Commit message | Author | Age | Files | Lines
* Support AD-style LDAP Binds [ref: AD-binds] | Simo Sorce | 2015-09-07 | 1 | -1/+54
  In Active Directory it is allowed to bind to LDAP providing the bare username instead of a full user DN. Add support for it exclusively for regular IPA users.
  Signed-off-by: Simo Sorce <simo@redhat.com>
* Replicas cannot define their own master password. | Simo Sorce | 2015-06-23 | 1 | -8/+0
  Seems like this slipped in during the refactoring of the install tools.
  Signed-off-by: Simo Sorce <simo@redhat.com>
* Fix for a typo in certprofile mod command. | Milan Kubík | 2015-06-23 | 1 | -1/+1
  Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
* generalize certificate creation during testing | Martin Babinsky | 2015-06-23 | 3 | -26/+26
  With added support for multiple certificates for hosts, services, and even users, the IPA testing framework will need a more flexible way to generate temporary testing certificates for these entities. This patch modifies the currently used `testcert` module to support these requirements.
  Related to work on http://www.freeipa.org/page/V4/User_Certificates
  Reviewed-By: Milan Kubík <mkubik@redhat.com>
* Become IPA 4.2.0 Alpha 1 | Petr Vobornik | 2015-06-18 | 1 | -3/+3
* Server Upgrade: create default config for NIS Server plugin | Martin Basti | 2015-06-18 | 1 | -0/+18
  Plugin is disabled by default. This commit prevents false positive upgrade errors.
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* ipa-ca-install fix: reconnect ldap2 after DS restart | Martin Basti | 2015-06-18 | 1 | -0/+9
  https://fedorahosted.org/freeipa/ticket/5064
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* webui: adjust user deleter dialog to new api | Petr Vobornik | 2015-06-18 | 4 | -14/+18
  In user_del, flags 'permanently' and 'preserve' were replaced with a single bool option 'preserve'.
  part of: https://fedorahosted.org/freeipa/ticket/3813
  Reviewed-By: David Kupka <dkupka@redhat.com>
* User life cycle: change user-del flags to be CLI-specific | Jan Cholasta | 2015-06-18 | 3 | -12/+28
  Rename --permanently to --no-preserve.
  https://fedorahosted.org/freeipa/ticket/3813
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* add DS index for userCertificate attribute | Martin Babinsky | 2015-06-18 | 2 | -0/+17
  'eq' and 'pres' indices for the userCertificate attribute allow for more efficient lookup and matching of binary certificates assigned to users, hosts, and services.
  Part of http://www.freeipa.org/page/V4/User_Certificates
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Clarify error messages in ipa-replica-prepare: add_dns_records() | Petr Spacek | 2015-06-18 | 1 | -3/+3
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Clarify recommendation about --ip-address option in ipa-replica-prepare | Petr Spacek | 2015-06-18 | 1 | -2/+3
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Improve error messages about reverse address resolution in ipa-replica-prepare | Petr Spacek | 2015-06-18 | 1 | -2/+8
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* install: Fix ipa-replica-install not installing RA cert | Jan Cholasta | 2015-06-18 | 2 | -9/+14
  https://fedorahosted.org/freeipa/ticket/4468
  Reviewed-By: David Kupka <dkupka@redhat.com>
* DNS: add UnknownRecord to schema | Martin Basti | 2015-06-18 | 5 | -8/+13
  Definition of the UnknownRecord attributetype.
  https://fedorahosted.org/freeipa/ticket/4939
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Bump run-time requires to SoftHSM 2.0.0rc1. | Petr Spacek | 2015-06-18 | 1 | -1/+1
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Fix OTP token URI generation | Nathaniel McCallum | 2015-06-17 | 1 | -1/+1
  Google Authenticator fails if the algorithm is not uppercase.
  https://fedorahosted.org/freeipa/ticket/5047
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* User life cycle: provide preserved user virtual attribute | Jan Cholasta | 2015-06-15 | 3 | -33/+51
  https://fedorahosted.org/freeipa/ticket/3813
  Reviewed-By: David Kupka <dkupka@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* ipa-replica-manage: adjust del to work with managed topology | Petr Vobornik | 2015-06-15 | 1 | -63/+166
  Introduces a new method for deletion of a replica. This method is used if managed topology is enabled.
  part of https://fedorahosted.org/freeipa/ticket/4302
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* server: add "del" command | Petr Vobornik | 2015-06-15 | 3 | -2/+17
  This command is internal and is supposed to be used by ipa-replica-manage to delete a replica.
