Commit message / Author / Age / Files / Lines
* Convert ipa-sam to use the new getkeytab control (ref: ipasam_getkeytab)
  Simo Sorce, 2015-12-03, 3 files, -52/+33

  Signed-off-by: Simo Sorce <simo@redhat.com>
  Ticket: https://fedorahosted.org/freeipa/ticket/5495
* Improve keytab code to select the right principal.
  Simo Sorce, 2015-12-02, 4 files, -9/+20

  When requesting a keytab the salt used is the NORMAL type (for backwards
  and AD compatibility); however, since we added alias support we need to
  search for the krbCanonicalName in preference, when nothing is specified,
  and for the requested principal name when a getkeytab operation is
  performed. This is so that the correct salt can be applied. (Windows AD
  uses some peculiar aliases for some special accounts to generate the salt.)

  Signed-off-by: Simo Sorce <simo@redhat.com>
* Sync kerberos LDAP schema with upstream.
  Simo Sorce, 2015-12-02, 1 file, -2/+12

  All the new attributes are unused for now, but this allows us to keep
  tailing upstream in case of other useful changes later on.

  Signed-off-by: Simo Sorce <simo@redhat.com>
  Ticket: https://fedorahosted.org/freeipa/ticket/2086
* Allow to specify Kerberos authz data type per user
  Simo Sorce, 2015-12-02, 2 files, -6/+6

  Like for services, setting the ipaKrbAuthzData attribute on a user object
  will allow us to control exactly what authz data is allowed for that user.
  Setting NONE would allow no authz data, while setting MS-PAC would allow
  only Active Directory compatible data.

  Signed-off-by: Simo Sorce <simo@redhat.com>
  Ticket: https://fedorahosted.org/freeipa/ticket/2579
* Allow admins to disable preauth for SPNs.
  Simo Sorce, 2015-12-02, 5 files, -8/+30

  Some legacy software is not able to properly cope with preauthentication;
  allow the admins to disable the requirement to use preauthentication for
  all Service Principal Names if they so desire.

  IPA Users are excluded: for users, which use passwords of lesser entropy,
  preauthentication is always required by default.

  This setting does NOT override explicit policies set on service principals
  or in the global policy, it only affects the default.

  Signed-off-by: Simo Sorce <simo@redhat.com>
  Ticket: https://fedorahosted.org/freeipa/ticket/3860
* Disable User's ability to use the setkeytab exop.
  Simo Sorce, 2015-12-02, 7 files, -5/+27

  Users can still obtain a keytab for themselves using the getkeytab exop
  which does not circumvent password policy checks.

  Users are disallowed from using setkeytab by default in new installations
  but not in existing installations (no forced upgrade).

  Signed-off-by: Simo Sorce <simo@redhat.com>
  Ticket: https://fedorahosted.org/freeipa/ticket/5485
* Introduce option to disable the SetKeytab exop
  Simo Sorce, 2015-12-02, 5 files, -1/+12

  If DisableSetKeytab is set in ipaConfig options then setkeytab will not be
  available. The default is still to allow this operation for backwards
  compatibility towards older clients that do not know how to use the new
  GetKeytab extended operation.

  Signed-off-by: Simo Sorce <simo@redhat.com>
  Ticket: https://fedorahosted.org/freeipa/ticket/5485
* Use only AES enctypes by default
  Simo Sorce, 2015-12-02, 2 files, -13/+3

  Remove des3 and arcfour from the defaults for new installs.

