freeipa.git, branch ipa-2-2 FreeIPA patches Fixed boot.ldif permission. 2012-10-10T15:06:16+00:00 Endi Sukma Dewata edewata@redhat.com 2012-03-16T22:15:26+00:00 952ffe49a67cf1692411160ad63cd26764dc77cf The server installation failed on F17 due to permission problem. The /var/lib/dirsrv/boot.ldif was previously owned and only readable by root. It is now owned by DS user dirsrv. Ticket #2544 Conflicts: ipaserver/install/dsinstance.py 
The server installation failed on F17 due to permission problem.
The /var/lib/dirsrv/boot.ldif was previously owned and only readable
by root. It is now owned by DS user dirsrv.

Ticket #2544

Conflicts:
	ipaserver/install/dsinstance.py
Fix jquery error when using '??' in a pkey 2012-09-18T11:39:04+00:00 Petr Vobornik pvoborni@redhat.com 2012-07-20T11:17:51+00:00 08e3fbb3b6c1c043feda6d72e50a8d35c482098c If '??' is used in a adder dialog as a pkey it can cause "jQuery15208158273949015573_1346241267446 was not called" error. Update of jquery library fixes the issue. Update unreveals an incorrect handler definition issue in ssh_key_widget, which is also fixed. https://bugzilla.redhat.com/show_bug.cgi?id=855278 https://fedorahosted.org/freeipa/ticket/3073 
If '??' is used in a adder dialog as a pkey it can cause "jQuery15208158273949015573_1346241267446 was not called" error.

Update of jquery library fixes the issue. Update unreveals an incorrect handler definition issue in ssh_key_widget, which is also fixed.

https://bugzilla.redhat.com/show_bug.cgi?id=855278
https://fedorahosted.org/freeipa/ticket/3073
Add support for disabling KDC writes 2012-06-07T02:11:41+00:00 Simo Sorce ssorce@redhat.com 2012-05-23T16:35:44+00:00 97e362681ff9c81d76b6b015467309f90e301bce Add two global ipaConfig options to disable undesirable writes that have performance impact. The "KDC:Disable Last Success" will disable writing back to ldap the last successful AS Request time (successful kinit) The "KDC:Disable Lockout" will disable completely writing back lockout related data. This means lockout policies will stop working. https://fedorahosted.org/freeipa/ticket/2734 
Add two global ipaConfig options to disable undesirable writes that have
performance impact.
The "KDC:Disable Last Success" will disable writing back to ldap the last
successful AS Request time (successful kinit)
The "KDC:Disable Lockout" will disable completely writing back lockout
related data. This means lockout policies will stop working.

https://fedorahosted.org/freeipa/ticket/2734
SSH configuration fixes. 2012-05-30T05:47:44+00:00 Jan Cholasta jcholast@redhat.com 2012-05-23T09:00:55+00:00 0b33b9fb3791545ab952b46c7443482a52fe6a6c Use GlobalKnownHostsFile instead of GlobalKnownHostsFile2 in ssh_config, as the latter has been deprecated in OpenSSH 5.9. If DNS host key verification is enabled, restrict the set of allowed host public key algorithms to ssh-rsa and ssh-dss, as DNS SSHFP records support only these algorithms. Make sure public key user authentication is enabled in both ssh and sshd. ticket 2769 
Use GlobalKnownHostsFile instead of GlobalKnownHostsFile2 in ssh_config, as the
latter has been deprecated in OpenSSH 5.9.

If DNS host key verification is enabled, restrict the set of allowed host
public key algorithms to ssh-rsa and ssh-dss, as DNS SSHFP records support only
these algorithms.

Make sure public key user authentication is enabled in both ssh and sshd.

ticket 2769
Index the fqdn attribute. 2012-05-22T06:27:22+00:00 Rob Crittenden rcritten@redhat.com 2012-05-21T20:37:58+00:00 ce11a7c0e22ee8f70e14c43419f20be70176fe8c We do a search on this when installing a replica. https://fedorahosted.org/freeipa/ticket/2735 
We do a search on this when installing a replica.

