path: root/install
Commit message | Author | Age | Files | Lines
* Make sure ipapwd_extop takes precedence over passwd_modify_extop | Thierry Bordaz | 2016-06-20 | 3 | -2/+11
  DS core server provides a default plugin (passwd_modify_extop) to handle the
  1.3.6.1.4.1.4203.1.11.1 extended op (https://www.ietf.org/rfc/rfc3062.txt).
  IPA delivers the ipa_pwd_extop plugin, which should take precedence over the
  default DS plugin (passwd_modify_extop).
  In addition, make sure that slapi-nis has a low precedence.
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipa-replica-manage: use `server_del` when removing domain level 1 replica | Martin Babinsky | 2016-06-17 | 1 | -131/+8
  `ipa-replica-manage del` will now call `server_del` behind the scenes when a
  removal of a replica from the managed topology is requested. The existing
  removal options were mapped onto the server_del options to maintain backwards
  compatibility with earlier versions.
  https://fedorahosted.org/freeipa/ticket/5588
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* delegate removal of master DNS record and replica keys to separate functions | Martin Babinsky | 2016-06-17 | 1 | -6/+2
  https://fedorahosted.org/freeipa/ticket/5588
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNS Locations: Rename ipalocationweight to ipaserviceweight | Martin Basti | 2016-06-17 | 2 | -6/+6
  Service weight explains the meaning of the attribute better than location
  weight, because a location itself has no weight; only services have.
  https://fedorahosted.org/freeipa/ticket/2008
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Always qualify requests for admin in ipa-replica-conncheck | Florence Blanc-Renaud | 2016-06-17 | 1 | -2/+5
  ipa-replica-conncheck connects to the master using an SSH command:
    ssh -o StrictHostKeychecking=no -o UserKnownHostsFile=<tmpfile> \
        -o GSSAPIAuthentication=yes <principal>@<master hostname> \
        echo OK
  The issue is that the principal name is not fully qualified (for instance
  'admin' is used, even if ipa-replica-conncheck was called with
  --principal admin@EXAMPLE.COM).
  When the FreeIPA server is running with a /etc/sssd/sssd.conf containing
    [sssd]
    default_domain_suffix = ad.domain.com
  this leads to the SSH connection failure because admin is not defined in the
  default domain.
  The fix uses the fully qualified principal name, and calls ssh with
    ssh -o StrictHostKeychecking=no -o UserKnownHostsFile=<tmpfile> \
        -o GSSAPIAuthentication=yes -o User=<principal> \
        <master hostname> echo OK
  to avoid syntax issues with admin@DOMAIN@master.
  https://fedorahosted.org/freeipa/ticket/5812
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNS Locations: dnsserver: use the newer config way in installer | Martin Basti | 2016-06-17 | 1 | -4/+0
  Store some parts of the DNS configuration in the LDAP tree instead of named.conf.
  https://fedorahosted.org/freeipa/ticket/2008
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* DNS Locations: dnsserver: put server_id option into named.conf | Martin Basti | 2016-06-17 | 3 | -6/+2
  The option server_id is required for the DNS location feature, otherwise it
  will not work.
  https://fedorahosted.org/freeipa/ticket/2008
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* DNS Locations: dnsserver-* commands | Martin Basti | 2016-06-17 | 2 | -0/+12
  New commands for manipulating the DNS server configuration were added:
  * dnsserver-show
  * dnsserver-mod
  * dnsserver-find
  https://fedorahosted.org/bind-dyndb-ldap/wiki/Design/PerServerConfigInLDAP
  https://fedorahosted.org/freeipa/ticket/2008
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* DNS Locations: dnsservers: add required objectclasses | Martin Basti | 2016-06-17 | 1 | -0/+3
  Objectclass: idnsServerConfigObject - stores configuration values for DNS servers
  Attributetype: idnsServerId - identifier of the DNS server (server hostname)
  https://fedorahosted.org/freeipa/ticket/2008
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* DNS Locations: adtrustinstance simplify dns management | Martin Basti | 2016-06-17 | 1 | -1/+1
  The path to get the IPA domain in code was somewhat obfuscated; this patch
  simplifies it and makes clear what happens there with the domain name.
  https://fedorahosted.org/freeipa/ticket/2008
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* DNS Locations: use dns_update_service_records in installers | Martin Basti | 2016-06-17 | 2 | -2/+1
  Use the dns_update_system_records command to set proper DNS records.
