freeipa.git/ipapython, branch master_keytab FreeIPA patches install: Run all validators at once. 2015-12-08T07:12:22+00:00 David Kupka dkupka@redhat.com 2015-12-07T12:35:49+00:00 2c5a662fd80f7152834dfebf45628d3a7b8a68bf Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
custodia: do not modify memberPrincipal on key update 2015-12-07T07:14:13+00:00 Jan Cholasta jcholast@redhat.com 2015-12-01T09:46:00+00:00 01ddf51df76f3298499973355c5461727e46ab5b https://fedorahosted.org/freeipa/ticket/5401 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> 
https://fedorahosted.org/freeipa/ticket/5401

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
ipautil: use file in a temporary dir as ccache in private_ccache 2015-12-07T07:14:13+00:00 Jan Cholasta jcholast@redhat.com 2015-11-18T07:34:35+00:00 662158b781f11ac3b323142ab4cc71f7e4e23451 python-gssapi chokes on empty ccache files, so instead of creating an empty temporary ccache file in private_ccache, create a temporary directory and use a non-existent file in that directory as the ccache. https://fedorahosted.org/freeipa/ticket/5401 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> 
python-gssapi chokes on empty ccache files, so instead of creating an empty
temporary ccache file in private_ccache, create a temporary directory and
use a non-existent file in that directory as the ccache.

https://fedorahosted.org/freeipa/ticket/5401

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Removed duplicate domain name validating function 2015-12-02T16:26:56+00:00 Stanislav Laznicka slaznick@redhat.com 2015-11-25T15:38:00+00:00 498471e4aed1367b72cd74d15811d0584a6ee268 Reviewed-By: Martin Basti <mbasti@redhat.com> 
Reviewed-By: Martin Basti <mbasti@redhat.com>
ipa-client-install: add support for Ed25519 SSH keys (RFC 7479) 2015-12-01T08:41:52+00:00 Petr Spacek pspacek@redhat.com 2015-11-24T08:55:58+00:00 fa62480c73ccb860c8c8b4cd110b0782eb4883d5 https://fedorahosted.org/freeipa/ticket/5471 Reviewed-By: Martin Basti <mbasti@redhat.com> 
https://fedorahosted.org/freeipa/ticket/5471

Reviewed-By: Martin Basti <mbasti@redhat.com>
Upgrade: increase time limit for upgrades 2015-12-01T07:51:44+00:00 Martin Basti mbasti@redhat.com 2015-11-18T09:31:05+00:00 2a1a3c498a71e85193af76a25333ebe9011e6b2a Default ldap search limit is now 30 sec by default during upgrade. Limits must be changed for the whole ldap2 connection, because this connection is used inside update plugins and commands called from upgrade. Together with increasing the time limit, also size limit should be unlimited during upgrade. With sizelimit=None we may get the TimeExceeded exception from getting default value of the sizelimit from LDAP. https://fedorahosted.org/freeipa/ticket/5267 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Default ldap search limit is now 30 sec by default during upgrade.

Limits must be changed for the whole ldap2 connection, because this
connection is used inside update plugins and commands called from
upgrade.

Together with increasing the time limit, also size limit should be
unlimited during upgrade. With sizelimit=None we may get the
TimeExceeded exception from getting default value of the sizelimit from LDAP.

https://fedorahosted.org/freeipa/ticket/5267

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Use absolute domain in detection of A/AAAA records 2015-11-25T13:13:26+00:00 Martin Basti mbasti@redhat.com 2015-11-04T15:09:21+00:00 800c7023241fd6182da300cf120870072e6ca602 Python dns resolver append configured domain to queries which may lead to false positive answer. Exmaple: resolving "ipa.example.com" may return records for "ipa.example.com.example.com" if domain is configured as "example.com" https://fedorahosted.org/freeipa/ticket/5421 Reviewed-By: Petr Spacek <pspacek@redhat.com> 
Python dns resolver append configured domain to queries which may lead
to false positive answer.

Exmaple: resolving "ipa.example.com" may return records for
"ipa.example.com.example.com" if domain is configured as "example.com"

https://fedorahosted.org/freeipa/ticket/5421

Reviewed-By: Petr Spacek <pspacek@redhat.com>
private_ccache: Harden the removal of KRB5CCNAME env variable 2015-11-25T12:51:10+00:00 Tomas Babej tbabej@redhat.com 2015-11-23T11:47:56+00:00 1904d7cc3ab33046428dbdcb7c6f521f9e083287 If the code within the private_ccache contextmanager does not set/removes the KRB5CCNAME, the pop method will raise KeyError, which will cause unnecessary termination of the code flow. Make sure the KRB5CCNAME is popped out of os.environ only if present. Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
If the code within the private_ccache contextmanager does not
set/removes the KRB5CCNAME, the pop method will raise KeyError, which
will cause unnecessary termination of the code flow.

Make sure the KRB5CCNAME is popped out of os.environ only if present.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
install: drop support for Dogtag 9 2015-11-25T08:12:25+00:00 Jan Cholasta jcholast@redhat.com 2015-11-09T17:28:47+00:00 aeffe2da42734655cbaedb2c4d4f9e28bd2df1c0 Dogtag 9 CA and CA DS install and uninstall code was removed. Existing Dogtag 9 CA and CA DS instances are disabled on upgrade. Creating a replica of a Dogtag 9 IPA master is still supported. https://fedorahosted.org/freeipa/ticket/5197 Reviewed-By: David Kupka <dkupka@redhat.com> 
Dogtag 9 CA and CA DS install and uninstall code was removed. Existing
Dogtag 9 CA and CA DS instances are disabled on upgrade.

Creating a replica of a Dogtag 9 IPA master is still supported.

https://fedorahosted.org/freeipa/ticket/5197

Reviewed-By: David Kupka <dkupka@redhat.com>
Do not erroneously reinit NSS in Dogtag interface 2015-11-24T09:12:24+00:00 Fraser Tweedale ftweedal@redhat.com 2015-11-23T01:09:32+00:00 6fe0a898077a74924b6ccaf6dfbaf2d166175722 The Dogtag interface always attempts to (re)init NSS, which can fail with SEC_ERROR_BUSY. Do not reinitialise NSS when it has already been initialised with the given dbdir. Part of: https://fedorahosted.org/freeipa/ticket/5459 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
The Dogtag interface always attempts to (re)init NSS, which can fail
with SEC_ERROR_BUSY.  Do not reinitialise NSS when it has already
been initialised with the given dbdir.

Part of: https://fedorahosted.org/freeipa/ticket/5459

Reviewed-By: Jan Cholasta <jcholast@redhat.com>