin Basti2015-04-241-9/+15
| | | | | | | | NTP servers specified by user should be used to synchronize time. https://fedorahosted.org/freeipa/ticket/4983 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* ipa client: use NTP servers detected from SRVMartin Basti2015-04-241-1/+8
| | | | | | | | | Detected NTP servers from SRV records should be used in NTP client configuration. https://fedorahosted.org/freeipa/ticket/4981 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* ipa client: make --ntp-server option multivaluedMartin Basti2015-04-243-14/+18
| | | | | | | | There can be more ntp servers in ntp.conf Required for ticket: https://fedorahosted.org/freeipa/ticket/4981 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Update python-yubico dependency versionNathaniel McCallum2015-04-241-2/+2
| | | | | | | | This change enables support for all current YubiKey hardware. https://fedorahosted.org/freeipa/ticket/4954 Reviewed-By: Gabe Alford <redhatrises@gmail.com>
* Remove Editable DN and DN component classesPetr Viktorin2015-04-232-1950/+1003
| | | | | | | | | | Make all DNs, RDNs and AVAs immutable. Immutability makes reasoning about DN-handling code easier, as value objects can't be changed once created. Instead of mutable DNs, one can use a list (or even a generator) of RDNs that's converted to a DN on output. Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* rename_managed: Remove use of EditableDNPetr Viktorin2015-04-231-20/+32
| | | | | | This was the last use of EditableDN in IPA; the class can now be removed. Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Removed recommendation from ipa-adtrust-installThorsten Scherf2015-04-211-9/+0
| | | | | | | | | | In the wiki we say it's not longer necessary to make the IPA LDAP server not reachable by any AD domain controller. To be consistence, the setup tool should reflext this statement. https://fedorahosted.org/freeipa/ticket/4977 Reviewed-By: Gabe Alford <redhatrises@gmail.com>
* Adopted kinit_keytab and kinit_password for kerberos authMartin Babinsky2015-04-209-41/+54
| | | | | | | | | Calls to ipautil.run using kinit were replaced with calls kinit_keytab/kinit_password functions implemented in the PATCH 0015. Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> Reviewed-By: Petr Spacek <pspacek@redhat.com>
* ipa-client-install: try to get host TGT several times before giving upMartin Babinsky2015-04-202-29/+48
| | | | | | | | | | | | | | New option '--kinit-attempts' enables the host to make multiple attempts to obtain host TGT from master before giving up and aborting client installation. In addition, all kinit attempts were replaced by calls to 'ipautil.kinit_keytab' and 'ipautil.kinit_password'. https://fedorahosted.org/freeipa/ticket/4808 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> Reviewed-By: Petr Spacek <pspacek@redhat.com>
* ipautil: new functions kinit_keytab and kinit_passwordMartin Babinsky2015-04-201-17/+54
| | | | | | | | | | | | | kinit_keytab replaces kinit_hostprincipal and performs Kerberos auth using keytab file. Function is also able to repeat authentication multiple times before giving up and raising Krb5Error. kinit_password wraps kinit auth using password and also supports FAST authentication using httpd armor ccache. Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> Reviewed-By: Petr Spacek <pspacek@redhat.com>
* speed up convert_attribute_membersPetr Vobornik2015-04-201-8/+28
| | | | | | | | A workaround to avoid usage of slow LDAPEntry._sync_attr #4946 https://fedorahosted.org/freeipa/ticket/4965 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ldap: Remove IPASimpleLDAPObjectJan Cholasta2015-04-161-105/+0
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ldap: Use SimpleLDAPObject instead of IPASimpleLDAPObject in LDAPClientJan Cholasta2015-04-161-2/+2
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ldap: Move schema handling from IPASimpleLDAPObject to LDAPClientJan Cholasta2015-04-163-288/+264
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ldap: Use LDAPClient instead of IPASimpleLDAPObject in LDAPEntryJan Cholasta2015-04-162-5/+14
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ldap: Move value encoding from IPASimpleLDAPObject to LDAPClientJan Cholasta2015-04-162-140/+95
