freeipa.git/ipaplatform, branch kdc-fixes FreeIPA patches DNS: check if DNS package is installed 2015-07-21T15:30:10+00:00 Martin Basti mbasti@redhat.com 2015-07-01T13:05:45+00:00 92828d3cf50e00fe75ebf3ec9e0edc8b9c8eae35 Instead of separate checking of DNS required packages, we need just check if IPA DNS package is installed. https://fedorahosted.org/freeipa/ticket/4058 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> Reviewed-By: Petr Spacek <pspacek@redhat.com> Reviewed-By: Tomas Babej <tbabej@redhat.com> 
Instead of separate checking of DNS required packages, we need just
check if IPA DNS package is installed.

https://fedorahosted.org/freeipa/ticket/4058

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
ipaplatform: Add constants submodule 2015-07-21T15:29:33+00:00 Tomas Babej tbabej@redhat.com 2015-07-02T10:38:43+00:00 a487e42d3fb71ceb3128fb9a2055a5586c4ed851 Introduce a ipaplatform/constants.py file to store platform related constants, which are not paths. Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Petr Spacek <pspacek@redhat.com> 
Introduce a ipaplatform/constants.py file to store platform related
constants, which are not paths.

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
cermonger: Use private unix socket when DBus SystemBus is not available. 2015-07-20T14:28:09+00:00 David Kupka dkupka@redhat.com 2015-07-07T13:49:27+00:00 2defc486ab21f371b67bd93061ccc772d2c91282 https://fedorahosted.org/freeipa/ticket/5095 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
https://fedorahosted.org/freeipa/ticket/5095

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
DNSSEC: allow to disable/replace DNSSEC key master 2015-07-07T06:37:15+00:00 Martin Basti mbasti@redhat.com 2015-05-13T12:45:32+00:00 e151492560db25fa13c2a3edf5e2139dc6629047 This commit allows to replace or disable DNSSEC key master Replacing DNSSEC master requires to copy kasp.db file manually by user ipa-dns-install: --disable-dnssec-master DNSSEC master will be disabled --dnssec-master --kasp-db=FILE This configure new DNSSEC master server, kasp.db from old server is required for sucessful replacement --force Skip checks https://fedorahosted.org/freeipa/ticket/4657 Reviewed-By: Petr Spacek <pspacek@redhat.com> 
This commit allows to replace or disable DNSSEC key master

Replacing DNSSEC master requires to copy kasp.db file manually by user

ipa-dns-install:
--disable-dnssec-master  DNSSEC master will be disabled
--dnssec-master --kasp-db=FILE  This configure new DNSSEC master server,  kasp.db from old server is required for sucessful replacement
--force Skip checks

https://fedorahosted.org/freeipa/ticket/4657

Reviewed-By: Petr Spacek <pspacek@redhat.com>
ipaplatform: Remove redundant definitions 2015-07-02T11:04:23+00:00 Tomas Babej tbabej@redhat.com 2015-07-02T11:00:08+00:00 ccbf2678725949c527a99cb8c36a1fc9cc1b884f The variables path_namespace and task_namespace in the base platform are not used anywhere in the rest of the codebase and are just debris from previous implementation. This patch removes them. Reviewed-By: Tomas Babej <tbabej@redhat.com> 
The variables path_namespace and task_namespace in the base platform
are not used anywhere in the rest of the codebase and are just
debris from previous implementation.

This patch removes them.

Reviewed-By: Tomas Babej <tbabej@redhat.com>
ipaplatform: Do not use MagicDict for KnownServices 2015-07-01T13:05:30+00:00 Jan Cholasta jcholast@redhat.com 2015-06-22T11:28:09+00:00 e9c9e3f009347d356f4d59701321888e7f00fb94 https://fedorahosted.org/freeipa/ticket/3090 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
https://fedorahosted.org/freeipa/ticket/3090

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Clear SSSD caches when uninstalling the client 2015-06-30T10:59:19+00:00 Gabe redhatrises@gmail.com 2015-06-05T17:27:46+00:00 37729936dd6fe9c3396cbb8a682a4674af8b5537 https://fedorahosted.org/freeipa/ticket/5049 Reviewed-By: Jakub Hrozek <jhrozek@redhat.com> 
https://fedorahosted.org/freeipa/ticket/5049

Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
Rate-limit while loop in SystemdService.is_active(). 2015-06-29T11:39:07+00:00 Petr Spacek pspacek@redhat.com 2015-06-26T13:55:12+00:00 ee84c6ae78b55fc097cd586129f2d94eef22ab0a Previously is_active() was frenetically calling systemctl is_active in tight loop which in fact made the process slower. Reviewed-By: Martin Basti <mbasti@redhat.com> 
Previously is_active() was frenetically calling systemctl is_active in
tight loop which in fact made the process slower.