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* ipa-replica-manage: Do not allow topology altering commands from DL 1 | Petr Vobornik | 2015-06-15 | 1 | -16/+37
  With Domain Level 1 and above, the usage of ipa-replica-manage commands that alter the replica topology is deprecated. The following commands are prohibited:
  * connect
  * disconnect
  Upon executing any of these commands, users are pointed to the ipa topologysegment-* replacements. The exception is creation/deletion of a winsync agreement.
  Part of: https://fedorahosted.org/freeipa/ticket/4302
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* regenerate ACI.txt after stage user permission rename | Petr Vobornik | 2015-06-15 | 1 | -2/+2
  ./makeaci was not run
* Server Upgrade: disconnect ldap2 connection before DS restart | Martin Basti | 2015-06-15 | 1 | -0/+5
  Without this patch, the invalid api.Backend.ldap2 connection was used to communicate with DS and it raised a network error after the DS restart.
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Stage User: Fix permissions naming and split them where appropriate. | Thierry Bordaz | 2015-06-15 | 3 | -56/+56
  Reviewed-By: David Kupka <dkupka@redhat.com>
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* DNSSEC: fix traceback during shutdown phase | Martin Basti | 2015-06-15 | 1 | -11/+11
  ipa-dnskeysyncd causes a traceback when receiving SIGTERM or SIGINT.
  Ticket: https://fedorahosted.org/freeipa/ticket/4657
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* topology: fix swapped topologysegment-reinitialize behavior | Petr Vobornik | 2015-06-15 | 1 | -2/+4
  Setting "nsds5BeginReplicaRefresh;left" to "start" reinitializes the right node and not the left node. This patch fixes the API to match the behavior.
  part of: https://fedorahosted.org/freeipa/ticket/4302
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* topology: restrict direction changes | Petr Vobornik | 2015-06-15 | 4 | -16/+9
  The topology plugin doesn't properly handle:
  - creation of a segment with direction 'none' and then upgrade to another direction
  - downgrade of direction
  These situations are now forbidden in the API.
  part of: https://fedorahosted.org/freeipa/ticket/4302
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* install: Fix logging setup in server and replica install | Jan Cholasta | 2015-06-12 | 1 | -1/+16
  https://fedorahosted.org/freeipa/ticket/4468
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNSSEC: Detect zone shadowing with incorrect DNSSEC signatures. | Petr Spacek | 2015-06-11 | 2 | -13/+15
  https://fedorahosted.org/freeipa/ticket/4657
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* v2-reject modifications of endpoints and connectivity of a segment | Ludwig Krispenz | 2015-06-11 | 1 | -9/+60
  Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
* make sure the agreement rdn matches the rdn used in the segment | Ludwig Krispenz | 2015-06-11 | 1 | -18/+19
  Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
* disallow mod of topology segment nodes | Petr Vobornik | 2015-06-11 | 3 | -6/+5
  Mod of segment end will be disallowed in the topology plugin.
  Reasoning (by Ludwig): if we want to properly allow mods to change connectivity and endpoints, then we would need to check if the mod disconnects the topology, delete existing agreements, check if the new one would be a duplicate and create new agmts. There could be some difficult scenarios, like having A <--> B <--> C <--> D; if you modify the segment B-C to A-D, the topology breaks and is then reconnected.
  part of: https://fedorahosted.org/freeipa/ticket/4302
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Revert 389-DS BuildRequires version to 1.3.3.9 | Martin Basti | 2015-06-11 | 1 | -1/+1
  Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
* Update PKCS#11 mechanism constants for AES key wrapping to PKCS#11 v2.40. | Petr Spacek | 2015-06-11 | 2 | -3/+3
  SoftHSM 2.0.0rc1 was updated to these new constants to avoid collision with Blowfish mechanisms.
