freeipa.git/install/share, branch review FreeIPA patches Allow to specify Kerberos authz data type per user 2015-12-09T19:59:12+00:00 Simo Sorce simo@redhat.com 2015-11-24T23:01:52+00:00 f21c88b9f74453c6d6e16fb17d94efa469eed564 Like for services setting the ipaKrbAuthzData attribute on a user object will allow us to control exactly what authz data is allowed for that user. Setting NONE would allow no authz data, while setting MS-PAC would allow only Active Directory compatible data. Signed-off-by: Simo Sorce <simo@redhat.com> Ticket: https://fedorahosted.org/freeipa/ticket/2579 
Like for services setting the ipaKrbAuthzData attribute on a user object will
allow us to control exactly what authz data is allowed for that user.
Setting NONE would allow no authz data, while setting MS-PAC would allow only
Active Directory compatible data.

Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/2579
Disable User's ability to use the setkeytab exop. 2015-12-08T15:09:28+00:00 Simo Sorce simo@redhat.com 2015-11-24T19:02:01+00:00 3aca4469af228bdc78c194751f0d19b6454e9f3e Users can still obtain a keytab for themselves using the getkeytab exop which does not circumvent password policy checks. Users are disallowed from using setkeytab by default in new installations but not in existing installations (no forced upgrade). Signed-off-by: Simo Sorce <simo@redhat.com> Ticket: https://fedorahosted.org/freeipa/ticket/5485 
Users can still obtain a keytab for themselves using the getkeytab exop
which does not circumvent password policy checks.

Users are disallowed from using setkeytab by default in new installations
but not in existing installations (no forced upgrade).

Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/5485
Use only AES enctypes by default 2015-12-08T15:09:28+00:00 Simo Sorce simo@redhat.com 2015-11-23T18:40:42+00:00 3571184429c9bef9aa2b8831f3c27793b64e8024 Remove des3 and arcfour from the defaults for new installs. NOTE: the ipasam/dcerpc code sill uses arcfour Signed-off-by: Simo Sorce <simo@redhat.com> Ticket: https://fedorahosted.org/freeipa/ticket/4740 
Remove des3 and arcfour from the defaults for new installs.

NOTE: the ipasam/dcerpc code sill uses arcfour

Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/4740
aci: replace per-server ACIs with ipaserver-based ACIs 2015-12-07T07:13:23+00:00 Jan Cholasta jcholast@redhat.com 2015-12-01T09:44:59+00:00 7b9a97383ce4090d30e624fc8b7263d6c5f1b823 https://fedorahosted.org/freeipa/ticket/3416 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> 
https://fedorahosted.org/freeipa/ticket/3416

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
aci: add IPA servers host group 'ipaservers' 2015-12-07T07:13:23+00:00 Jan Cholasta jcholast@redhat.com 2015-12-01T09:42:38+00:00 a8d7ce5cf1ccd6c8a81fa5b4569afa3aa3c2882d https://fedorahosted.org/freeipa/ticket/3416 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> 
https://fedorahosted.org/freeipa/ticket/3416

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
rename topology suffixes to "domain" and "ca" 2015-12-04T11:59:21+00:00 Petr Vobornik pvoborni@redhat.com 2015-11-27T16:00:23+00:00 517aa84569ae144a8b781ef7ad67e356d9021757 https://www.redhat.com/archives/freeipa-devel/2015-November/msg00485.html Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
https://www.redhat.com/archives/freeipa-devel/2015-November/msg00485.html

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Sync kerberos LDAP schema with upstream. 2015-12-03T15:02:55+00:00 Simo Sorce simo@redhat.com 2015-11-24T23:38:08+00:00 5ed1b844dcb7d4a57a7067eef63b644df47bd740 All the new attributes are unused for now, but this allows us to keep tailing upstream in case of other useful changes later on. Signed-off-by: Simo Sorce <simo@redhat.com> Ticket: https://fedorahosted.org/freeipa/ticket/2086 Reviewed-By: Martin Basti <mbasti@redhat.com> 
All the new attributes are unused for now, but this allows us to keep tailing
upstream in case of other useful changes later on.

Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/2086
Reviewed-By: Martin Basti <mbasti@redhat.com>
Add profiles and default CA ACL on migration 2015-11-24T09:12:24+00:00 Fraser Tweedale ftweedal@redhat.com 2015-11-23T01:09:32+00:00 620036d26e98fdcefff00168e9e5463a8257d49c Profiles and the default CA ACL were not being added during replica install from pre-4.2 servers. Update ipa-replica-install to add these if they are missing. Also update the caacl plugin to prevent deletion of the default CA ACL and instruct the administrator to disable it instead. To ensure that the cainstance installation can add profiles, supply the RA certificate as part of the instance configuration. Certmonger renewal setup is avoided at this point because the NSSDB gets reinitialised later in installation procedure. Also move the addition of the default CA ACL from dsinstance installation to cainstance installation. Fixes: https://fedorahosted.org/freeipa/ticket/5459 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Profiles and the default CA ACL were not being added during replica
install from pre-4.2 servers.  Update ipa-replica-install to add
these if they are missing.

Also update the caacl plugin to prevent deletion of the default CA
ACL and instruct the administrator to disable it instead.

To ensure that the cainstance installation can add profiles, supply
the RA certificate as part of the instance configuration.
Certmonger renewal setup is avoided at this point because the NSSDB
gets reinitialised later in installation procedure.

Also move the addition of the default CA ACL from dsinstance
installation to cainstance installation.

Fixes: https://fedorahosted.org/freeipa/ticket/5459
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Drop configure.jar 2015-11-13T13:02:45+00:00 Martin Basti mbasti@redhat.com 2015-10-27T14:36:55+00:00 19044e87ac54200b7710b8ec5405175c3d749e76 Configure.jar used to be used with firefox version < 10 which is not supported anymore, thus this can be removed. https://fedorahosted.org/freeipa/ticket/5144 Reviewed-By: Petr Vobornik <pvoborni@redhat.com> 
Configure.jar used to be used with firefox version < 10 which is not
supported anymore, thus this can be removed.

https://fedorahosted.org/freeipa/ticket/5144

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Allow to setup the CA when promoting a replica 2015-10-15T12:24:33+00:00 Simo Sorce simo@redhat.com 2015-08-07T19:14:58+00:00 2606f5aecd6ac0db31abb515b691529bb7eaf14e This patch makes --setup-ca work to set upa clone CA while creating a new replica. The standalone ipa-ca-install script is not converted yet though. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
This patch makes --setup-ca work to set upa clone CA while creating
a new replica. The standalone ipa-ca-install script is not converted
yet though.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>