freeipa.git/ipatests/test_xmlrpc, branch pwdpolicy FreeIPA patches User Tracker: Test to create user with minimal values 2017-01-19T16:39:08+00:00 Ganna Kaihorodova gkaihoro@redhat.com 2016-12-08T14:08:41+00:00 91c050b4e093802d8c6b510a22d6e435faba965f Test to create user with minimal values, where uid is not specified https://fedorahosted.org/freeipa/ticket/6126 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> Reviewed-By: Milan Kubik <mkubik@redhat.com> Reviewed-By: Lenka Doudova <ldoudova@redhat.com> 
Test to create user with minimal values, where uid is not specified

https://fedorahosted.org/freeipa/ticket/6126

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
User Tracker: creation of user with minimal values 2017-01-19T16:39:08+00:00 Ganna Kaihorodova gkaihoro@redhat.com 2016-12-08T14:06:36+00:00 fa7aaef1de2c97ac9d24925ca9adb25c7151055f Fix provide possibility to create user-add test with minimal values, where uid is not specified, to provide better coverage. Also provide check for non-empty unicode string for attributes required in init method https://fedorahosted.org/freeipa/ticket/6126 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> Reviewed-By: Milan Kubik <mkubik@redhat.com> Reviewed-By: Lenka Doudova <ldoudova@redhat.com> 
Fix provide possibility to create user-add test with minimal values,
where uid is not specified, to provide better coverage. Also provide
check for non-empty unicode string for attributes required in init method

https://fedorahosted.org/freeipa/ticket/6126

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
Stage User: Test to create stage user with minimal values 2017-01-19T16:36:46+00:00 Ganna Kaihorodova gkaihoro@redhat.com 2016-12-12T13:11:52+00:00 c391f6ba58a61e046e49e1b4526b62d7ce250301 Test to create stage user with minimal values, where uid is not specified https://fedorahosted.org/freeipa/ticket/6448 Reviewed-By: Lenka Doudova <ldoudova@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 
Test to create stage user with minimal values, where uid is not specified

https://fedorahosted.org/freeipa/ticket/6448

Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Tests: Stage User Tracker implementation 2017-01-19T16:36:46+00:00 Ganna Kaihorodova gkaihoro@redhat.com 2016-11-02T14:02:30+00:00 a336de630e9d1ef95a507cc3ee9200c001ab9193 Fix provide possibility of creation stage user with minimal values, with uid not specified and check for non-empty unicode string for attributes requested in init method https://fedorahosted.org/freeipa/ticket/6448 Reviewed-By: Lenka Doudova <ldoudova@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 
Fix provide possibility of creation stage user with minimal values,
with uid not specified and check for non-empty unicode string
for attributes requested in init method

https://fedorahosted.org/freeipa/ticket/6448

Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Generate sha256 ssh pubkey fingerprints for hosts 2017-01-12T10:09:46+00:00 Stanislav Laznicka slaznick@redhat.com 2016-12-12T15:59:48+00:00 721105c53de6fbc0abc7799ec7f48920e02089bd Replace md5 with sha256 for host ssh pubkey fingerprints https://fedorahosted.org/freeipa/ticket/5695 Reviewed-By: Christian Heimes <cheimes@redhat.com> 
Replace md5 with sha256 for host ssh pubkey fingerprints

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Remove "Request Certificate with SubjectAltName" permission 2016-12-21T16:04:18+00:00 Fraser Tweedale ftweedal@redhat.com 2016-12-01T04:28:03+00:00 bdbb1c34a2f5ef864cd3a943dcd047cde20de681 subjectAltName is required or relevant in most certificate use cases (esp. TLS, where carrying DNS name in Subject DN CN attribute is deprecated). Therefore it does not really make sense to have a special permission for this, over and above "request certificate" permission. Furthermore, we already do rigorously validate SAN contents again the subject principal, and the permission is waived for self-service requests or if the operator is a host principal. So remove the permission, the associated virtual operation, and the associated code in cert_request. Fixes: https://fedorahosted.org/freeipa/ticket/6526 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
subjectAltName is required or relevant in most certificate use cases
(esp. TLS, where carrying DNS name in Subject DN CN attribute is
deprecated).  Therefore it does not really make sense to have a
special permission for this, over and above "request certificate"
permission.

