freeipa.git/daemons, branch ccachesess FreeIPA patches Use RemoveOnStop to cleanup systemd sockets 2017-02-17T14:19:07+00:00 Nathaniel McCallum npmccallum@redhat.com 2017-02-17T14:10:14+00:00 d05d1115e409962fee3576a4bfc5cecfacef4fd3 Reviewed-By: Christian Heimes <cheimes@redhat.com> 
Reviewed-By: Christian Heimes <cheimes@redhat.com>
ipa-kdb: support KDB DAL version 6.1 2017-02-15T13:24:05+00:00 Alexander Bokovoy abokovoy@redhat.com 2017-01-24T09:02:30+00:00 593ea7da9a732647052cb56c08ad367e40be3912 DAL version 6.0 removed support for a callback to free principal. This broke KDB drivers which had complex e_data structure within the principal structure. As result, FreeIPA KDB driver was leaking memory with DAL version 6.0 (krb5 1.15). DAL version 6.1 added a special callback for freeing e_data structure. See details at krb5/krb5#596 Restructure KDB driver code to provide this callback in case we are built against DAL version that supports it. For DAL version prior to 6.0 use this callback in the free_principal callback to tidy the code. Use explicit KDB version dependency in Fedora 26+ via BuildRequires. With new DAL version, freeipa package will fail to build and we'll have to add a support for new DAL version explicitly. https://fedorahosted.org/freeipa/ticket/6619 Reviewed-By: Simo Sorce <ssorce@redhat.com> Reviewed-By: Robbie Harwood <rharwood@redhat.com> 
DAL version 6.0 removed support for a callback to free principal.
This broke KDB drivers which had complex e_data structure within
the principal structure. As result, FreeIPA KDB driver was leaking
memory with DAL version 6.0 (krb5 1.15).

DAL version 6.1 added a special callback for freeing e_data structure.
See details at krb5/krb5#596

Restructure KDB driver code to provide this callback in case
we are built against DAL version that supports it. For DAL version
prior to 6.0 use this callback in the free_principal callback to
tidy the code.

Use explicit KDB version dependency in Fedora 26+ via BuildRequires.

With new DAL version, freeipa package will fail to build and
we'll have to add a support for new DAL version explicitly.

https://fedorahosted.org/freeipa/ticket/6619

Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Clean / ignore make check artefact 2017-01-18T08:19:15+00:00 Christian Heimes cheimes@redhat.com 2017-01-09T10:23:32+00:00 d8343a96dd206c9f25cf032a50f3b48fb8166db1 In tree runs of make check leave some artifacts around. The patch adds them to make clean and .gitignore. Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> 
In tree runs of make check leave some artifacts around. The patch adds
them to make clean and .gitignore.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
ipa-kdb: search for password policies globally 2016-12-15T16:32:33+00:00 Alexander Bokovoy abokovoy@redhat.com 2016-12-15T14:30:00+00:00 73f33569c8893610e246b2f44a7aeaec872b37e6 With the CoS templates now used to create additional password policies per object type that are placed under the object subtrees, DAL driver needs to search for the policies in the whole tree. Individual policies referenced by the krbPwdPolicyReference attribute are always searched by their full DN and with the base scope. However, when KDC asks a DAL driver to return a password policy by name, we don't have any specific base to search. The original code did search by the realm subtree. Fixes https://fedorahosted.org/freeipa/ticket/6561 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
With the CoS templates now used to create additional password policies
per object type that are placed under the object subtrees, DAL driver
needs to search for the policies in the whole tree.

Individual policies referenced by the krbPwdPolicyReference attribute
are always searched by their full DN and with the base scope. However,
when KDC asks a DAL driver to return a password policy by name, we don't
have any specific base to search. The original code did search by the
realm subtree.

Fixes https://fedorahosted.org/freeipa/ticket/6561

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Set explicit confdir option for global contexts 2016-12-02T08:14:35+00:00 Christian Heimes cheimes@redhat.com 2016-11-28T15:24:33+00:00 1e6a204b4372bbbfb722a00370a5ce4e34406b9f Some API contexts are used to modify global state (e.g. files in /etc and /var). These contexts do not support confdir overrides. Initialize the API with an explicit confdir argument to paths.ETC_IPA. The special contexts are: * backup * cli_installer * installer * ipctl * renew * restore * server * updates The patch also corrects the context of the ipa-httpd-kdcproxy script to 'server'. https://fedorahosted.org/freeipa/ticket/6389 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Some API contexts are used to modify global state (e.g. files in /etc
and /var). These contexts do not support confdir overrides. Initialize
the API with an explicit confdir argument to paths.ETC_IPA.

The special contexts are:

* backup
* cli_installer
* installer
* ipctl
* renew
* restore
* server
* updates

The patch also corrects the context of the ipa-httpd-kdcproxy script to
'server'.

https://fedorahosted.org/freeipa/ticket/6389

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Build: properly integrate ipa-version.h.in into build system 2016-11-29T14:28:24+00:00 Petr Spacek pspacek@redhat.com 2016-11-22T11:32:27+00:00 ba6ae666acaf8b930d18f45efc7c9c9faad3526b AC_CONFIG_FILES in configure.ac works well only with Makefiles. Other files have to be handled by Makefile.am so depedencies are tracked properly. https://fedorahosted.org/freeipa/ticket/6498 Reviewed-By: Martin Basti <mbasti@redhat.com> 
AC_CONFIG_FILES in configure.ac works well only with Makefiles.
Other files have to be handled by Makefile.am so depedencies
are tracked properly.

https://fedorahosted.org/freeipa/ticket/6498

Reviewed-By: Martin Basti <mbasti@redhat.com>
ipautil: move kinit functions to ipalib.install 2016-11-29T13:50:51+00:00 Jan Cholasta jcholast@redhat.com 2016-11-23T16:40:47+00:00 7d5c680ace7ccea3b0f7f1471cf8dbc07b3da5a1 kinit_password() depends on ipaplatform. Move kinit_password() as well as kinit_keytab() to a new ipalib.install.kinit module, as they are used only from installers. https://fedorahosted.org/freeipa/ticket/6474 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 
kinit_password() depends on ipaplatform.

Move kinit_password() as well as kinit_keytab() to a new
ipalib.install.kinit module, as they are used only from installers.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
ipapython: move dnssec, p11helper and secrets to ipaserver 2016-11-29T13:50:51+00:00 Jan Cholasta jcholast@redhat.com 2016-11-22T16:55:10+00:00 a1f260d021bf5d018e634438fde6b7c81ebbbcef The dnssec and secrets subpackages and the p11helper module depend on ipaplatform. Move them to ipaserver as they are used only on the server. https://fedorahosted.org/freeipa/ticket/6474 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 
The dnssec and secrets subpackages and the p11helper module depend on
ipaplatform.

Move them to ipaserver as they are used only on the server.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
IPA Allows Password Reuse with History value defined when admin resets the password. 2016-11-24T16:01:02+00:00 Thierry Bordaz tbordaz@redhat.com 2016-10-19T13:04:13+00:00 c223130d5f429278202aaf8bf87af53911a3b448 When admin reset a user password, history of user passwords is preserved according to its policy. https://fedorahosted.org/freeipa/ticket/6402 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
When admin reset a user password, history of user passwords is
preserved according to its policy.

https://fedorahosted.org/freeipa/ticket/6402

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Add main guards to a couple of Python scripts 2016-11-24T15:35:43+00:00 Christian Heimes cheimes@redhat.com 2016-11-17T16:48:06+00:00 a8376a244758494db31341442bc2163e1807b7ac Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> 
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>