  https://fedorahosted.org/freeipa/ticket/2008
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* DNS Locations: add idnsTemplateObject objectclass | Martin Basti | 2016-06-17 | 1 | -0/+2
  The objectclass and its related ones are used for generating cname records
  inside bind-dyndb-ldap; see the design for more details:
  https://fedorahosted.org/bind-dyndb-ldap/wiki/Design/RecordGenerator
  https://fedorahosted.org/freeipa/ticket/2008
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* DNS Locations: add index for ipalocation attribute | Martin Basti | 2016-06-17 | 2 | -0/+17
  For performance, ipalocation should be indexed because it is used by the
  referint plugin.
  https://fedorahosted.org/freeipa/ticket/2008
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Extend caacl entity | Pavel Vomacka | 2016-06-15 | 4 | -4/+76
  There is a new checkbox when adding a new caacl which can set whether the ACL
  applies to all CAs or not. Also there is a new table with the CAs to which the
  current ACL is applied. The user can add and remove CAs from this table.
  Part of: https://fedorahosted.org/freeipa/ticket/5939
  Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Extend certificate entity page | Pavel Vomacka | 2016-06-15 | 2 | -5/+74
  Add a field for choosing the CA when issuing a new certificate.
  Add a new item to the action menu on the cert details page which allows the
  user to download the certificate as a file.
  Part of: https://fedorahosted.org/freeipa/ticket/5939
  Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Add new webui plugin - ca | Pavel Vomacka | 2016-06-15 | 3 | -0/+97
  Whole new entity for CAs.
  https://fedorahosted.org/freeipa/ticket/5939
  Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Add 'ca' plugin | Fraser Tweedale | 2016-06-15 | 5 | -2/+17
  This commit adds the 'ca' plugin for creating and managing lightweight CAs.
  The initial implementation supports a single level of sub-CAs underneath the
  IPA CA.
  This commit also:
  - adds the container for FreeIPA CA objects
  - adds schema for the FreeIPA CA objects
  - updates ipa-pki-proxy.conf to allow access to the Dogtag lightweight CAs
    REST API.
  Part of: https://fedorahosted.org/freeipa/ticket/4559
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Add ability to review cert request dialog | Pavel Vomacka | 2016-06-14 | 1 | -1/+4
  The request dialog is not closed directly after clicking the 'Issue' button,
  but only after successful issuing or after clicking the 'Close' button. So
  the user can check the input data.
  https://fedorahosted.org/freeipa/ticket/5652
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Search facet can be without search field | Pavel Vomacka | 2016-06-14 | 1 | -2/+9
  Add attribute 'disable_search_field' which hides the search field on a search
  or nested_search facet.
  Part of: https://fedorahosted.org/freeipa/ticket/5906
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Add server roles on topology page | Pavel Vomacka | 2016-06-14 | 4 | -0/+145
  Adds a new tab on the topology page which shows server roles. Also extends the
  server details page and server config page (setting of CA renewal server).
  https://fedorahosted.org/freeipa/ticket/5906
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Extend table facet | Pavel Vomacka | 2016-06-14 | 1 | -14/+57
  There is a new attribute of the table facet which allows setting which column
  of the table will be its primary key. This patch also moves some code into a
  separate method; it will be easier to override some functionality in child
  classes.
  Part of: https://fedorahosted.org/freeipa/ticket/5906
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Association table can be read only | Pavel Vomacka | 2016-06-14 | 1 | -0/+3
  When it is read only it does not show the Add and Delete buttons.
  Part of: https://fedorahosted.org/freeipa/ticket/5906
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* installer: positional_arguments must be tuple or list of strings | David Kupka | 2016-06-13 | 1 | -1/+1
  Setting a string here was causing a search for a substring instead of a search
  for a value in a tuple or list.
  https://fedorahosted.org/freeipa/ticket/5945
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Correct a jslint warning | Pavel Vomacka | 2016-06-13 | 1 | -1/+1
  This patch removes a comma at the end of a list, just because of a jslint
  warning. It does not have any impact on functionality.
  https://fedorahosted.org/freeipa/ticket/5937
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* webui: support external flag to trust-add | Alexander Bokovoy | 2016-06-11 | 1 | -0/+11
  https://fedorahosted.org/freeipa/ticket/5904
  Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
* webui: show UPN suffixes in trust properties | Alexander Bokovoy | 2016-06-11 | 1 | -1/+12
  https://fedorahosted.org/freeipa/ticket/5937
  Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
* adtrust: support UPNs for trusted domain users | Alexander Bokovoy | 2016-06-11 | 2 | -29/+5
  Add support for additional user name principal suffixes from trusted Active
  Directory forests. UPN suffixes are a property of the forest and as such are
  associated with the forest root domain.
