freeipa.git/install, branch review FreeIPA patches Convert ipa-sam to use the new getkeytab control 2015-12-09T19:59:12+00:00 Simo Sorce simo@redhat.com 2015-12-01T18:43:35+00:00 6e31ab4b62d0fc6f2b2bef79d7914d7c06cac49c Signed-off-by: Simo Sorce <simo@redhat.com> Ticket: https://fedorahosted.org/freeipa/ticket/5495 
Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/5495
Allow to specify Kerberos authz data type per user 2015-12-09T19:59:12+00:00 Simo Sorce simo@redhat.com 2015-11-24T23:01:52+00:00 f21c88b9f74453c6d6e16fb17d94efa469eed564 Like for services setting the ipaKrbAuthzData attribute on a user object will allow us to control exactly what authz data is allowed for that user. Setting NONE would allow no authz data, while setting MS-PAC would allow only Active Directory compatible data. Signed-off-by: Simo Sorce <simo@redhat.com> Ticket: https://fedorahosted.org/freeipa/ticket/2579 
Like for services setting the ipaKrbAuthzData attribute on a user object will
allow us to control exactly what authz data is allowed for that user.
Setting NONE would allow no authz data, while setting MS-PAC would allow only
Active Directory compatible data.

Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/2579
Disable User's ability to use the setkeytab exop. 2015-12-08T15:09:28+00:00 Simo Sorce simo@redhat.com 2015-11-24T19:02:01+00:00 3aca4469af228bdc78c194751f0d19b6454e9f3e Users can still obtain a keytab for themselves using the getkeytab exop which does not circumvent password policy checks. Users are disallowed from using setkeytab by default in new installations but not in existing installations (no forced upgrade). Signed-off-by: Simo Sorce <simo@redhat.com> Ticket: https://fedorahosted.org/freeipa/ticket/5485 
Users can still obtain a keytab for themselves using the getkeytab exop
which does not circumvent password policy checks.

Users are disallowed from using setkeytab by default in new installations
but not in existing installations (no forced upgrade).

Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/5485
Use only AES enctypes by default 2015-12-08T15:09:28+00:00 Simo Sorce simo@redhat.com 2015-11-23T18:40:42+00:00 3571184429c9bef9aa2b8831f3c27793b64e8024 Remove des3 and arcfour from the defaults for new installs. NOTE: the ipasam/dcerpc code sill uses arcfour Signed-off-by: Simo Sorce <simo@redhat.com> Ticket: https://fedorahosted.org/freeipa/ticket/4740 
Remove des3 and arcfour from the defaults for new installs.

NOTE: the ipasam/dcerpc code sill uses arcfour

Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/4740
replica promotion: use host credentials when setting up replication 2015-12-07T07:14:13+00:00 Jan Cholasta jcholast@redhat.com 2015-11-18T07:51:34+00:00 c2af4095177d5c884a58917b7ad5b13dc782cc51 Use the local host credentials rather than the user credentials when setting up replication. The host must be a member of the ipaservers host group. The user credentials are still required for connection check. https://fedorahosted.org/freeipa/ticket/5401 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> 
Use the local host credentials rather than the user credentials when
setting up replication. The host must be a member of the ipaservers host
group. The user credentials are still required for connection check.

https://fedorahosted.org/freeipa/ticket/5401

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
aci: allow members of ipaservers to set up replication 2015-12-07T07:14:13+00:00 Jan Cholasta jcholast@redhat.com 2015-11-13T07:15:55+00:00 e137f305edf2a107b06a00b05b06464b8707ab82 Add ACIs which allow the members of the ipaservers host group to set up replication. This allows IPA hosts to perform replica promotion on themselves. A number of checks which need read access to certain LDAP entries is done during replica promotion. Add ACIs to allow these checks to be done using any valid IPA host credentials. https://fedorahosted.org/freeipa/ticket/5401 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> 
Add ACIs which allow the members of the ipaservers host group to set up
replication. This allows IPA hosts to perform replica promotion on
themselves.

A number of checks which need read access to certain LDAP entries is done
during replica promotion. Add ACIs to allow these checks to be done using
any valid IPA host credentials.

https://fedorahosted.org/freeipa/ticket/5401

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
aci: replace per-server ACIs with ipaserver-based ACIs 2015-12-07T07:13:23+00:00 Jan Cholasta jcholast@redhat.com 2015-12-01T09:44:59+00:00 7b9a97383ce4090d30e624fc8b7263d6c5f1b823 https://fedorahosted.org/freeipa/ticket/3416 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> 
https://fedorahosted.org/freeipa/ticket/3416

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
aci: add IPA servers host group 'ipaservers' 2015-12-07T07:13:23+00:00 Jan Cholasta jcholast@redhat.com 2015-12-01T09:42:38+00:00 a8d7ce5cf1ccd6c8a81fa5b4569afa3aa3c2882d https://fedorahosted.org/freeipa/ticket/3416 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> 
https://fedorahosted.org/freeipa/ticket/3416

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
check whether replica exists before executing the domain level 1 deletion code 2015-12-04T22:09:50+00:00 Martin Babinsky mbabinsk@redhat.com 2015-11-18T12:12:50+00:00 ee853a3d35701d1d799f902f823b8a8cedb90013 Move this check before the parts that check topology suffix connectivity, wait for removed segments etc. If the hostname does not exist, it should really be one of the first errors user encounters during ipa-replica-manage del. https://fedorahosted.org/freeipa/ticket/5424 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> 
Move this check before the parts that check topology suffix connectivity, wait
for removed segments etc. If the hostname does not exist, it should really be
one of the first errors user encounters during ipa-replica-manage del.

https://fedorahosted.org/freeipa/ticket/5424

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
add '--auto-forwarders' description to server/replica/DNS installer man pages 2015-12-04T22:03:22+00:00 Martin Babinsky mbabinsk@redhat.com 2015-12-04T19:09:46+00:00 0997f6b9aadfe996a02004b4f3d03411ff5d141c https://fedorahosted.org/freeipa/ticket/5438 Reviewed-By: Martin Basti <mbasti@redhat.com> 
https://fedorahosted.org/freeipa/ticket/5438

Reviewed-By: Martin Basti <mbasti@redhat.com>