freeipa.git/install/updates, branch kdc-fixes FreeIPA patches DNS: Consolidate DNS RR types in API and schema 2015-07-21T15:18:29+00:00 Martin Basti mbasti@redhat.com 2015-07-15T07:44:07+00:00 5ea41abe9836c94579115f9b220a8205b15d520d * Remove NSEC3, DNSKEY, TSIG, TKEY, TA records from API: These records never worked, they dont have attributes in schema. TSIG and TKEY are meta-RR should not be in LDAP TA is not supported by BIND NSEC3, DNSKEY are DNSSEC records generated by BIND, should not be in LDAP. *! SIG, NSEC are already defined in schema, must stay in API. * Add HINFO, MINFO, MD, NXT records to API as unsupported records These records are already defined in LDAP schema * Add schema for RP, APL, IPSEC, DHCID, HIP, SPF records These records were defined in IPA API as unsupported, but schema definition was missing. This causes that ACI cannot be created for these records and dnszone-find failed. (#5055) https://fedorahosted.org/freeipa/ticket/4934 https://fedorahosted.org/freeipa/ticket/5055 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> Reviewed-By: Petr Spacek <pspacek@redhat.com> 
* Remove NSEC3, DNSKEY, TSIG, TKEY, TA records from API:
    These records never worked, they dont have attributes in schema.
    TSIG and TKEY are meta-RR should not be in LDAP
    TA is not supported by BIND
    NSEC3, DNSKEY are DNSSEC records generated by BIND, should not be
    in LDAP.
    *! SIG, NSEC are already defined in schema, must stay in API.

* Add HINFO, MINFO, MD, NXT records to API as unsupported records
    These records are already defined in LDAP schema

* Add schema for RP, APL, IPSEC, DHCID, HIP, SPF records
    These records were defined in IPA API as unsupported, but schema definition was
    missing. This causes that ACI cannot be created for these records
    and dnszone-find failed. (#5055)

https://fedorahosted.org/freeipa/ticket/4934
https://fedorahosted.org/freeipa/ticket/5055

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
upgrade: Enable and start oddjobd if adtrust is available 2015-07-08T15:14:56+00:00 Tomas Babej tbabej@redhat.com 2015-07-08T13:45:18+00:00 9c5df3cf76c921d268e7892ef9d9e7a7d2ad89f9 If ipa-adtrust-install has already been run on the system, enable and start the oddjobd service. Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
If ipa-adtrust-install has already been run on the system,
enable and start the oddjobd service.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
trusts: add ACIs to allow AD trust agents to fetch cross-realm keytabs 2015-07-07T23:56:52+00:00 Alexander Bokovoy abokovoy@redhat.com 2015-06-05T17:56:12+00:00 5025204175fad221a74befa7dc52087fcd0751c6 Part of https://fedorahosted.org/freeipa/ticket/4959 Reviewed-By: Tomas Babej <tbabej@redhat.com> 
Part of https://fedorahosted.org/freeipa/ticket/4959

Reviewed-By: Tomas Babej <tbabej@redhat.com>
Add ACI to allow hosts to add their own services 2015-06-29T11:41:52+00:00 Rob Crittenden rcritten@redhat.com 2015-06-09T15:26:32+00:00 ce50630d5ece036e35d8e11db8383e4e7e9159ae Use wildcards and DN matching in an ACI to allow a host that binds using GSSAPI to add a service for itself. Set required version of 389-ds-base to 1.3.4.0 GA. https://fedorahosted.org/freeipa/ticket/4567 Reviewed-By: Martin Basti <mbasti@redhat.com> 
Use wildcards and DN matching in an ACI to allow a host
that binds using GSSAPI to add a service for itself.

Set required version of 389-ds-base to 1.3.4.0 GA.

https://fedorahosted.org/freeipa/ticket/4567

Reviewed-By: Martin Basti <mbasti@redhat.com>
Fix indicies ntUserDomainId, ntUniqueId 2015-06-29T11:40:29+00:00 Martin Basti mbasti@redhat.com 2015-06-26T15:14:41+00:00 16f47ed4520d4f89db39d1dc58be7a8efb1d8612 ntUserDomainId and ntUniqueId contained "eq,pres" index value, which is not valid. Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
ntUserDomainId and ntUniqueId  contained "eq,pres" index value, which is
not valid.

