Commit message [Author, Age, Files, Lines]
* Use asn1c helpers to encode/decode the getkeytab control (asn1c-indented) [Simo Sorce, 2014-11-20, 7 files, -396/+107]
    Replaces manual encoding with automatically generated code.
    Fixes: https://fedorahosted.org/freeipa/ticket/4718
    https://fedorahosted.org/freeipa/ticket/4728
* Add asn1c generated code for keytab controls [Simo Sorce, 2014-11-20, 77 files, -2/+12928]
    Instead of manually encoding controls, use an actual asn1 compiler.
    The file asn1/asn1c/ipa.asn1 will contain ipa modules.
    The generated code is committed to the tree and built into a static library that is linked to the code that uses it.
    The first module implements the GetKeytabControl control.
    Related: https://fedorahosted.org/freeipa/ticket/4718
    https://fedorahosted.org/freeipa/ticket/4728
* Fix filtering of enctypes in server code. [Simo Sorce, 2014-11-20, 1 file, -17/+43]
    The filtering was incorrect and would result in always discarding all values.
    Also make sure there are no duplicates in the list.
    Partial fix for: https://fedorahosted.org/freeipa/ticket/4718
* Add additional backup & restore checks [Petr Viktorin, 2014-11-20, 1 file, -6/+35]
    https://fedorahosted.org/freeipa/ticket/3893
    Reviewed-By: Martin Basti <mbasti@redhat.com>
* Raise right exception if domain name is not valid [Martin Basti, 2014-11-20, 1 file, -8/+9]
    Because of the dnspython implementation, in some cases UnicodeError is raised instead of DNS SyntaxError.
    Ticket: https://fedorahosted.org/freeipa/ticket/4734
    Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* webui: fix potential XSS vulnerabilities [Petr Vobornik, 2014-11-20, 5 files, -10/+13]
    Escape user defined text to prevent XSS attacks.
    Extra precaution was taken to escape also parts which are unlikely to contain user-defined text.
    fixes CVE-2014-7850
    https://fedorahosted.org/freeipa/ticket/4742
    Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Show warning instead of error if CA did not start [Martin Basti, 2014-11-20, 1 file, -0/+4]
    This is just a workaround; checking if CA is working raises a false positive exception during upgrade.
    Ticket: https://fedorahosted.org/freeipa/ticket/4676
    Reviewed-By: Simo Sorce <ssorce@redhat.com>
* Do not restore SELinux settings that were not backed up [Petr Viktorin, 2014-11-19, 2 files, -1/+4]
    https://fedorahosted.org/freeipa/ticket/4678
    Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Fix wrong expiration date on renewed IPA CA certificates [Jan Cholasta, 2014-11-19, 2 files, -2/+4]
    The expiration date was always set to the expiration date of the original certificate.
    https://fedorahosted.org/freeipa/ticket/4717
    Reviewed-By: David Kupka <dkupka@redhat.com>
* Fix warning message should not contain CLI commands [Martin Basti, 2014-11-19, 3 files, -10/+12]
    The message is now universal for both CLI and WebUI.
    Ticket: https://fedorahosted.org/freeipa/ticket/4647
    Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Enable QR code display by default in otptoken-add [Nathaniel McCallum, 2014-11-19, 5 files, -6/+9]
    This is possible because python-qrcode's output now fits in a standard terminal.
    Also, update ipa-otp-import and otptoken-add-yubikey to disable QR code output as it doesn't make sense in these contexts.
    https://fedorahosted.org/freeipa/ticket/4703
    Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Fix: zonemgr must be unicode value [Martin Basti, 2014-11-19, 1 file, -0/+2]
    To support IDNA, the --zonemgr option must be unicode, not ascii.
    https://fedorahosted.org/freeipa/ticket/4724
    Reviewed-By: David Kupka <dkupka@redhat.com>
* Add UTC date to GIT snapshot version generation [Simo Sorce, 2014-11-18, 1 file, -2/+3]
    This way make rpms will always generate new packages that can be installed on top of older ones, regardless of alphabetic ordering of the GIT commit id.
    Also make sure version and date variables are immediately resolved, so they can't change during the build.
    Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* Fix named working directory permissions [Martin Basti, 2014-11-18, 4 files, -8/+46]
    Just adding the dir to the specfile doesn't work, because there is no guarantee that named is installed during RPM installation.
