| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
| |
Sometimes the lock table would run out of available locks. This should
improve the lock table default configuration.
https://fedorahosted.org/freeipa/ticket/5914
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Use the existing remote server API to create service entries instead of a
client API.
This fixes a crash during replica promotion due to unavailable schema.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
|
| |
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/5619
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
nsSSLCiphers: "default" provides only secure ciphers that should be used when
connecting to DS
https://fedorahosted.org/freeipa/ticket/5684
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4026
When a replica needs to extend its DNA range, it selects the remote replica with the
larger available range. If there is no replica agreement to that remote replica,
the shared config entry needs to contain the connection method/protocol.
This fix requires 389-ds
* https://fedorahosted.org/389/ticket/47779
* https://fedorahosted.org/389/ticket/48362
That are both fixed in 1.3.4.6
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Regression caused by commit 9818e463f5d0a91b300801ee7c8f31f25de402b2,
admin_conn should be connected in method if there is no connection.
https://fedorahosted.org/freeipa/ticket/5665
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
|
| |
|
|
|
|
|
|
| |
Configure certmonger to start tracing certificate for DS.
https://fedorahosted.org/freeipa/ticket/5586
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
During upgrade to IPA 4.2, literally "$SUFFIX" value was added to
configuration of sidgen and extdom plugins. This cause that SID are not properly configured.
Upgrade must fix "$SUFFIX" to reals suffix DN, and run sidgen task
against IPA domain (if exists).
All trusts added when plugins configuration was broken must be re-added.
https://fedorahosted.org/freeipa/ticket/5665
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
DS instance install should fail immediately after setup-ds.pl fail.
tickets: #2539, #3720, #5607
https://fedorahosted.org/freeipa/ticket/2539
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
| |
|
|
|
|
| |
Enables check and removes extra pass statement from code.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Wildcard imports should not be used.
Check for wildcard imports has been enabled in pylint.
Pylint note: options 'wildcard-import' causes too much false positive
results, so instead it I used 'unused-wildcard-import' option which has almost
the same effect.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/5441
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
| |
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Replica does not need to have A/AAAA records during install, so we
cannot enforce it and service must be added with --force option.
https://fedorahosted.org/freeipa/ticket/5420
Reviewed-By: Tomas Babej <tbabej@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Profiles and the default CA ACL were not being added during replica
install from pre-4.2 servers. Update ipa-replica-install to add
these if they are missing.
Also update the caacl plugin to prevent deletion of the default CA
ACL and instruct the administrator to disable it instead.
To ensure that the cainstance installation can add profiles, supply
the RA certificate as part of the instance configuration.
Certmonger renewal setup is avoided at this point because the NSSDB
gets reinitialised later in installation procedure.
Also move the addition of the default CA ACL from dsinstance
installation to cainstance installation.
Fixes: https://fedorahosted.org/freeipa/ticket/5459
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
each service possessing Kerberos keytab/ccache will now perform their removal
before service principal creation and during service uninstall
https://fedorahosted.org/freeipa/ticket/5243
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Added constants for domain levels
DOMAIN_LEVEL_0 = 0
DOMAIN_LEVEL_1 = 1
This allows to search for domain level easier in code.
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
|
| |
|
|
| |
Reviewed-By: Tomas Babej <tbabej@redhat.com>
|
| |
|
|
|
|
|
| |
This patch cleans up an unused parameter and fixes the return value when
'ipaDomainLevel' is found: instead of a dict we should return an integer.
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This allows to user modify configuration changes of the directory server
instance during installation of DS
https://fedorahosted.org/freeipa/ticket/4949
Also fixes:
https://fedorahosted.org/freeipa/ticket/4048
https://fedorahosted.org/freeipa/ticket/1930
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
This can be used only locally on an existing master (uses ldapi).
Useful to check the domain_level in scripts before the api is
initialized and/or credentials are available.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
| |
trigger topology updaet if suffix entry is added
trigger topology update if managedSuffix is modified in host entry
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch implements a new flag --promote for the ipa-replica-install command
that allows an administrative user to 'promote' an already joined client to
become a full ipa server.
The only credentials used are that of an administrator. This code relies on
ipa-custodia being available on the peer master as well as a number of other
patches to allow a computer account to request certificates for its services.
Therefore this feature is marked to work only with domain level 1 and above
servers.