Reviewed-By: Martin Basti <mbasti@redhat.com>
Provide Kerberos over HTTP (MS-KKDCP) 2015-06-24T08:43:58+00:00 Christian Heimes cheimes@redhat.com 2015-06-23T15:01:00+00:00 495da412f155603c02907187c21dd4511281df2c Add integration of python-kdcproxy into FreeIPA to support the MS Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD client requests over HTTP and HTTPS. - freeipa-server now depends on python-kdcproxy >= 0.3. All kdcproxy dependencies are already satisfied. - The service's state is configured in cn=KDC,cn=$FQDN,cn=masters,cn=ipa, cn=etc,$SUFFIX. It's enabled, when ipaConfigString=kdcProxyEnabled is present. - The installers and update create a new Apache config file /etc/ipa/kdcproxy/ipa-kdc-proxy.conf that mounts a WSGI app on /KdcProxy. The app is run inside its own WSGI daemon group with a different uid and gid than the webui. - A ExecStartPre script in httpd.service symlinks the config file to /etc/httpd/conf.d/ iff ipaConfigString=kdcProxyEnabled is present. - The httpd.service also sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf, so that an existing config is not used. SetEnv from Apache config does not work here, because it doesn't set an OS env var. - python-kdcproxy is configured to *not* use DNS SRV lookups. The location of KDC and KPASSWD servers are read from /etc/krb5.conf. - The state of the service can be modified with two ldif files for ipa-ldap-updater. No CLI script is offered yet. https://www.freeipa.org/page/V4/KDC_Proxy https://fedorahosted.org/freeipa/ticket/4801 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> 
Add integration of python-kdcproxy into FreeIPA to support the MS
Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD
client requests over HTTP and HTTPS.

- freeipa-server now depends on python-kdcproxy >= 0.3. All kdcproxy
  dependencies are already satisfied.
- The service's state is configured in cn=KDC,cn=$FQDN,cn=masters,cn=ipa,
  cn=etc,$SUFFIX. It's enabled, when ipaConfigString=kdcProxyEnabled is
  present.
- The installers and update create a new Apache config file
  /etc/ipa/kdcproxy/ipa-kdc-proxy.conf that mounts a WSGI app on
  /KdcProxy. The app is run inside its own WSGI daemon group with
  a different uid and gid than the webui.
- A ExecStartPre script in httpd.service symlinks the config file to
  /etc/httpd/conf.d/ iff ipaConfigString=kdcProxyEnabled is present.
- The httpd.service also sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf,
  so that an existing config is not used. SetEnv from Apache config does
  not work here, because it doesn't set an OS env var.
- python-kdcproxy is configured to *not* use DNS SRV lookups. The
  location of KDC and KPASSWD servers are read from /etc/krb5.conf.
- The state of the service can be modified with two ldif files for
  ipa-ldap-updater. No CLI script is offered yet.

https://www.freeipa.org/page/V4/KDC_Proxy

https://fedorahosted.org/freeipa/ticket/4801

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Use 389-ds centralized scripts. 2015-06-11T11:16:06+00:00 David Kupka dkupka@redhat.com 2015-04-01T15:27:36+00:00 4d05b5d18da84c1e9cc89e9d3c3432261863837a Directory server is deprecating use of tools in instance specific paths. Instead tools in bin/sbin path should be used. https://fedorahosted.org/freeipa/ticket/4051 Reviewed-By: Martin Basti <mbasti@redhat.com> 
Directory server is deprecating use of tools in instance specific paths. Instead
tools in bin/sbin path should be used.

https://fedorahosted.org/freeipa/ticket/4051

Reviewed-By: Martin Basti <mbasti@redhat.com>