  NOTE: the ipasam/dcerpc code still uses arcfour

  Signed-off-by: Simo Sorce <simo@redhat.com>
  Ticket: https://fedorahosted.org/freeipa/ticket/4740
* Removed duplicate domain name validating function
  Stanislav Laznicka, 2015-12-02, 6 files, -43/+39

  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Modify error message to install first instance of KRA
  Martin Basti, 2015-12-02, 1 file, -1/+3

  First instance of KRA should be installed by ipa-kra-install.

  https://fedorahosted.org/freeipa/ticket/5460

  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* ipa-kra-install: allow to install first KRA on replica
  Martin Basti, 2015-12-02, 1 file, -6/+6

  https://fedorahosted.org/freeipa/ticket/5460

  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Separated Tracker implementations into standalone package
  Milan Kubík, 2015-12-02, 17 files, -1401/+1480

  The previous way of implementing trackers in the module with the test
  caused circular imports. The separate package resolves this issue.

  https://fedorahosted.org/freeipa/ticket/5467

  Reviewed-By: Ales 'alich' Marecek <amarecek@redhat.com>
* implement domain level 1 specific topology checks into IPA server uninstaller
  Martin Babinsky, 2015-12-02, 2 files, -27/+169

  When uninstalling a domain level 1 master, its removal from topology is
  checked on remote masters. The uninstaller also checks whether the
  uninstallation disconnects the topology and, if so, aborts the procedure.
  The '--ignore-disconnected-topology' option skips this check.

  https://fedorahosted.org/freeipa/ticket/5377
  https://fedorahosted.org/freeipa/ticket/5409

  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* extract domain level 1 topology-checking code from ipa-replica-manage
  Martin Babinsky, 2015-12-02, 2 files, -97/+101

  This facilitates reusability of this code in other components, e.g. IPA
  server uninstallers.

  https://fedorahosted.org/freeipa/ticket/5409

  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* translations: Update ipa.pot file
  Tomas Babej, 2015-12-02, 1 file, -2903/+3592

  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Update Contributors.txt
  Martin Kosek, 2015-12-02, 2 files, -0/+21

  Update .mailmap with misconfigured patch authors since the last feature
  release. Based on the git history, add new Developer contributors.

  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Fixed small typo in stage-user documentation
  Abhijeet Kasurde, 2015-12-02, 3 files, -3/+3

  Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* replicainstall: Add possibility to install client in one command
  Tomas Babej, 2015-12-01, 2 files, -10/+86

  https://fedorahosted.org/freeipa/ticket/5310

  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* fix 'iparepltopomanagedsuffix' attribute consumers
  Martin Babinsky, 2015-12-01, 2 files, -8/+4

  Commit 46ae52569a179f73b1445922f7bac993d598c953 reimplemented reporting of
  managed topology suffixes in server-find/show commands using membership
  attributes. This patch fixes consumers of this attribute in
  ipa-replica-manage command and webui to reflect this change.

  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Remove global variable dns_forwarders from ipaserver.install.dns
  Petr Spacek, 2015-12-01, 2 files, -18/+14

  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipa-dns-install offer IP addresses from resolv.conf as default forwarders
  Petr Spacek, 2015-12-01, 5 files, -8/+39

  In non-interactive mode, option --auto-forwarders can be used to do the
  same. The --forward option can be used to supply additional IP addresses.

  https://fedorahosted.org/freeipa/ticket/5438

  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipa-client-install: add support for Ed25519 SSH keys (RFC 7479)
  Petr Spacek, 2015-12-01, 1 file, -0/+2

  https://fedorahosted.org/freeipa/ticket/5471

  Reviewed-By: Martin Basti <mbasti@redhat.com>
* perform IPA client uninstallation as a last step of server uninstall
  Martin Babinsky, 2015-12-01, 1 file, -13/+13

  With the ability to promote replicas from an enrolled client the
  uninstallation procedure has to be changed slightly. If the client-side
  components are not removed last during replica uninstallation, we can end
  up with leftover ipa default.conf preventing future client re-enrollment.

  https://fedorahosted.org/freeipa/ticket/5410

  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* change suffices to suffixes
  Petr Vobornik, 2015-12-01, 3 files, -39/+39

  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* topology: replace "suffices" with "suffixes"
  Jan Cholasta, 2015-12-01, 1 file, -4/+4

  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* server: use topologysuffix name in iparepltopomanagedsuffix
  Jan Cholasta, 2015-12-01, 3 files, -7/+103

  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Upgrade: increase time limit for upgrades
  Martin Basti, 2015-12-01, 4 files, -34/+57

  Default ldap search limit is now 30 sec by default during upgrade.