Ticket: https://fedorahosted.org/freeipa/ticket/2888
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
In Python 3, `print` is no longer a statement. Call it as a function
everywhere, and include the future import to remove the statement
in Python 2 code as well.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
| |
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
|
| |
|
|
|
|
|
|
| |
If we stop or restart the server insure admin_conn gets reset or other
parts may fail to properly connect/authenticate
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Sasl mappings can be created directly by the DS Instance, there is
no reason to create them in the krbinstance as they do not depend on
the kdc to be configured just to be created.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
| |
In Python 3, implicit relative imports will not be supported.
Use fully-qualified imports everywhere.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
|
| |
|
|
|
|
|
| |
The 'as' syntax works from Python 2 on, and Python 3 will
drop the "comma" syntax.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
If configuration entries already exist, upgrade will not add them
again.
https://fedorahosted.org/freeipa/ticket/5151
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use Python-3 compatible syntax, without breaking compatibility with py 2.7
- Octals literals start with 0o to prevent confusion
- The "L" at the end of large int literals is not required as they use
long on Python 2 automatically.
- Using 'int' instead of 'long' for small numbers is OK in all cases except
strict type checking checking, e.g. type(0).
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
This reverts commit 62e8002bc43ddd890c3db35a123cb7daf35e3121.
Hiding of the topology and domainlevel features was necessary
for the 4.2 branch only.
Reviewed-By: Simo Sorce <ssorce@redhat.com>
|
| |
|
|
|
|
| |
Fixes https://fedorahosted.org/freeipa/ticket/4951
Reviewed-By: Tomas Babej <tbabej@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
* Hide topology and domainlevel commands in the CLI
* Hide topology and domainlevel in the WebUI
* Set maximum allowed domain level to 0
* Do not configure and enable the topology plugin
https://fedorahosted.org/freeipa/ticket/5097
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Implement the caacl commands, which are used to indicate which
principals may be issued certificates from which (sub-)CAs, using
which profiles.
At this commit, and until sub-CAs are implemented, all rules refer
to the top-level CA (represented as ".") and no ca-ref argument is
exposed.
Also, during install and upgrade add a default CA ACL that permits
certificate issuance for all hosts and services using the profile
'caIPAserviceCert' on the top-level CA.
Part of: https://fedorahosted.org/freeipa/ticket/57
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
The certprofile object class is used to track IPA-managed
certificate profiles in Dogtag and store IPA-specific settings.
Part of: https://fedorahosted.org/freeipa/ticket/57
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/5018
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4302
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
* Prevent to continue with upgrade if a fatal error happened
* Use exceptions to handle failures
https://fedorahosted.org/freeipa/ticket/4904
Reviewed-By: David Kupka <dkupka@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4925
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
To avoid cyclic imports realm_to_serverid function had to be moved to
installutils from dsinstance.
Required for: https://fedorahosted.org/freeipa/ticket/4925
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Verify version and platform before upgrade or ipactl start|restart
Upgrade:
* do not allow upgrade on different platforms
* do not allow upgrade data with higher version than build has
Start:
* do not start services if platform mismatch
* do not start services if upgrade is needed
* do not start services if data with higher version than build has
New ipactl options:
--skip-version-check: do not validate IPA version
--ignore-service-failures (was --force): ignore if a service start fail
and continue with starting other services
--force: combine --skip-version-check and --ignore-service-failures
https://fedorahosted.org/freeipa/ticket/4904
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* add 'plugin' directive
* specify plugins order in update files
* remove 'run plugins' options
* use ldapupdater API instance in plugins
* add update files representing former PreUpdate and PostUpdate order of plugins
https://fedorahosted.org/freeipa/ticket/4904
Reviewed-By: David Kupka <dkupka@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4904
Reviewed-By: David Kupka <dkupka@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Services hasn't been restored correctly, which causes disabling already
disabled services, or some service did not start. This patch fix these
issues.
Ticket: https://fedorahosted.org/freeipa/ticket/4869
Reviewed-By: David Kupka <dkupka@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
The patch adds a function which calls 'remove-ds.pl' during DS instance
removal. This should allow for a more thorough removal of DS related data
during server uninstallation (such as closing custom ports, cleaning up
slapd-* entries etc.)
This patch is related to https://fedorahosted.org/freeipa/ticket/4487.
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
For CA certificates that are not certificates of IPA CA, we incorrectly
set the trust flags to ",,", regardless what the actual trust_flags
parameter was passed.
Make the load_cacert method respect trust_flags and make it a required
argument.
https://fedorahosted.org/freeipa/ticket/4779
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
| |
https://fedoraproject.org/wiki/Packaging:UsersAndGroups?rd=Packaging/UsersAndGroups#Soft_static_allocation
https://fedorahosted.org/freeipa/ticket/4585
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4399
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417
Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
|
