freeipa.git/ipaserver, branch cachetickets FreeIPA patches Use https to get security domain from Dogtag 2017-03-03T12:33:51+00:00 Christian Heimes cheimes@redhat.com 2017-02-24T12:00:25+00:00 d1c5d92897d3e262edd2e43295c1270590aebd3d Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Tomas Krizek <tkrizek@redhat.com> 
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Extract method to map principal to princpal type 2017-03-03T11:09:57+00:00 Fraser Tweedale ftweedal@redhat.com 2017-01-25T06:14:59+00:00 11c9df25774fbc8ed24b30f75c205d12ca3c5b90 Part of: https://pagure.io/freeipa/issue/5011 Reviewed-By: Tomas Krizek <tkrizek@redhat.com> 
Part of: https://pagure.io/freeipa/issue/5011

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Remove redundant principal_type argument 2017-03-03T11:09:57+00:00 Fraser Tweedale ftweedal@redhat.com 2017-01-25T05:51:46+00:00 2066a80be21258d9311ae374fe124d9ac3b79acd Minor refactor to remove the redundant 'principal_type' argument from 'caacl_check' and associated functions. Part of: https://pagure.io/freeipa/issue/5011 Reviewed-By: Tomas Krizek <tkrizek@redhat.com> 
Minor refactor to remove the redundant 'principal_type' argument
from 'caacl_check' and associated functions.

Part of: https://pagure.io/freeipa/issue/5011

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Support for Certificate Identity Mapping 2017-03-02T14:09:42+00:00 Florence Blanc-Renaud flo@redhat.com 2016-12-20T15:21:58+00:00 9e24918c89f30a6d7064844dc0dd848bb35140df See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping https://fedorahosted.org/freeipa/ticket/6542 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com> 
See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping

https://fedorahosted.org/freeipa/ticket/6542

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
Cleanup certdb 2017-03-02T13:45:00+00:00 Christian Heimes cheimes@redhat.com 2017-02-09T13:55:45+00:00 22d7492c94837342a559c368454c223f566490ac * use with statement to open/close files * prefer fchmod/fchown when a file descriptor is available * set permission before data is written to file Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 
* use with statement to open/close files
* prefer fchmod/fchown when a file descriptor is available
* set permission before data is written to file

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
server install: do not attempt to issue PKINIT cert in CA-less 2017-03-02T09:10:22+00:00 Jan Cholasta jcholast@redhat.com 2017-03-01T15:43:20+00:00 ba3c201a03cd0b224b43e45245147e48b7291f9f Require the user to provide the PKINIT cert with --pkinit-cert-file or disable PKINIT with --no-pkinit in CA-less ipa-server-install, ipa-replica-prepare and ipa-replica-install. Do not attempt to issue the PKINIT cert in CA-less ipa-server-upgrade. https://pagure.io/freeipa/issue/5678 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Require the user to provide the PKINIT cert with --pkinit-cert-file or
disable PKINIT with --no-pkinit in CA-less ipa-server-install,
ipa-replica-prepare and ipa-replica-install.

Do not attempt to issue the PKINIT cert in CA-less ipa-server-upgrade.

https://pagure.io/freeipa/issue/5678

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Fix CA-less upgrade 2017-03-01T15:38:43+00:00 Stanislav Laznicka slaznick@redhat.com 2017-03-01T14:40:10+00:00 a7c8077ce8f72eee26e8f5d4362239313ffdae3d In CA-less mode there's no /etc/pki/pki-tomcat/password.conf so it does not make sense to try to create a password file for an NSS database from it (the NSS database does not exist either). https://fedorahosted.org/freeipa/ticket/5695 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
In CA-less mode there's no /etc/pki/pki-tomcat/password.conf so it
does not make sense to try to create a password file for an NSS
database from it (the NSS database does not exist either).

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Merge AD trust configurator into replica installer 2017-03-01T14:55:45+00:00 Martin Babinsky mbabinsk@redhat.com 2017-02-17T12:51:00+00:00 eee319dba12a6ab7daa06ca0d7d8ac8fc754f961 `ipa-replica-install` is now able to configure Samba and winbind services in order to manage Active Directory trusts. `--add-agents` option is exposed in replica installer, while `--add-sids` now defaults to `False` since adding a first AD trust controller to an existing sizeable deployment can result in stuck installation as sidgen tasks can take a long time to complete. That's why adding SIDs should be a conscious decision in this case. https://fedorahosted.org/freeipa/ticket/6630 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
`ipa-replica-install` is now able to configure Samba and winbind
services in order to manage Active Directory trusts. `--add-agents`
option is exposed in replica installer, while `--add-sids` now defaults
to `False` since adding a first AD trust controller to an existing
sizeable deployment can result in stuck installation as sidgen tasks can
take a long time to complete. That's why adding SIDs should be a
conscious decision in this case.

https://fedorahosted.org/freeipa/ticket/6630

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Merge AD trust configurator into server installer 2017-03-01T14:55:45+00:00 Martin Babinsky mbabinsk@redhat.com 2017-02-17T12:50:36+00:00 aa353c5f21bf040579a4aeda6840b56ae93b4309 ipa-server-install is now able to configure Samba and winbind services and manage trusts to Active Directory right off the bat with following alterations from standalone installer: * sidgen task is always triggered since there are only a few entries to tag in the beginning * the `--add-agents` option is hardcoded to False, as there are no potential agents to resolve and addd when setting up the first master in topology https://fedorahosted.org/freeipa/ticket/6630 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
ipa-server-install is now able to configure Samba and winbind services
and manage trusts to Active Directory right off the bat with following
alterations from standalone installer:

   * sidgen task is always triggered since there are only a few entries
     to tag in the beginning

   * the `--add-agents` option is hardcoded to False, as there are no
     potential agents to resolve and addd when setting up the first
     master in topology

https://fedorahosted.org/freeipa/ticket/6630

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
expose AD trust related knobs in composite installers 2017-03-01T14:55:45+00:00 Martin Babinsky mbabinsk@redhat.com 2017-02-17T12:50:09+00:00 13b5821fa4d32b5a1cc69a97386853fad44236ec Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>