freeipa.git/install, branch clisesshandling

Support 8192-bit RSA keys in default cert profile

2017-03-22T11:29:23+00:00

Update the caIPAserviceCert profile to accept 8192-bit RSA keys.
Affects new installs only, because there is not yet a facility to
update included profiles.

Fixes: https://pagure.io/freeipa/issue/6319
Reviewed-By: Tomas Krizek

man ipa-cacert-manage install needs clarification

2017-03-22T09:13:56+00:00

The customers are often confused by ipa-cacert-manage install. The man page
should make it clear that IPA CA is not modified in any way by this command.

https://pagure.io/freeipa/issue/6795

Reviewed-By: Tomas Krizek

Increase Apache HTTPD's default keep alive timeout

2017-03-20T18:24:28+00:00

Apache has a default keep alive timeout of 5 seconds. That's too low for
interactive commands, e.g. password prompts. 30 seconds sounds like a
good compromise.

Signed-off-by: Christian Heimes 
Reviewed-By: Tomas Krizek

Add options to allow ticket caching

2017-03-16T12:10:37+00:00

This new option (planned to land in gssproxy 0.7) we cache the ldap
ticket properly and avoid a ticket lookup to the KDC on each and every
ldap connection. (Also requires krb5 libs 1.15.1 to benefit from caching).

Ticket: https://pagure.io/freeipa/issue/6771

Signed-off-by: Simo Sorce 
Reviewed-By: Christian Heimes 
Reviewed-By: Alexander Bokovoy

Fix Python 3 pylint errors

2017-03-15T18:11:32+00:00

************* Module ipaserver.install.ipa_kra_install
ipaserver/install/ipa_kra_install.py:25: [W0402(deprecated-module), ] Uses of a deprecated module 'optparse')
************* Module ipapython.install.core
ipapython/install/core.py:163: [E1101(no-member), _knob] Module 'types' has no 'TypeType' member)
************* Module ipatests.test_ipapython.test_dn
ipatests/test_ipapython/test_dn.py:1205: [W1505(deprecated-method), TestDN.test_x500_text] Using deprecated method assertEquals())
************* Module ipa-ca-install
install/tools/ipa-ca-install:228: [E1101(no-member), install_master] Instance of 'ValueError' has no 'message' member)
install/tools/ipa-ca-install:232: [E1101(no-member), install_master] Instance of 'ValueError' has no 'message' member)

Signed-off-by: Christian Heimes 
Reviewed-By: Simo Sorce 
Reviewed-By: Stanislav Laznicka

Remove allow_constrained_delegation from gssproxy.conf

2017-03-14T17:56:03+00:00

The Apache process must not allowed to use constrained delegation to
contact services because it is already allowed to impersonate
users to itself. Allowing it to perform constrained delegation would
let it impersonate any user against the LDAP service without authentication.

https://pagure.io/freeipa/issue/6225

Reviewed-By: Simo Sorce

WebUI: Add support for management of user short name resolution

2017-03-14T17:45:29+00:00

Added field into idview details page and into server config where
the order of domains used while searching for user. Domains can
be separated by ':' character.

https://pagure.io/freeipa/issue/6372

Reviewed-By: Simo Sorce 
Reviewed-By: Petr Vobornik

Short name resolution: introduce the required schema

2017-03-14T17:37:10+00:00

Add ipaDomainResolutionOrder and ipaNameResolutionData to IPAv3 schema.
Extend ipaConfig object with ipaNameResolutionData objectclass during
update.

https://pagure.io/freeipa/issue/6372

Reviewed-By: Martin Basti 
Reviewed-By: Alexander Bokovoy 
Reviewed-By: Jan Cholasta

Remove copy-schema-to-ca.py from master branch

2017-03-14T14:16:20+00:00

This script is used only for IPA <3.1, so it must be compatible with
ipa-3-0 branch, so it should be placed there

https://pagure.io/freeipa/issue/6540

Reviewed-By: Stanislav Laznicka

WebUI: add link to login page which for login using certificate

2017-03-14T14:13:43+00:00

Also add error message when login failed.

https://pagure.io/freeipa/issue/6225

Reviewed-By: Florence Blanc-Renaud 
Reviewed-By: Petr Vobornik 
Reviewed-By: David Kupka