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Server Upgrade: create default config for NIS Server plugin 2015-06-18T15:48:36+00:00 Martin Basti mbasti@redhat.com 2015-06-11T11:59:09+00:00 20ffd4b61434e2630bf6512170a213767ff8d679 Plugin is disabled by default. This commit prevents false positive upgrade errors. Reviewed-By: Martin Basti <mbasti@redhat.com> 
Plugin is disabled by default.

This commit prevents false positive upgrade errors.

Reviewed-By: Martin Basti <mbasti@redhat.com>
add DS index for userCertificate attribute 2015-06-18T13:42:03+00:00 Martin Babinsky mbabinsk@redhat.com 2015-06-16T11:20:15+00:00 3bea4418089dc97136040cfc58157a77aea8b0aa 'eq' and 'pres' indices for userCertificate attribute allow for more efficient lookup and matching of binary certificates assigned to users, hosts, and services. Part of http://www.freeipa.org/page/V4/User_Certificates Reviewed-By: Martin Basti <mbasti@redhat.com> 
'eq' and 'pres' indices for userCertificate attribute allow for more efficient
lookup and matching of binary certificates assigned to users, hosts, and
services.

Part of http://www.freeipa.org/page/V4/User_Certificates

Reviewed-By: Martin Basti <mbasti@redhat.com>
DNS: add UnknownRecord to schema 2015-06-18T12:37:28+00:00 Martin Basti mbasti@redhat.com 2015-05-22T10:39:08+00:00 3ababb763b93af4012705d59d2f55801d172835c defintion of UnknownRecord attributetype https://fedorahosted.org/freeipa/ticket/4939 Reviewed-By: Petr Spacek <pspacek@redhat.com> 
defintion of UnknownRecord attributetype

https://fedorahosted.org/freeipa/ticket/4939

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Add CA ACL plugin 2015-06-11T10:50:31+00:00 Fraser Tweedale ftweedal@redhat.com 2015-05-25T12:39:07+00:00 bc0c60688505968daf6851e3e179aab20e23af7d Implement the caacl commands, which are used to indicate which principals may be issued certificates from which (sub-)CAs, using which profiles. At this commit, and until sub-CAs are implemented, all rules refer to the top-level CA (represented as ".") and no ca-ref argument is exposed. Also, during install and upgrade add a default CA ACL that permits certificate issuance for all hosts and services using the profile 'caIPAserviceCert' on the top-level CA. Part of: https://fedorahosted.org/freeipa/ticket/57 Part of: https://fedorahosted.org/freeipa/ticket/4559 Reviewed-By: Martin Basti <mbasti@redhat.com> 
Implement the caacl commands, which are used to indicate which
principals may be issued certificates from which (sub-)CAs, using
which profiles.

At this commit, and until sub-CAs are implemented, all rules refer
to the top-level CA (represented as ".") and no ca-ref argument is
exposed.

Also, during install and upgrade add a default CA ACL that permits
certificate issuance for all hosts and services using the profile
'caIPAserviceCert' on the top-level CA.

Part of: https://fedorahosted.org/freeipa/ticket/57
Part of: https://fedorahosted.org/freeipa/ticket/4559

Reviewed-By: Martin Basti <mbasti@redhat.com>
add entries required by topology plugin on update 2015-06-11T10:10:40+00:00 Petr Vobornik pvoborni@redhat.com 2015-06-04T14:27:51+00:00 99ce650b59dbf9da7dc95f1cade91fcfa55b8375 These entries were not added on upgrade from old IPA servers and on replica creation. https://fedorahosted.org/freeipa/ticket/4302 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
These entries were not added on upgrade from old IPA servers and on replica
creation.

https://fedorahosted.org/freeipa/ticket/4302

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>