https://fedorahosted.org/freeipa/ticket/2735
Check for locked-out user before incrementing lastfail. 2012-05-18T07:03:35+00:00 Rob Crittenden rcritten@redhat.com 2012-05-17T17:17:21+00:00 608d297cb9f19b80587514b7a7cfa3b686ecf3e7 If a user become locked due to too many failed logins and then were unlocked by an administrator, the account would not lock again. This was caused by two things: - We were incrementing the fail counter before checking to see if the account was already locked out. - The current fail count wasn't taken into consideration when deciding if the account is locked. The sequence was this: 1. Unlocked account, set failcount to 0 2. Failed login, increment failcount 3. Within lastfailed + lockout_duration, still locked. This skips update the last_failed date. So I reversed 2 and 3 and check to see if the fail count exceeds policy. https://fedorahosted.org/freeipa/ticket/2765 
If a user become locked due to too many failed logins and then were
unlocked by an administrator, the account would not lock again. This
was caused by two things:

 - We were incrementing the fail counter before checking to see if the
   account was already locked out.
 - The current fail count wasn't taken into consideration when
   deciding if the account is locked.

The sequence was this:

1. Unlocked account, set failcount to 0
2. Failed login, increment failcount
3. Within lastfailed + lockout_duration, still locked. This skips
   update the last_failed date.

So I reversed 2 and 3 and check to see if the fail count exceeds policy.

https://fedorahosted.org/freeipa/ticket/2765
Fix migration code password setting. 2012-05-17T15:18:12+00:00 Simo Sorce ssorce@redhat.com 2012-05-17T14:33:43+00:00 f883b2547d887eac7976d0372f5b25d48a1b3a4d When we set a password we also need to make sure krbExtraData is set. If not kadmin will later complain that the object is corrupted at password change time. Ticket: https://fedorahosted.org/freeipa/ticket/2764 
When we set a password we also need to make sure krbExtraData is set.
If not kadmin will later complain that the object is corrupted at password
change time.

Ticket: https://fedorahosted.org/freeipa/ticket/2764
Host page fixed to work with disabled DNS support 2012-05-15T10:49:07+00:00 Petr Vobornik pvoborni@redhat.com 2012-05-04T12:02:01+00:00 2c362c9079c004533bceeb55556afc6fd8a0e930 When DNS support was disabled there were following errors in Web UI: 1) Host details page was not filled with data 2) Host adder dialog was broken -> unusable 3) DNS tab was displayed in navigation The bugs were fixed by: 1) Was caused by entity_link_widget. The widget was modified to do not show link if other_entity (in this case dnsrecord) is not present. 2) Was caused by host_fqdn_widget. The widget is unusable becouse withou DNS support it doesn't have access to DNS zone entity. The section with this widget was removed. Also IP address field was removed because it shouln't be used without DNS support. New 'fqdn' text box was added for specifying hostname. 3) New DNS config entity was initialized but it wasn't shown because it caused some JavaScript error. The dnsconfig's init method was modified to throw expected exception. Now no dns entity is initialized and therefore DNS tab in navigation is not displayed. https://fedorahosted.org/freeipa/ticket/2728 
When DNS support was disabled there were following errors in Web UI:
 1) Host details page was not filled with data
 2) Host adder dialog was broken -> unusable
 3) DNS tab was displayed in navigation

The bugs were fixed by:

1) Was caused by entity_link_widget. The widget was modified to do not show link if other_entity (in this case dnsrecord) is not present.

2) Was caused by host_fqdn_widget. The widget is unusable becouse withou DNS support it doesn't have access to DNS zone entity. The section with this widget was removed. Also IP address field was removed because it shouln't be used without DNS support. New 'fqdn' text box was added for specifying hostname.

3) New DNS config entity was initialized but it wasn't shown because it caused some JavaScript error. The dnsconfig's init method was modified to throw expected exception. Now no dns entity is initialized and therefore DNS tab in navigation is not displayed.

https://fedorahosted.org/freeipa/ticket/2728
Become IPA 2.2.0 2012-05-03T00:11:41+00:00 Rob Crittenden rcritten@redhat.com 2012-05-03T00:11:41+00:00 b16d4340c4b9b9057c980284afe3f03e19bdc8cb 






Update hostname validator error messages in tests
2012-05-03T14:55:05+00:00

Petr Viktorin
pviktori@redhat.com

2012-05-03T10:47:17+00:00

8fac99634f3be38951dd2ad32ea76f2b0d0ec1b5

A recent patch changed the error message from the hostname
validator. Update the tests to reflect this change.





A recent patch changed the error message from the hostname
validator. Update the tests to reflect this change.