freeipa.git/ipaserver, branch my-master FreeIPA patches Add IPA OTP schema and ACLs 2013-05-17T07:30:51+00:00 Nathaniel McCallum npmccallum@redhat.com 2013-04-11T17:24:46+00:00 cb689354357d5311e7ecb231a34e867c23b8a803 This commit adds schema support for two factor authentication via OTP devices, including RADIUS or TOTP. This schema will be used by future patches which will enable two factor authentication directly. https://fedorahosted.org/freeipa/ticket/3365 http://freeipa.org/page/V3/OTP 
This commit adds schema support for two factor authentication via
OTP devices, including RADIUS or TOTP. This schema will be used
by future patches which will enable two factor authentication
directly.

https://fedorahosted.org/freeipa/ticket/3365
http://freeipa.org/page/V3/OTP
Set KRB5CCNAME so that dirsrv can work with newer krb5-server 2013-05-14T21:01:03+00:00 Martin Kosek mkosek@redhat.com 2013-05-14T16:36:50+00:00 ba89635679a318102bffbb0a5d00aff61f4e2967 The DIR ccache format is now the default in krb5-server 1.11.2-4 but /run/user/<uid> isn't created for Apache by anything so it has no ccache (and it doesn't have SELinux permissions to write here either). Use KRB5CCNAME to set a file path instead in /etc/sysconfig/dirsrv. https://fedorahosted.org/freeipa/ticket/3628 
The DIR ccache format is now the default in krb5-server 1.11.2-4
but /run/user/<uid> isn't created for Apache by anything so it
has no ccache (and it doesn't have SELinux permissions to write here
either).

Use KRB5CCNAME to set a file path instead in /etc/sysconfig/dirsrv.

https://fedorahosted.org/freeipa/ticket/3628
Fix ipa-ca DNS name creation 2013-05-09T18:16:51+00:00 Martin Kosek mkosek@redhat.com 2013-05-09T15:50:15+00:00 8667d169daece75794c5dcf8b42d22c9a41840a1 Previous fix (6d06a7e) did not work properly on a CA-less replica with CA-powered master. https://fedorahosted.org/freeipa/ticket/3617 
Previous fix (6d06a7e) did not work properly on a CA-less replica
with CA-powered master.

https://fedorahosted.org/freeipa/ticket/3617
Do not add ipa-ca records on CA-less installs 2013-05-09T13:13:33+00:00 Martin Kosek mkosek@redhat.com 2013-05-09T12:04:13+00:00 6368a60730097311510c0e1258790d916782e6d4 ipa-dns-install crashed when it was run on a CA-less server. https://fedorahosted.org/freeipa/ticket/3617 
ipa-dns-install crashed when it was run on a CA-less server.

https://fedorahosted.org/freeipa/ticket/3617
Set KRB5CCNAME so httpd s4u2proxy can with with newer krb5-server 2013-05-09T07:15:47+00:00 Rob Crittenden rcritten@redhat.com 2013-05-07T14:33:55+00:00 13cef6cac4c7f6c53e9fcfea97c5e830c8c69826 The DIR ccache format is now the default in krb5-server 1.11.2-4 but /run/user/<uid> isn't created for Apache by anything so it has no ccache (and it doesn't have SELinux permissions to write here either). Use KRB5CCNAME to set a file path instead in /etc/sysconfig/httpd. https://fedorahosted.org/freeipa/ticket/3607 
The DIR ccache format is now the default in krb5-server 1.11.2-4
but /run/user/<uid> isn't created for Apache by anything so it
has no ccache (and it doesn't have SELinux permissions to write here
either).

Use KRB5CCNAME to set a file path instead in /etc/sysconfig/httpd.

https://fedorahosted.org/freeipa/ticket/3607
Specify the location for the agent PKCS#12 file so we don't have to move it. 2013-05-06T11:37:23+00:00 Rob Crittenden rcritten@redhat.com 2013-05-02T17:47:06+00:00 be8c9ec9f243386eb9d3ae69bf1d84b255324cc7 Dogtag 10.0.2 changed the default location for this file from /root/.pki to /root/.dogtag which broke our install. https://fedorahosted.org/freeipa/ticket/3599 
Dogtag 10.0.2 changed the default location for this file from /root/.pki
to /root/.dogtag which broke our install.

https://fedorahosted.org/freeipa/ticket/3599
Handle a 501 in cert-find from dogtag as a "not supported" 2013-05-03T20:05:49+00:00 Rob Crittenden rcritten@redhat.com 2013-04-23T21:05:59+00:00 6e2c3a45a1da4b2b39037bf7ed3a0d3fcd42b008 Upgrading from d9 -> d10 does not set up the RESTful interface in dogtag, they just never coded it. Rather than trying to backport things they have decided to not support upgrades. We need to catch this and report a more reasonable error. They are returning a 501 (HTTP method unimplemented) in this case. https://fedorahosted.org/freeipa/ticket/3549 
Upgrading from d9 -> d10 does not set up the RESTful interface
in dogtag, they just never coded it. Rather than trying to backport
things they have decided to not support upgrades.

We need to catch this and report a more reasonable error. They are
returning a 501 (HTTP method unimplemented) in this case.

https://fedorahosted.org/freeipa/ticket/3549
Fix normalization of FQDNs in DNS installer code. 2013-05-03T16:05:50+00:00 Jan Cholasta jcholast@redhat.com 2013-05-03T13:00:24+00:00 252de46ebfde14db30879e94f185096fdaa1faa3 https://fedorahosted.org/freeipa/ticket/3600 
https://fedorahosted.org/freeipa/ticket/3600
Handle socket.gethostbyaddr() exceptions when verifying hostnames. 2013-04-24T13:28:57+00:00 Rob Crittenden rcritten@redhat.com 2013-04-22T18:17:03+00:00 bd89e49ed771ff8677cf0e8aa4b0d40eaa0c39b6 Log any socket exceptions raised and let the process continue. This failure isn't a show-stopper. Other checks past this will catch any other problems. This was seen when /etc/hosts and /etc/resolv.conf were both empty. https://fedorahosted.org/freeipa/ticket/3581 
Log any socket exceptions raised and let the process continue. This
failure isn't a show-stopper. Other checks past this will catch any
other problems.

This was seen when /etc/hosts and /etc/resolv.conf were both empty.

https://fedorahosted.org/freeipa/ticket/3581
Add ipa-ca records for existing CA masters when installing DNS for the first time. 2013-04-24T12:36:28+00:00 Jan Cholasta jcholast@redhat.com 2013-04-23T07:21:33+00:00 63e79a3d86bb302b954571ec881aae06388392cd https://fedorahosted.org/freeipa/ticket/3564 
https://fedorahosted.org/freeipa/ticket/3564