freeipa.git/ipaserver/plugins, branch mindatefix FreeIPA patches schema: Fix subtopic -> topic mapping 2016-07-15T12:02:17+00:00 David Kupka dkupka@redhat.com 2016-07-14T08:15:59+00:00 92dea9b186611f7f1ba8aa5952b4cfdc363d75b8 https://fedorahosted.org/freeipa/ticket/6069 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
https://fedorahosted.org/freeipa/ticket/6069

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Preserve user principal aliases during rename operation 2016-07-15T11:51:03+00:00 Martin Babinsky mbabinsk@redhat.com 2016-07-01T16:09:04+00:00 2f02ffed03beac43b26e8521eff87b9489a746f9 When a MODRDN is performed on the user entry, the MODRDN plugin resets both krbPrincipalName and krbCanonicalName to the value constructed from uid. In doing so, hovewer, any principal aliases added to the krbPrincipalName are wiped clean. In this patch old aliases are fetched before the MODRDN operation takes place and inserted back after it is performed. This also preserves previous user logins which can be used further for authentication as aliases. https://fedorahosted.org/freeipa/ticket/6028 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> 
When a MODRDN is performed on the user entry, the MODRDN plugin resets both
krbPrincipalName and krbCanonicalName to the value constructed from uid. In
doing so, hovewer, any principal aliases added to the krbPrincipalName are
wiped clean. In this patch old aliases are fetched before the MODRDN operation
takes place and inserted back after it is performed.

This also preserves previous user logins which can be used further for
authentication as aliases.

https://fedorahosted.org/freeipa/ticket/6028

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
host-find: do not show SSH key by default 2016-07-13T16:37:15+00:00 Martin Basti mbasti@redhat.com 2016-07-08T11:40:02+00:00 2874fdbfef1e191cf858dabdd34d5a0cbdc5ef16 Only function 'remove_sshpubkey_from_output_list_post' should be used in postcallbacks of *-find, otherwise only one entry will be cleaned up https://fedorahosted.org/freeipa/ticket/6043 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 
Only function 'remove_sshpubkey_from_output_list_post' should be used in
postcallbacks of *-find, otherwise only one entry will be cleaned up

https://fedorahosted.org/freeipa/ticket/6043

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
caacl: expand plugin documentation 2016-07-13T16:34:17+00:00 Fraser Tweedale ftweedal@redhat.com 2016-07-12T05:11:11+00:00 8cd87d12d53a98a8e386c06a7c5fddb1d38d990d Expand the 'caacl' plugin documentation to explain some common confusions including the fact that CA ACLs apply to the target subject principal (not necessarily the principal requesting the cert), and the fact that CA-less CA ACL implies the 'ipa' CA. Fixes: https://fedorahosted.org/freeipa/ticket/6002 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Expand the 'caacl' plugin documentation to explain some common
confusions including the fact that CA ACLs apply to the target
subject principal (not necessarily the principal requesting the
cert), and the fact that CA-less CA ACL implies the 'ipa' CA.

Fixes: https://fedorahosted.org/freeipa/ticket/6002
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Fix incorrect check for principal type when evaluating CA ACLs 2016-07-01T11:16:23+00:00 Martin Babinsky mbabinsk@redhat.com 2016-07-01T09:55:47+00:00 0ade41abbad324d8c54449f3b1024a7651dc259d This error prevented hosts to request certificates for themselves. https://fedorahosted.org/freeipa/ticket/3864 Reviewed-By: Petr Spacek <pspacek@redhat.com> 
This error prevented hosts to request certificates for themselves.

https://fedorahosted.org/freeipa/ticket/3864

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Allow unexpiring passwords 2016-07-01T09:22:02+00:00 David Kupka dkupka@redhat.com 2016-06-30T06:52:33+00:00 d2cb9ed327ee4003598d5e45d80ab7918b89eeed Treat maxlife=0 in password policy as "never expire". Delete krbPasswordExpiration in user entry when password should never expire. https://fedorahosted.org/freeipa/ticket/2795 Reviewed-By: Thierry Bordaz <tbordaz@redhat.com> Reviewed-By: Pavel Vomacka <pvomacka@redhat.com> 
Treat maxlife=0 in password policy as "never expire". Delete
krbPasswordExpiration in user entry when password should never expire.