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* makeaci: Use LDAPClient instead of IPASimpleLDAPObjectJan Cholasta2015-04-161-11/+2
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* cainstance: Use LDAPClient instead of IPASimpleLDAPObjectJan Cholasta2015-04-161-7/+8
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ldap: Use LDAPClient instead of IPASimpleLDAPObject in ldap2.modify_passwordJan Cholasta2015-04-161-6/+5
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ldap: Use LDAPClient bind and unbind methods in ldap2Jan Cholasta2015-04-161-34/+28
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ldap: Use LDAPClient bind and unbind methods in IPAdminJan Cholasta2015-04-161-19/+16
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ldap: Add bind and unbind methods to LDAPClientJan Cholasta2015-04-161-0/+35
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ldap: Use LDAPClient connection management in ldap2Jan Cholasta2015-04-161-3/+10
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ldap: Use LDAPClient connection management in IPAdminJan Cholasta2015-04-161-12/+3
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ldap: Add connection management to LDAPClientJan Cholasta2015-04-162-10/+68
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ldap: Remove unused IPAdmin methodsJan Cholasta2015-04-161-8/+0
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ldap: Drop python-ldap tuple compatibilityJan Cholasta2015-04-161-66/+3
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* User life cycle: allows MODRDN from ldap2Thierry Bordaz2015-04-162-9/+28
| | | | | | | | | enhance update_entry_rdn so that is allows to move an entry a new superior https://fedorahosted.org/freeipa/ticket/3813 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* do not install CA on replica during integration test if setup_ca=FalseMartin Babinsky2015-04-151-1/+0
| | | | | | | | | The patch fixes bug in the construction of ipa-replica-install arguments in test_integration/tasks.install_replica. Due to this bug the replica installation during certain integration tests involved CA setup even when setup_ca was set to False. Reviewed-By: Milan Kubik <mkubik@redhat.com>
* proper client host setup/teardown in forced client reenrollment integration ↵Martin Babinsky2015-04-141-19/+24
| | | | | | | | | | test suite Replace setUp()/tearDown() methods with a pytest.fixture for proper client setup/teardown during test_forced_client_reenrollment Reviewed-By: Petr Viktorin <pviktori@redhat.com> Reviewed-By: Milan Kubik <mkubik@redhat.com>
* performance: faster DN implementationPetr Vobornik2015-04-142-304/+304
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | DN code was optimized to be faster if DNs are created from string. This is the major use case, since most DNs come from LDAP. With this patch, DN creation is almost 8-10x faster (with 30K-100K DNs). Second mojor use case - deepcopy in LDAPEntry is about 20x faster - done by custom __deepcopy__ function. The major change is that DN is no longer internally composed of RDNs and AVAs but it rather keeps the data in open ldap format - the same as output of str2dn function. Therefore, for immutable DNs, no other transformations are required on instantiation. The format is: DN: [RDN, RDN,...] RDN: [AVA, AVA,...] AVA: ['utf-8 encoded str - attr', 'utf-8 encode str -value', FLAG] FLAG: int Further indexing of DN object constructs an RDN which is just an encapsulation of the RDN part of open ldap representation. Indexing of RDN constructs AVA in the same fashion. Obtained EditableAVA, EditableRDN from EditableDN shares the respected lists of the open ldap repr. so that the change of value or attr is reflected in parent object. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* DNSSEC CI testsMartin Basti2015-04-143-8/+307
| | | | | | | | | | | | | | | Tests: * install master, replica, then instal DNSSEC on master * test if zone is signed (added on master) * test if zone is signed (added on replica) * install master with DNSSEC, then install replica * test if root zone is signed * add zone, verify signatures using our root zone https://fedorahosted.org/freeipa/ticket/4657 Reviewed-By: Milan Kubik <mkubik@redhat.com>
generated by cgit (git 2.34.1) at 2025-10-03 23:15:30 +0000