freeipa.git/ipalib/plugins, branch ipasam_getkeytab FreeIPA patches Allow admins to disable preauth for SPNs. 2015-12-02T21:14:03+00:00 Simo Sorce simo@redhat.com 2015-11-24T20:39:08+00:00 0815bec62f30850e7343e03fb26cc591a8666637 Some legacy softare is not able to properly cope with preauthentication, allow the admins to disable the requirement to use preauthentication for all Service Principal Names if they so desire. IPA Users are excluded, for users, which use password of lessere entrpy, preauthentication is always required by default. This setting does NOT override explicit policies set on service principals or in the global policy, it only affects the default. Signed-off-by: Simo Sorce <simo@redhat.com> Ticket: https://fedorahosted.org/freeipa/ticket/3860 
Some legacy softare is not able to properly cope with preauthentication,
allow the admins to disable the requirement to use preauthentication for
all Service Principal Names if they so desire. IPA Users are excluded,
for users, which use password of lessere entrpy, preauthentication is
always required by default.

This setting does NOT override explicit policies set on service principals
or in the global policy, it only affects the default.

Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/3860
Disable User's ability to use the setkeytab exop. 2015-12-02T21:14:03+00:00 Simo Sorce simo@redhat.com 2015-11-24T19:02:01+00:00 9ffd619f8c278d72d55aacae2667ddb28eab6d0e Users can still obtain a keytab for themselves using the getkeytab exop which does not circumvent password policy checks. Users are disallowed from using setkeytab by default in new installations but not in existing installations (no forced upgrade). Signed-off-by: Simo Sorce <simo@redhat.com> Ticket: https://fedorahosted.org/freeipa/ticket/5485 
Users can still obtain a keytab for themselves using the getkeytab exop
which does not circumvent password policy checks.

Users are disallowed from using setkeytab by default in new installations
but not in existing installations (no forced upgrade).

Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/5485
Introduce option to disable the SetKeytab exop 2015-12-02T21:14:03+00:00 Simo Sorce simo@redhat.com 2015-11-24T18:42:10+00:00 bde182421226bb32ab676c13a85bc95a2572f322 If DisableSetKeytab is set in ipaConfig options then setkeytab will not be available. The default is still to allow this operation for backwards compatibility towards older clients that do not know how to use the new GetKeytab extended operation. Signed-off-by: Simo Sorce <simo@redhat.com> Ticket: https://fedorahosted.org/freeipa/ticket/5485 
If DisableSetKeytab is set in ipaConfig options then setkeytab will not be
available. The default is still to allow this operation for backwards
compatibility towards older clients that do not know how to use the new
GetKeytab extended operation.

Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/5485
Removed duplicate domain name validating function 2015-12-02T16:26:56+00:00 Stanislav Laznicka slaznick@redhat.com 2015-11-25T15:38:00+00:00 498471e4aed1367b72cd74d15811d0584a6ee268 Reviewed-By: Martin Basti <mbasti@redhat.com> 
Reviewed-By: Martin Basti <mbasti@redhat.com>
topology: replace "suffices" with "suffixes" 2015-12-01T08:30:21+00:00 Jan Cholasta jcholast@redhat.com 2015-11-27T07:07:57+00:00 4d24d8b26cd720f2ac24d05cbb00fd69ebd675a9 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
server: use topologysuffix name in iparepltopomanagedsuffix 2015-12-01T08:30:21+00:00 Jan Cholasta jcholast@redhat.com 2015-11-30T09:25:01+00:00 46ae52569a179f73b1445922f7bac993d598c953 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Upgrade: increase time limit for upgrades 2015-12-01T07:51:44+00:00 Martin Basti mbasti@redhat.com 2015-11-18T09:31:05+00:00 2a1a3c498a71e85193af76a25333ebe9011e6b2a Default ldap search limit is now 30 sec by default during upgrade. Limits must be changed for the whole ldap2 connection, because this connection is used inside update plugins and commands called from upgrade. Together with increasing the time limit, also size limit should be unlimited during upgrade. With sizelimit=None we may get the TimeExceeded exception from getting default value of the sizelimit from LDAP. https://fedorahosted.org/freeipa/ticket/5267 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Default ldap search limit is now 30 sec by default during upgrade.

Limits must be changed for the whole ldap2 connection, because this
connection is used inside update plugins and commands called from
upgrade.

Together with increasing the time limit, also size limit should be
unlimited during upgrade. With sizelimit=None we may get the
TimeExceeded exception from getting default value of the sizelimit from LDAP.

https://fedorahosted.org/freeipa/ticket/5267

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
topology: treat server suffix as multivalued attribute in API 2015-11-27T14:56:59+00:00 Petr Vobornik pvoborni@redhat.com 2015-10-29T18:01:09+00:00 c688954c27c219cb18aff968fc1f510afff93981 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
webui: topology graph facet 2015-11-27T14:50:56+00:00 Petr Vobornik pvoborni@redhat.com 2015-11-12T17:28:01+00:00 68f6c2c7dc1277d9efd3e729a924d4c9cadc90ec https://fedorahosted.org/freeipa/ticket/4286 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
https://fedorahosted.org/freeipa/ticket/4286

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Compare objectclasses as case insensitive in baseuser.py 2015-11-25T13:56:30+00:00 Martin Basti mbasti@redhat.com 2015-11-17T10:43:57+00:00 6bbde3e0f7d661fa559ed5e3365381d2ba113dce Objectclasses must be handled as case insensitive. https://fedorahosted.org/freeipa/ticket/5456 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
Objectclasses must be handled as case insensitive.

https://fedorahosted.org/freeipa/ticket/5456

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>