    Ticket: https://fedorahosted.org/freeipa/ticket/4716
    Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Add help string on how to configure multiple DNS forwards for various cli tools [Thorsten Scherf, 2014-11-14, 3 files, -3/+3]
    The man pages for various FreeIPA setup tools are more descriptive on how to configure multiple DNS forwarders than the corresponding cli help. This patch makes the cli help more verbose now for the following tools:
    * ipa-dns-install
    * ipa-replica-install
    * ipa-server-install
    https://fedorahosted.org/freeipa/ticket/4465
    Reviewed-By: Martin Basti <mbasti@redhat.com>
* Ensure users exist when assigning tokens to them [Nathaniel McCallum, 2014-11-13, 1 file, -2/+5]
    https://fedorahosted.org/freeipa/ticket/4642
    Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
    Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Improve otptoken help messages [Nathaniel McCallum, 2014-11-13, 1 file, -1/+17]
    https://fedorahosted.org/freeipa/ticket/4689
    Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Produce better error in group-add command. [David Kupka, 2014-11-13, 1 file, -1/+1]
    https://fedorahosted.org/freeipa/ticket/4611
    Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Remove service file even if it isn't a link. [David Kupka, 2014-11-13, 1 file, -5/+3]
    (Link to) service file from /etc/systemd/system/ must be removed before masking systemd service.
    https://fedorahosted.org/freeipa/ticket/4658
    Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Upgrade: fix trusts objectclass violation [Martin Basti, 2014-11-13, 3 files, -6/+9]
    Execute updates in proper ordering. Currently the ldap-updater implementation doesn't allow a better fix.
    Ticket: https://fedorahosted.org/freeipa/ticket/4680
    Reviewed-By: David Kupka <dkupka@redhat.com>
* Fix upgrade referint plugin [Martin Basti, 2014-11-13, 3 files, -12/+92]
    Mixing 'Old' and 'New' attr style for referential integrity plugin causes errors.
    Now old settings are migrated to new-style settings before upgrade.
    Ticket: https://fedorahosted.org/freeipa/ticket/4622
    Reviewed-By: David Kupka <dkupka@redhat.com>
* Search using proper scope when connecting CA instances [Rob Crittenden, 2014-11-13, 1 file, -1/+1]
    The wrong search scope was being used when trying to determine if a given master had a CA installed when trying to create a new connection.
    https://fedorahosted.org/freeipa/ticket/4704
    Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* Fix: DNS policy upgrade raises assertion error [Martin Basti, 2014-11-13, 1 file, -1/+3]
    Ticket: https://fedorahosted.org/freeipa/ticket/4708
    Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipaplatform: Use the dirsrv service, not target [Petr Viktorin, 2014-11-13, 1 file, -2/+1]
    IPA only uses one instance of the directory server. When an instance is not specified to a call to service.start/stop/restart/..., use IPA's instance.
    Stopping a systemd service is synchronous (by default), but stopping a target is not. This change ensures that the directory server is actually down when stop() finishes.
    https://fedorahosted.org/freeipa/ticket/4709
    Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Fix: DNS installer adds invalid zonemgr email [Martin Basti, 2014-11-13, 2 files, -2/+2]
    Installer adds zonemgr as a relative (and invalid) address. This fix forces the installer to use an absolute email.
    Ticket: https://fedorahosted.org/freeipa/ticket/4707
    Reviewed-By: David Kupka <dkupka@redhat.com>
* Fix CA certificate backup and restore [Jan Cholasta, 2014-11-11, 5 files, -24/+67]
    Backup and restore /etc/pki/ca-trust/source/ipa.p11-kit.
    Create /etc/ipa/nssdb after restore if necessary.
    https://fedorahosted.org/freeipa/ticket/4711
    Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* webui: prohibit setting rid base with ipa-trust-ad-posix type [Petr Vobornik, 2014-11-11, 1 file, -17/+60]
    Base RID is no longer editable for ipa-trust-ad-posix range type.
    Adder dialog:
    - Range type selector was moved up because it affects a field above it
    Details page:
    - Only fields relevant to range's type are visible
    https://fedorahosted.org/freeipa/ticket/4221
    Reviewed-By: Tomas Babej <tbabej@redhat.com>
* idrange: include raw range type in output [Petr Vobornik, 2014-11-11, 2 files, -0/+8]
    iparangetype output is a localized human-readable value which is not suitable for machine-based API consumers.
    Solved by new iparangetyperaw output attribute which contains iparangetype's raw value.
    Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ldapupdater: set baserid to 0 for ipa-ad-trust-posix ranges [Petr Vobornik, 2014-11-11, 1 file, -1/+68]
    New updater plugin which sets baserid to 0 for ranges with type ipa-ad-trust-posix.
    https://fedorahosted.org/freeipa/ticket/4221
    Reviewed-By: Tomas Babej <tbabej@redhat.com>
* unittests: baserid for ipa-ad-trust-posix idranges [Petr Vobornik, 2014-11-11, 1 file, -28/+132]
    https://fedorahosted.org/freeipa/ticket/4221
    Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ranges: prohibit setting --rid-base with ipa-trust-ad-posix type [Petr Vobornik, 2014-11-11, 1 file, -14/+47]
    We should not allow setting --rid-base for ranges of ipa-trust-ad-posix since we do not perform any RID -> UID/GID mappings for these ranges (objects have UID/GID set in AD). Thus, setting RID base makes no sense.