  Limits must be changed for the whole ldap2 connection, because this
  connection is used inside update plugins and commands called from upgrade.

  Together with increasing the time limit, also size limit should be
  unlimited during upgrade. With sizelimit=None we may get the TimeExceeded
  exception from getting default value of the sizelimit from LDAP.

  https://fedorahosted.org/freeipa/ticket/5267

  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* FIX: ipa_kdb_principals: add missing break statement
  Martin Basti, 2015-11-30, 1 file, -0/+1

  Needs a 'break'; otherwise it prevents correct reporting of data and
  always overrides it with the placeholder data.

  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* use starttls in CSReplicationManager connection again
  Petr Vobornik, 2015-11-30, 1 file, -1/+1

  commit 2606f5aecd6ac0db31abb515b691529bb7eaf14e has:

  -            realm, hostname, dirman_passwd, port, starttls=True)
  +            realm, hostname, dirman_passwd, port)

  In CSReplicationManager which causes, e.g.:

    ipa-csreplica-manage -p Secret123 list ipa.example.com
    cannot connect to 'ldaps://ipa.example.com:389': TLS error -5938:Encountered end of file

  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* custodia: Make sure container is created with first custodia replica
  Tomas Babej, 2015-11-30, 1 file, -0/+15

  If a first 4.3+ replica is installed in the domain, the custodia container
  does not exist. Make sure it is created to avoid failures during key
  generation.

  https://fedorahosted.org/freeipa/ticket/5474

  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* ipa-kra-install: error when replica file is passed with domain level > 0
  Martin Basti, 2015-11-27, 1 file, -4/+4

  Installing kra on promoted replica (domain level > 0) does not require
  replica file.

  https://fedorahosted.org/freeipa/ticket/5455

  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* KRA install: show installation message only if install really started
  Martin Basti, 2015-11-27, 1 file, -6/+3

  Message that installation started/failed was shown even when install_check
  fails (installation itself did not start). This commit shows messages only
  if installation started.

  Enhancement for https://fedorahosted.org/freeipa/ticket/5455

  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipa-ca-install: error when replica file is passed with domain level > 0
  Martin Basti, 2015-11-27, 1 file, -0/+3

  With replica promotion (domain level > 0) there are no replica files, thus
  adding replica file as parameter when domain level > 0 should be
  disallowed.

  https://fedorahosted.org/freeipa/ticket/5455

  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Support sourcing the IPA server name from config
  Simo Sorce, 2015-11-27, 5 files, -6/+132

  Use ding-libs to parse /etc/ipa/default.conf to find the IPA server to
  contact by default.

  Signed-off-by: Simo Sorce <simo@redhat.com>
  Ticket: https://fedorahosted.org/freeipa/ticket/2203
  Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
* topology: treat server suffix as multivalued attribute in API
  Petr Vobornik, 2015-11-27, 4 files, -5/+5

  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* webui: update topology graph after raising domain level
  Petr Vobornik, 2015-11-27, 2 files, -8/+32

  When topology graph was shown with domain level == 0, a view describing
  that domain level needs to be at least 1 was shown. If domain level is
  raised, this view is then properly replaced by the graph when shown again.

  https://fedorahosted.org/freeipa/ticket/4286

  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* webui: remove segments on topology graph page
  Petr Vobornik, 2015-11-27, 1 file, -2/+81

  https://fedorahosted.org/freeipa/ticket/4286

  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* webui: add segments on topology graph page
  Petr Vobornik, 2015-11-27, 2 files, -4/+151

  https://fedorahosted.org/freeipa/ticket/4286

  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* webui: topology graph facet
  Petr Vobornik, 2015-11-27, 6 files, -3/+367

  https://fedorahosted.org/freeipa/ticket/4286

  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* webui: topology graph component
  Petr Vobornik, 2015-11-27, 4 files, -3/+428

  https://fedorahosted.org/freeipa/ticket/4286

  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* webui: add d3 library - version 3.5.6
  Petr Vobornik, 2015-11-27, 4 files, -0/+41

  prerequisite for: https://fedorahosted.org/freeipa/ticket/4286

  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* webui: allow to update action_state directly
  Petr Vobornik, 2015-11-27, 1 file, -2/+9

  prerequisite for: https://fedorahosted.org/freeipa/ticket/4286

  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* webui: extract header and action logic from facet to separate mixins
  Petr Vobornik, 2015-11-27, 4 files, -0/+321