  FreeIPA stores UPN suffixes as the ipaNTAdditionalSuffixes multi-valued
  attribute of the ipaNTTrustedDomain object class.
  In order to look up UPN suffixes, the netr_DsRGetForestTrustInformation LSA RPC
  call is used instead of netr_DsrEnumerateDomainTrusts.
  For more details on UPN and naming in Active Directory see
  https://technet.microsoft.com/en-us/library/cc739093%28v=ws.10%29.aspx
  https://fedorahosted.org/freeipa/ticket/5354
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* adtrust: support GSSAPI authentication to LDAP as Active Directory user | Alexander Bokovoy | 2016-06-10 | 3 | -0/+29
  In case an ID override was created for an Active Directory user in the default
  trust view, allow mapping the incoming GSSAPI authenticated connection to the
  ID override for this user.
  This allows users to self-manage ID override parameters from the CLI, for
  example, SSH public keys or certificates. Admins can define what can be changed
  by the users via self-service permissions.
  Part of https://fedorahosted.org/freeipa/ticket/2149
  Part of https://fedorahosted.org/freeipa/ticket/3242
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* adtrust: remove nttrustpartner parameter | Alexander Bokovoy | 2016-06-10 | 2 | -56/+0
  The MS-ADTS spec requires that the TrustPartner field should be equal to the
  commonName (cn) of the trust. We used it a bit wrongly to express the trust
  relationship between parent and child domains. In fact, we have the
  parent-child relationship recorded in the DN (child domains are part of the
  parent domain's container).
  Remove the argument that was never used externally but only supplied by
  trust-specific code inside the IPA framework.
  Part of https://fedorahosted.org/freeipa/ticket/5354
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Revert "adtrust: remove nttrustpartner parameter" | Martin Basti | 2016-06-10 | 2 | -0/+56
  This reverts commit 185806432d6dfccc5cdd73815471ce60a575b073.
  The wrong version of the patch has been pushed.
  https://fedorahosted.org/freeipa/ticket/5354
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* adtrust: remove nttrustpartner parameter | Alexander Bokovoy | 2016-06-10 | 2 | -56/+0
  The MS-ADTS spec requires that the TrustPartner field should be equal to the
  commonName (cn) of the trust. We used it a bit wrongly to express the trust
  relationship between parent and child domains. In fact, we have the
  parent-child relationship recorded in the DN (child domains are part of the
  parent domain's container).
  Remove the argument that was never used externally but only supplied by
  trust-specific code inside the IPA framework.
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Add lists of hosts allowed to create or retrieve keytabs | Pavel Vomacka | 2016-06-09 | 2 | -0/+128
  Attribute tables are added on the host and service pages.
  https://fedorahosted.org/freeipa/ticket/5931
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* DNS Locations: WebUI part | Pavel Vomacka | 2016-06-09 | 2 | -3/+252
  WebUI part of the DNS Location feature.
  https://fedorahosted.org/freeipa/ticket/5905
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Add adapter attribute for choosing record | Pavel Vomacka | 2016-06-09 | 1 | -2/+9
  The new attribute of the adapter contains the name of the record which will be
  extracted from the API call result.
  Part of: https://fedorahosted.org/freeipa/ticket/5905
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Fix bad searching of reverse DNS zone | Pavel Vomacka | 2016-06-09 | 1 | -14/+14
  There was a problem with finding the correct DNS zone. It found the first
  substring match. Therefore, when there were locations 0.10.10.in-addr.arpa.
  and 110.10.10.in-addr.arpa, the location for IP address 10.10.110.1 was the
  first one, which is incorrect. Now it finds the second one, because it finds
  the longest match.
  https://fedorahosted.org/freeipa/ticket/5796
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Setup lightweight CA key retrieval on install/upgrade | Fraser Tweedale | 2016-06-09 | 4 | -0/+44
  Add the ipa-pki-retrieve-key helper program and configure lightweight CA key
  replication on installation and upgrade. The specific configuration steps are:
  - Add the 'dogtag/$HOSTNAME' service principal
  - Create the principal's Custodia keys
  - Retrieve the principal's keytab
  - Configure Dogtag's CS.cfg to use ExternalProcessKeyRetriever to invoke
    ipa-pki-retrieve-key for key retrieval
  Also bump the minimum version of Dogtag to 10.3.2.