Furthermore, we already do rigorously validate SAN contents again
the subject principal, and the permission is waived for self-service
requests or if the operator is a host principal.

So remove the permission, the associated virtual operation, and the
associated code in cert_request.

Fixes: https://fedorahosted.org/freeipa/ticket/6526
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
tests: Expect krbpwdpolicyreference in result of {host,service}-{find,show} --all 2016-12-14T16:46:12+00:00 David Kupka dkupka@redhat.com 2016-11-24T23:10:41+00:00 b1a20599c4f9fdcd208998694185b65460126703 Result of {host,service}-{find,show} commands with option '--all' always contains krbpwpolicyreference attributes. https://fedorahosted.org/freeipa/ticket/6561 Reviewed-By: Pavel Vomacka <pvomacka@redhat.com> 
Result of {host,service}-{find,show} commands with option '--all' always contains
krbpwpolicyreference attributes.

https://fedorahosted.org/freeipa/ticket/6561

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Add options to write lightweight CA cert or chain to file 2016-12-12T12:03:15+00:00 Fraser Tweedale ftweedal@redhat.com 2016-08-08T04:27:20+00:00 32b1743e5fb318b226a602ec8d9a4b6ef2a25c9d Administrators need a way to retrieve the certificate or certificate chain of an IPA-managed lightweight CA. Add params to the `ca' object for carrying the CA certificate and chain (as multiple DER values). Add the `--chain' flag for including the chain in the result (chain is also included with `--all'). Add the `--certificate-out' option for writing the certificate to a file (or the chain, if `--chain' was given). Fixes: https://fedorahosted.org/freeipa/ticket/6178 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Tomas Krizek <tkrizek@redhat.com> 
Administrators need a way to retrieve the certificate or certificate
chain of an IPA-managed lightweight CA.  Add params to the `ca'
object for carrying the CA certificate and chain (as multiple DER
values).  Add the `--chain' flag for including the chain in the
result (chain is also included with `--all').  Add the
`--certificate-out' option for writing the certificate to a file (or
the chain, if `--chain' was given).

Fixes: https://fedorahosted.org/freeipa/ticket/6178
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
cert-request: match names against principal aliases 2016-12-06T15:13:45+00:00 Fraser Tweedale ftweedal@redhat.com 2016-10-25T23:48:19+00:00 dfbdb5323863e6c3d681c1b33b1eb9d2efefd6c7 Currently we do not check Kerberos principal aliases when validating a CSR. Enhance cert-request to accept the following scenarios: - for hosts and services: CN and SAN dnsNames match a principal alias (realm and service name must be same as nominated principal) - for all principal types: UPN or KRB5PrincipalName othername match any principal alias. Fixes: https://fedorahosted.org/freeipa/ticket/6295 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> Reviewed-By: Milan Kubik <mkubik@redhat.com> 
Currently we do not check Kerberos principal aliases when validating
a CSR.  Enhance cert-request to accept the following scenarios:

- for hosts and services: CN and SAN dnsNames match a principal
  alias (realm and service name must be same as nominated principal)

- for all principal types: UPN or KRB5PrincipalName othername match
  any principal alias.

Fixes: https://fedorahosted.org/freeipa/ticket/6295
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
tests: Added basic tests for certs in idoverrides 2016-11-29T17:30:44+00:00 Oleg Fayans ofayans@redhat.com 2016-10-21T08:53:19+00:00 452dc97aba12288a23c20f519f4c1c0d4408b765 https://fedorahosted.org/freeipa/ticket/6412 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Milan Kubik <mkubik@redhat.com> 
https://fedorahosted.org/freeipa/ticket/6412

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>