  Into:
  * ActionMixin
  * HeaderMixin

  It is supposed to be used as a mixin classes to facet.Facets. In long term
  it should replace/serve as a base class for facet.facet.

  e.g:

      var SomeFacet = declare([Facet, ActionMixin, HeaderMixin], {
          foo: function() {}
      });

  Then following spec can be used:

      some_facet_spec = {
          name: 'some',
          label: 'Some Facet',
          tab_label: 'Some Facet',
          facet_groups: [foo.bar_facet_group],
          facet_group: 'search',
          actions: ['refresh'],
          control_buttons: [
              {
                  name: 'refresh',
                  label: '@i18n:buttons.refresh',
                  icon: 'fa-refresh'
              }
          ],
          header_actions: [refresh]
      };

      reg.facet.register({
          type: 'some',
          ctor: SomeFacet,
          spec: some_facet_spec
      });

  prerequisite for: https://fedorahosted.org/freeipa/ticket/4286

  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* webui: split facet header into two classes
  Petr Vobornik, 2015-11-27, 2 files, -79/+144

  So that facet.simple_facet_header could be used even in pages without
  entity structure - e.g. future topology graph.

  prerequisite for: https://fedorahosted.org/freeipa/ticket/4286

  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* webui: add Deferred/Promise API to rpc.command
  Petr Vobornik, 2015-11-27, 1 file, -1/+20

  so that commands could be easily chained

  prerequisite for: https://fedorahosted.org/freeipa/ticket/4286

  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* replica promotion: modify default.conf even if DS configuration fails
  Martin Babinsky, 2015-11-27, 1 file, -25/+30

  When we promote an IPA client to replica, we need to write master-like
  default.conf once we start configuring directory server instance. This way
  even if DS configuration fails for some reason the server uninstall code
  can work properly and clean up partially configured replica.

  https://fedorahosted.org/freeipa/ticket/5417

  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* mod_auth_gssapi: Remove ntlmssp support and restrict mechanism to krb5
  Christian Heimes, 2015-11-26, 2 files, -1/+2

  By default mod_auth_gssapi allows all locally available mechanisms. If the
  gssntlmssp package is installed, it also offers ntlmssp. This has the
  annoying side effect that some browsers will pop up a username/password
  request dialog if no Krb5 credentials are available.

  The patch restricts the mechanism to krb5 and removes ntlmssp and iakerb
  support from Apache's ipa.conf. The new feature was added to
  mod_auth_gssapi 1.3.0.

  https://fedorahosted.org/freeipa/ticket/5114

  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* ipa-client-automount: Leverage IPAChangeConf to configure the domain for idmapd
  Tomas Babej, 2015-11-26, 1 file, -5/+15

  Simple regexp substitution caused that the domain directive fell under an
  inappropriate section, if the domain directive was not present. Hence the
  idmapd.conf file was not properly parsed.

  Use IPAChangeConf to put the directive in its correct place even if the
  domain directive is missing.

  https://fedorahosted.org/freeipa/ticket/5069

  Reviewed-By: Gabe Alford <redhatrises@gmail.com>
* ipachangeconf: Add ability to preserve section case
  Tomas Babej, 2015-11-26, 1 file, -1/+4

  The IPAChangeConf normalizes section names to lower case. There are cases
  where this behaviour might not be desirable, so provide a way to opt out.

  https://fedorahosted.org/freeipa/ticket/5069

  Reviewed-By: Gabe Alford <redhatrises@gmail.com>
* fix a typo in replica DS creation code
  Martin Babinsky, 2015-11-26, 1 file, -1/+1

  Reviewed-By: Martin Basti <mbasti@redhat.com>