  Part of: https://fedorahosted.org/freeipa/ticket/4559
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Add ACIs for Dogtag custodia client | Fraser Tweedale | 2016-06-09 | 1 | -0/+8
  The "dogtag/$HOSTNAME@$REALM" service principal uses Custodia to retrieve
  lightweight CA signing keys, and therefore needs search and read access to
  Custodia keys. Add an ACI to permit this.
  Also add ACIs to allow host principals to manage Dogtag custodia keys for the
  same host.
  Part of: https://fedorahosted.org/freeipa/ticket/4559
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Load server plugins in certmonger renewal helper | Fraser Tweedale | 2016-06-08 | 1 | -1/+1
  The certmonger renewal helper needs to load server plugins to operate.
  Initialise the API with in_server=True.
  Fixes: https://fedorahosted.org/freeipa/ticket/5943
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Auth Indicators WebUI part | Pavel Vomacka | 2016-06-07 | 4 | -167/+224
  Add custom_checkbox_widget on the service page. The old aci.attribute_widget
  now inherits from the new base class custom_checkboxes_widget and overrides
  the populate method.
  https://fedorahosted.org/freeipa/ticket/5872
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Extend the certificate request dialog | Pavel Vomacka | 2016-06-06 | 2 | -1/+11
  The command for requesting a certificate for hosts and services is extended.
  It now includes how to add a DNS name as subjectAltName.
  https://fedorahosted.org/freeipa/ticket/5645
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Upgrade mod_wsgi socket-timeout on existing installation | Martin Basti | 2016-06-06 | 1 | -1/+1
  The original fix was effective only on new installations.
  https://fedorahosted.org/freeipa/ticket/5833
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Added krb5.conf.d/ to included dirs in krb5.conf | Stanislav Laznicka | 2016-06-05 | 1 | -0/+1
  The include of /etc/krb5.conf.d/ is required for crypto-policies to work
  properly.
  https://fedorahosted.org/freeipa/ticket/5912
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Change 'Restore' to 'Remove Hold' | Pavel Vomacka | 2016-06-03 | 2 | -15/+19
  To be consistent with the CLI, restoring a certificate is renamed to removing
  certificate hold in all WebUI components.
  https://fedorahosted.org/freeipa/ticket/5878
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Change lang.hitch to javascript bind method | Pavel Vomacka | 2016-06-03 | 20 | -145/+134
  Also remove the dojo/_base/lang module in cases where it is not needed any more.
  https://fedorahosted.org/freeipa/ticket/5702
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Add option to stage user from details page | Pavel Vomacka | 2016-06-03 | 3 | -3/+38
  Add the 'stage' option to the activity dropdown menu on the preserved user
  details page.
  https://fedorahosted.org/freeipa/ticket/5371
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Add ability to stage multiple users | Pavel Vomacka | 2016-06-03 | 3 | -0/+36
  Add a 'Stage' button on the search page where preserved users are listed.
  https://fedorahosted.org/freeipa/ticket/5371
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* DNS Locations: when removing location remove it from servers first | Martin Basti | 2016-06-03 | 1 | -0/+1
  Locations should be removed from servers by using server-mod during
  location-del (future patches will handle DNS records in server-mod).
  The referint plugin is configured to remove references to deleted locations.
  https://fedorahosted.org/freeipa/ticket/2008
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* DNS Locations: location-* commands | Martin Basti | 2016-06-03 | 3 | -0/+11
  http://www.freeipa.org/page/V4/DNS_Location_Mechanism
  https://fedorahosted.org/freeipa/ticket/2008
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* DNS Locations: add new attributes and objectclasses | Martin Basti | 2016-06-03 | 1 | -0/+4
  http://www.freeipa.org/page/V4/DNS_Location_Mechanism
  https://fedorahosted.org/freeipa/ticket/2008
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* DNS Locations: Always create DNS related privileges | Martin Basti | 2016-06-03 | 4 | -16/+32
  DNS privileges are important for handling DNS locations, which can be created
  without DNS servers in the IPA topology.
  We will also need these privileges present for the future feature
  'External DNS support'.
  https://fedorahosted.org/freeipa/ticket/2008
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>