    Since ipaBaseRID is a MUST in ipaTrustedADDomainRange object class, value '0' is allowed and used internally for 'ipa-trust-ad-posix' range type. No schema change is done.
    https://fedorahosted.org/freeipa/ticket/4221
    Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipa-restore: Don't crash if AD trust is not installed [Petr Viktorin, 2014-11-11, 1 file, -2/+11]
    https://fedorahosted.org/freeipa/ticket/4668
    Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Remove unneeded internal methods. Move code to public methods. [David Kupka, 2014-11-11, 1 file, -20/+10]
    Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipa-server-install Directory Manager help incorrect [Gabe, 2014-11-11, 1 file, -1/+1]
    https://fedorahosted.org/freeipa/ticket/4694
    Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Modified NSSConnection not to shutdown existing database. [Endi S. Dewata, 2014-11-11, 2 files, -27/+42]
    The NSSConnection class has been modified not to shutdown the existing NSS database if the database is already opened to establish an SSL connection, or is already opened by another code that uses an NSS database without establishing an SSL connection such as vault CLIs.
    https://fedorahosted.org/freeipa/ticket/4638
    Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Fix minimal version of BIND for Fedora 20 and 21 [Petr Spacek, 2014-11-07, 1 file, -1/+7]
    Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* specfile: Add BuildRequires for pki-base 10.2.1-0 [Tomas Babej, 2014-11-07, 1 file, -0/+1]
    https://fedorahosted.org/freeipa/ticket/4688
    Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Update slapi-nis dependency to pull 0.54.1 [Alexander Bokovoy, 2014-11-07, 1 file, -1/+1]
    Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Ensure that a password exists after OTP validation [Nathaniel McCallum, 2014-11-06, 1 file, -12/+14]
    Before this patch users could log in using only the OTP value. This arose because ipapwd_authentication() successfully determined that an empty password was invalid, but 389 itself would see this as an anonymous bind. An anonymous bind would never even get this far in this code, so we simply deny requests with empty passwords.
    This patch resolves CVE-2014-7828.
    https://fedorahosted.org/freeipa/ticket/4690
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fix upgrade: do not use invalid ldap connection [Martin Basti, 2014-11-06, 2 files, -0/+9]
    Ticket: https://fedorahosted.org/freeipa/ticket/4670
    Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Stop dirsrv last in ipactl stop. [David Kupka, 2014-11-06, 1 file, -6/+6]
    Other services may depend on directory server.
    https://fedorahosted.org/freeipa/ticket/4632
    Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Deadlock in schema compat plugin (between automember_update_membership task and dse update) [Thierry bordaz (tbordaz), 2014-11-06, 1 file, -10/+20]
    Defining schema-compat-ignore-subtree values for schema compat plugin config entries removes the default value (ignore: cn=tasks,cn=config). This default value prevented deadlocks.
    Schema plugin needs to scope the $SUFFIX and also any updates to its configuration. This change restricts the schema compat to those subtrees. It replaces the definition of ignored subtrees that would be too long for cn=config (tasks, mapping tree, replication, snmp...)
    https://fedorahosted.org/freeipa/ticket/4635
    Reviewed-By: Martin Basti <mbasti@redhat.com>
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fix various bugs in ipap11helper [Jan Cholasta, 2014-11-05, 1 file, -15/+10]
    Fixes a memory leak, a library handle leak and a double free.
    Also remove some redundant NULL checks before free to prevent false positives in static code analysis.
    https://fedorahosted.org/freeipa/ticket/4651
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fix memory leaks in ipa-join [Jan Cholasta, 2014-11-05, 2 files, -11/+9]
    Also remove dead code in ipa-join and add initializer to a variable in ipa-getkeytab to prevent false positives in static code analysis.
    https://fedorahosted.org/freeipa/ticket/4651
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fix memory leak in ipa-pwd-extop [Jan Cholasta, 2014-11-05, 2 files, -3/+2]
    Also remove dead code and explicitly mark an ignored return value to prevent false positives in static code analysis.
    https://fedorahosted.org/freeipa/ticket/4651
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fix various bugs in ipa-opt-counter and ipa-otp-lasttoken [Jan Cholasta, 2014-11-05, 3 files, -5/+17]
    Fixes a wrong sizeof argument and unchecked return values.
    https://fedorahosted.org/freeipa/ticket/4651
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fix memory leaks in ipa-extdom-extop [Jan Cholasta, 2014-11-05, 1 file, -5/+7]
    https://fedorahosted.org/freeipa/ticket/4651
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fix possible NULL dereference in ipa-kdb [Jan Cholasta, 2014-11-05, 1 file, -3/+5]
    https://fedorahosted.org/freeipa/ticket/4651
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fail if certmonger can't see new CA certificate in LDAP in ipa-cacert-manage [Jan Cholasta, 2014-11-05, 2 files, -24/+19]
    This should not normally happen, but if it does, report an error instead of waiting indefinitely for the certificate to appear.
    https://fedorahosted.org/freeipa/ticket/4629
    Reviewed-By: David Kupka <dkupka@redhat.com>
* Respect UID and GID soft static allocation. [David Kupka, 2014-11-05, 5 files, -44/+73]
    https://fedoraproject.org/wiki/Packaging:UsersAndGroups?rd=Packaging/UsersAndGroups#Soft_static_allocation
    https://fedorahosted.org/freeipa/ticket/4585
    Reviewed-By: Martin Basti <mbasti@redhat.com>