https://fedorahosted.org/freeipa/ticket/2795

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Add --cn option to cert-status 2016-07-01T08:05:16+00:00 Fraser Tweedale ftweedal@redhat.com 2016-07-01T04:42:37+00:00 4844eaec197690e21c6cf44743df7f456d0e185d Add the 'cacn' option to the cert-status command. Right now there is nothing we need to (or can) do with it, but we add it anyway for future use. Fixes: https://fedorahosted.org/freeipa/ticket/5999 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Add the 'cacn' option to the cert-status command.  Right now there
is nothing we need to (or can) do with it, but we add it anyway for
future use.

Fixes: https://fedorahosted.org/freeipa/ticket/5999
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Add widgets for kerberos aliases 2016-07-01T07:39:49+00:00 Pavel Vomacka pvomacka@redhat.com 2016-06-30T12:34:33+00:00 4bc2e3164fbc4fdbbd4ecd1d26001a5d4671dd94 Create own custom_command_multivalued_widget for kerberos aliases. https://fedorahosted.org/freeipa/ticket/5927 Reviewed-By: Petr Vobornik <pvoborni@redhat.com> 
Create own custom_command_multivalued_widget for kerberos aliases.

https://fedorahosted.org/freeipa/ticket/5927

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Unify display of principal names/aliases across entities 2016-07-01T07:37:25+00:00 Martin Babinsky mbabinsk@redhat.com 2016-06-29T12:54:54+00:00 acf2234ebc8609a35a8f45598d5d817cbdbff121 Since now users, hosts, and service all support assigning multiple principal aliases to them, the display of kerberos principal names should be consistent across all these objects. Principal aliases and canonical names will now be displayed in all add, mod, show, and find operations. https://fedorahosted.org/freeipa/ticket/3864 Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Since now users, hosts, and service all support assigning multiple principal
aliases to them, the display of kerberos principal names should be consistent
across all these objects. Principal aliases and canonical names will now be
displayed in all add, mod, show, and find operations.

https://fedorahosted.org/freeipa/ticket/3864

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Provide API for management of host, service, and user principal aliases 2016-07-01T07:37:25+00:00 Martin Babinsky mbabinsk@redhat.com 2016-06-23T18:06:42+00:00 e6ff83e3610d553f6ff98e3adbfbe3c6984b2f17 New commands (*-{add,remove}-principal [PKEY] [PRINCIPAL ...]) were added to manage principal aliases. 'add' commands will check the following: * the correct principal type is supplied as an alias * the principals have correct realm and the realm/alternative suffix (e.g. e-mail) do not overlap with those of trusted AD domains If the entry does not have canonical principal name, the first returned principal name will be set as one. This is mostly to smoothly operate on entries created on older servers. 'remove' commands will check that there is at least one principal alias equal to the canonical name left on the entry. See also: http://www.freeipa.org/page/V4/Kerberos_principal_aliases https://fedorahosted.org/freeipa/ticket/1365 https://fedorahosted.org/freeipa/ticket/3961 https://fedorahosted.org/freeipa/ticket/5413 Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
New commands (*-{add,remove}-principal [PKEY] [PRINCIPAL ...])
were added to manage principal aliases.

'add' commands will check the following:
* the correct principal type is supplied as an alias
* the principals have correct realm and the realm/alternative suffix (e.g.
  e-mail) do not overlap with those of trusted AD domains

If the entry does not have canonical principal name, the first returned
principal name will be set as one. This is mostly to smoothly operate on
entries created on older servers.

'remove' commands will check that there is at least one principal alias equal
to the canonical name left on the entry.

See also: http://www.freeipa.org/page/V4/Kerberos_principal_aliases

https://fedorahosted.org/freeipa/ticket/1365
https://fedorahosted.org/freeipa/ticket/3961
https://fedorahosted.org/freeipa/ticket/5413

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>