freeipa.git/install, branch ipasam_getkeytab FreeIPA patches Convert ipa-sam to use the new getkeytab control 2015-12-03T13:19:14+00:00 Simo Sorce simo@redhat.com 2015-12-01T18:43:35+00:00 b384d65b20f88c11ac9dd637ea54ea35bbe636a6 Signed-off-by: Simo Sorce <simo@redhat.com> Ticket: https://fedorahosted.org/freeipa/ticket/5495 
Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/5495
Sync kerberos LDAP schema with upstream. 2015-12-02T21:14:04+00:00 Simo Sorce simo@redhat.com 2015-11-24T23:38:08+00:00 5418bca451b8785141d615855fc41931ceef5b5d All the new attributes are unused for now, but this allows us to keep tailing upstream in case of other useful changes later on. Signed-off-by: Simo Sorce <simo@redhat.com> Ticket: https://fedorahosted.org/freeipa/ticket/2086 
All the new attributes are unused for now, but this allows us to keep tailing
upstream in case of other useful changes later on.

Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/2086
Allow to specify Kerberos authz data type per user 2015-12-02T21:14:03+00:00 Simo Sorce simo@redhat.com 2015-11-24T23:01:52+00:00 66c5082caaba5bbcbab7e3ca6ae7ef2f6c786e43 Like for services setting the ipaKrbAuthzData attribute on a user object will allow us to control exactly what authz data is allowed for that user. Setting NONE would allow no authz data, while setting MS-PAC would allow only Active Directory compatible data. Signed-off-by: Simo Sorce <simo@redhat.com> Ticket: https://fedorahosted.org/freeipa/ticket/2579 
Like for services setting the ipaKrbAuthzData attribute on a user object will
allow us to control exactly what authz data is allowed for that user.
Setting NONE would allow no authz data, while setting MS-PAC would allow only
Active Directory compatible data.

Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/2579
Disable User's ability to use the setkeytab exop. 2015-12-02T21:14:03+00:00 Simo Sorce simo@redhat.com 2015-11-24T19:02:01+00:00 9ffd619f8c278d72d55aacae2667ddb28eab6d0e Users can still obtain a keytab for themselves using the getkeytab exop which does not circumvent password policy checks. Users are disallowed from using setkeytab by default in new installations but not in existing installations (no forced upgrade). Signed-off-by: Simo Sorce <simo@redhat.com> Ticket: https://fedorahosted.org/freeipa/ticket/5485 
Users can still obtain a keytab for themselves using the getkeytab exop
which does not circumvent password policy checks.

Users are disallowed from using setkeytab by default in new installations
but not in existing installations (no forced upgrade).

Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/5485
Use only AES enctypes by default 2015-12-02T21:14:03+00:00 Simo Sorce simo@redhat.com 2015-11-23T18:40:42+00:00 c6264b4344021b368077ffd2fee70f8541c2953f Remove des3 and arcfour from the defaults for new installs. NOTE: the ipasam/dcerpc code sill uses arcfour Signed-off-by: Simo Sorce <simo@redhat.com> Ticket: https://fedorahosted.org/freeipa/ticket/4740 
Remove des3 and arcfour from the defaults for new installs.

NOTE: the ipasam/dcerpc code sill uses arcfour

Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/4740
implement domain level 1 specific topology checks into IPA server uninstaller 2015-12-02T13:10:19+00:00 Martin Babinsky mbabinsk@redhat.com 2015-11-19T16:58:44+00:00 b8c619a7139bd7b65caa03b68431e22791ff19bf When uninstalling domain level 1 master its removal from topology is checked on remote masters. The uninstaller also checks whether the uninstallation disconnects the topology and if yes aborts the procedure. The '--ignore-disconnected-topology' options skips this check. https://fedorahosted.org/freeipa/ticket/5377 https://fedorahosted.org/freeipa/ticket/5409 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> 
When uninstalling domain level 1 master its removal from topology is checked
on remote masters. The uninstaller also checks whether the uninstallation
disconnects the topology and if yes aborts the procedure. The
'--ignore-disconnected-topology' options skips this check.

https://fedorahosted.org/freeipa/ticket/5377
https://fedorahosted.org/freeipa/ticket/5409

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
extract domain level 1 topology-checking code from ipa-replica-manage 2015-12-02T13:10:19+00:00 Martin Babinsky mbabinsk@redhat.com 2015-11-19T16:55:23+00:00 8d4b14e0ce33baed5f237175ef2a853538ead0a8 This facilitates reusability of this code in other components, e.g. IPA server uninstallers. https://fedorahosted.org/freeipa/ticket/5409 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> 
This facilitates reusability of this code in other components, e.g. IPA server
uninstallers.

https://fedorahosted.org/freeipa/ticket/5409

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
translations: Update ipa.pot file 2015-12-02T11:40:48+00:00 Tomas Babej tbabej@redhat.com 2015-12-02T10:16:11+00:00 f72f8c1ad04847e4d0f24b50c76a583bd6fe5a86 Reviewed-By: Petr Vobornik <pvoborni@redhat.com> 
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Fixed small typo in stage-user documentation 2015-12-02T07:28:43+00:00 Abhijeet Kasurde akasurde@redhat.com 2015-12-02T06:23:32+00:00 9a73c20763da42b331b73d7b716a1ea38f00a680 Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com> Reviewed-By: Tomas Babej <tbabej@redhat.com> 
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
fix 'iparepltopomanagedsuffix' attribute consumers 2015-12-01T12:47:14+00:00 Martin Babinsky mbabinsk@redhat.com 2015-12-01T11:14:07+00:00 525f6281d820ba7d3be780127d79a62221c5f1ad Commit 46ae52569a179f73b1445922f7bac993d598c953 reimplemented reporting of managed topology suffixes in server-find/show commands using membership attributes. This patch fixes consumers of this attribute in ipa-replica-manage command and webui to reflect this change. Reviewed-By: Martin Basti <mbasti@redhat.com> 
Commit 46ae52569a179f73b1445922f7bac993d598c953 reimplemented reporting of
managed topology suffixes in server-find/show commands using membership
attributes. This patch fixes consumers of this attribute in ipa-replica-manage
command and webui to reflect this change.

Reviewed-By: Martin Basti <mbasti@redhat.com>