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Use 389-ds centralized scripts. | David Kupka | 2015-06-11 | 3 | -4/+16
  Directory server is deprecating use of tools in instance-specific paths. Instead, tools in the bin/sbin path should be used.
  https://fedorahosted.org/freeipa/ticket/4051
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNSSEC: validate forward zone forwarders | Martin Basti | 2015-06-11 | 4 | -3/+202
  Show warning messages if DNSSEC validation is failing for a particular FW zone or if the specified forwarders do not work.
  https://fedorahosted.org/freeipa/ticket/4657
  Reviewed-By: David Kupka <dkupka@redhat.com>
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* DNSSEC: Improve global forwarders validation | Martin Basti | 2015-06-11 | 5 | -65/+188
  Validation now provides more detailed information and fewer false positive failures.
  https://fedorahosted.org/freeipa/ticket/4657
  Reviewed-By: David Kupka <dkupka@redhat.com>
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* rename topologysegment_refresh to topologysegment_reinitialize | Petr Vobornik | 2015-06-11 | 3 | -4/+5
  https://fedorahosted.org/freeipa/ticket/5056
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Enforce CA ACLs in cert-request command | Fraser Tweedale | 2015-06-11 | 2 | -0/+93
  This commit adds CA ACL enforcement to the cert-request command and uses the pyhbac machinery.
  It is planned to implement ACL enforcement in Dogtag in a future release, and remove certificate issuance privileges and CA ACL enforcement responsibility from the framework. See https://fedorahosted.org/freeipa/ticket/5011 for more information.
  Part of: https://fedorahosted.org/freeipa/ticket/57
  Part of: https://fedorahosted.org/freeipa/ticket/4559
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Add CA ACL plugin | Fraser Tweedale | 2015-06-11 | 16 | -2/+771
  Implement the caacl commands, which are used to indicate which principals may be issued certificates from which (sub-)CAs, using which profiles.
  At this commit, and until sub-CAs are implemented, all rules refer to the top-level CA (represented as ".") and no ca-ref argument is exposed.
  Also, during install and upgrade add a default CA ACL that permits certificate issuance for all hosts and services using the profile 'caIPAserviceCert' on the top-level CA.
  Part of: https://fedorahosted.org/freeipa/ticket/57
  Part of: https://fedorahosted.org/freeipa/ticket/4559
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* webui: make topology suffices UI readonly | Petr Vobornik | 2015-06-11 | 1 | -8/+7
  Admins should not modify topology suffices. They are created on install/upgrade.
  part of: https://fedorahosted.org/freeipa/ticket/4997
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* add entries required by topology plugin on update | Petr Vobornik | 2015-06-11 | 1 | -0/+16
  These entries were not added on upgrade from old IPA servers and on replica creation.
  https://fedorahosted.org/freeipa/ticket/4302
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* move replication managers group to cn=sysaccounts,cn=etc,$SUFFIX | Petr Vobornik | 2015-06-11 | 3 | -4/+7
  https://fedorahosted.org/freeipa/ticket/4302
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* vault: Fix ipa-kra-install | Jan Cholasta | 2015-06-10 | 11 | -96/+102
  Use state in LDAP rather than local state to check if KRA is installed. Use correct log file names.
  https://fedorahosted.org/freeipa/ticket/3872
  Reviewed-By: David Kupka <dkupka@redhat.com>
* install: Initialize API early in server and replica install | Jan Cholasta | 2015-06-10 | 2 | -177/+191
  https://fedorahosted.org/freeipa/ticket/4468
  Reviewed-By: David Kupka <dkupka@redhat.com>
* vault: Move vaults to cn=vaults,cn=kra | Jan Cholasta | 2015-06-10 | 10 | -25/+45
  https://fedorahosted.org/freeipa/ticket/3872
  Reviewed-By: David Kupka <dkupka@redhat.com>
* check for existing and self-referential segments | Ludwig Krispenz | 2015-06-10 | 1 | -10/+20
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* topology: hide topologysuffix-add del mod commands | Petr Vobornik | 2015-06-10 | 1 | -0/+6
  Suffices are created on installation/upgrade. Users should not modify them.
  https://fedorahosted.org/freeipa/ticket/4302
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* topology: allow only one node to be specified in topologysegment-refresh | Petr Vobornik | 2015-06-10 | 1 | -6/+13
  https://fedorahosted.org/freeipa/ticket/4302
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Fixed KRA installation problem. | Endi S. Dewata | 2015-06-10 | 1 | -7/+8
  The ipa-pki-proxy.conf has been modified to optionally require client certificate authentication for PKI REST services, as it's done in standalone PKI, to allow the proper KRA installation.
  https://fedorahosted.org/freeipa/ticket/5058
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>