freeipa.git/install/updates, branch review FreeIPA patches Convert ipa-sam to use the new getkeytab control 2015-12-09T19:59:12+00:00 Simo Sorce simo@redhat.com 2015-12-01T18:43:35+00:00 6e31ab4b62d0fc6f2b2bef79d7914d7c06cac49c Signed-off-by: Simo Sorce <simo@redhat.com> Ticket: https://fedorahosted.org/freeipa/ticket/5495 
Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/5495
aci: allow members of ipaservers to set up replication 2015-12-07T07:14:13+00:00 Jan Cholasta jcholast@redhat.com 2015-11-13T07:15:55+00:00 e137f305edf2a107b06a00b05b06464b8707ab82 Add ACIs which allow the members of the ipaservers host group to set up replication. This allows IPA hosts to perform replica promotion on themselves. A number of checks which need read access to certain LDAP entries is done during replica promotion. Add ACIs to allow these checks to be done using any valid IPA host credentials. https://fedorahosted.org/freeipa/ticket/5401 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> 
Add ACIs which allow the members of the ipaservers host group to set up
replication. This allows IPA hosts to perform replica promotion on
themselves.

A number of checks which need read access to certain LDAP entries is done
during replica promotion. Add ACIs to allow these checks to be done using
any valid IPA host credentials.

https://fedorahosted.org/freeipa/ticket/5401

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
aci: replace per-server ACIs with ipaserver-based ACIs 2015-12-07T07:13:23+00:00 Jan Cholasta jcholast@redhat.com 2015-12-01T09:44:59+00:00 7b9a97383ce4090d30e624fc8b7263d6c5f1b823 https://fedorahosted.org/freeipa/ticket/3416 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> 
https://fedorahosted.org/freeipa/ticket/3416

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
aci: add IPA servers host group 'ipaservers' 2015-12-07T07:13:23+00:00 Jan Cholasta jcholast@redhat.com 2015-12-01T09:42:38+00:00 a8d7ce5cf1ccd6c8a81fa5b4569afa3aa3c2882d https://fedorahosted.org/freeipa/ticket/3416 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> 
https://fedorahosted.org/freeipa/ticket/3416

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
rename topology suffixes to "domain" and "ca" 2015-12-04T11:59:21+00:00 Petr Vobornik pvoborni@redhat.com 2015-11-27T16:00:23+00:00 517aa84569ae144a8b781ef7ad67e356d9021757 https://www.redhat.com/archives/freeipa-devel/2015-November/msg00485.html Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
https://www.redhat.com/archives/freeipa-devel/2015-November/msg00485.html

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Add profiles and default CA ACL on migration 2015-11-24T09:12:24+00:00 Fraser Tweedale ftweedal@redhat.com 2015-11-23T01:09:32+00:00 620036d26e98fdcefff00168e9e5463a8257d49c Profiles and the default CA ACL were not being added during replica install from pre-4.2 servers. Update ipa-replica-install to add these if they are missing. Also update the caacl plugin to prevent deletion of the default CA ACL and instruct the administrator to disable it instead. To ensure that the cainstance installation can add profiles, supply the RA certificate as part of the instance configuration. Certmonger renewal setup is avoided at this point because the NSSDB gets reinitialised later in installation procedure. Also move the addition of the default CA ACL from dsinstance installation to cainstance installation. Fixes: https://fedorahosted.org/freeipa/ticket/5459 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Profiles and the default CA ACL were not being added during replica
install from pre-4.2 servers.  Update ipa-replica-install to add
these if they are missing.

Also update the caacl plugin to prevent deletion of the default CA
ACL and instruct the administrator to disable it instead.

To ensure that the cainstance installation can add profiles, supply
the RA certificate as part of the instance configuration.
Certmonger renewal setup is avoided at this point because the NSSDB
gets reinitialised later in installation procedure.

Also move the addition of the default CA ACL from dsinstance
installation to cainstance installation.

Fixes: https://fedorahosted.org/freeipa/ticket/5459
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
custodia: ipa-upgrade failed on replica 2015-11-05T10:46:48+00:00 Gabe redhatrises@gmail.com 2015-11-05T02:09:58+00:00 1e91ef33b522c3b316c7917379e56c168b1e2d52 - Add 73-custodia.update to install/updates/Makefile.am https://fedorahosted.org/freeipa/ticket/5374 Reviewed-By: Martin Basti <mbasti@redhat.com> 
- Add 73-custodia.update to install/updates/Makefile.am

https://fedorahosted.org/freeipa/ticket/5374

Reviewed-By: Martin Basti <mbasti@redhat.com>
Remove 50-lockout-policy.update file 2015-10-30T13:20:16+00:00 Gabe redhatrises@gmail.com 2015-10-30T12:27:11+00:00 7ef827eeb6b65af8915019bac82932a2c831fc95 Remove lockout policy update file because all currently supported versions have krbPwdMaxFailure defaulting to 6 and krbPwdLockoutDuration defaulting to 600. Keeping lockout policy update file prevents from creating a more scrict policy in environments subject to regulatory compliance https://fedorahosted.org/freeipa/ticket/5418 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Remove lockout policy update file because all currently supported versions
have krbPwdMaxFailure defaulting to 6 and krbPwdLockoutDuration defaulting to 600.

Keeping lockout policy update file prevents from creating a more scrict policy in
environments subject to regulatory compliance

https://fedorahosted.org/freeipa/ticket/5418

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
topology plugin configuration workaround 2015-10-15T12:24:33+00:00 Petr Vobornik pvoborni@redhat.com 2015-07-23T12:56:12+00:00 80e11d24696c30ee311bd019ed39df8fc0f908a2 Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
enable topology plugin on upgrade 2015-10-15T12:24:33+00:00 Petr Vobornik pvoborni@redhat.com 2015-07-31T14:22:13+00:00 834b5fd513d799bb9fe2cbc29417ff8ec7357033 Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>