Commit message (Author, Age, Files, Lines)
* WIP: store mkey in keytab [master_keytab]  (Simo Sorce, 2015-12-12, 6 files, -56/+161)
* Fail hard if realm initialization fails  (Simo Sorce, 2015-12-11, 1 file, -1/+1)
  No point in proceeding, the install will fail later.
  Signed-off-by: Simo Sorce <simo@redhat.com>
* Implement pwd policy iterator  (Simo Sorce, 2015-12-11, 1 file, -55/+110)
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Ticket: https://fedorahosted.org/freeipa/ticket/3015
* Convert ipa-sam to use the new getkeytab control  (Simo Sorce, 2015-12-11, 3 files, -51/+25)
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Ticket: https://fedorahosted.org/freeipa/ticket/5495
* Improve keytab code to select the right principal.  (Simo Sorce, 2015-12-11, 4 files, -9/+20)
  When requesting a keytab the salt used is the NORMAL type (for backwards and AD compatibility), however since we added alias support we need to search for the krbCanonicalName in preference, when nothing is specified, and for the requested principal name when a getkeytab operation is performed. This is so that the correct salt can be applied. (Windows AD uses some peculiar aliases for some special accounts to generate the salt.)
  Signed-off-by: Simo Sorce <simo@redhat.com>
* Allow to specify Kerberos authz data type per user  (Simo Sorce, 2015-12-11, 2 files, -8/+10)
  Like for services, setting the ipaKrbAuthzData attribute on a user object will allow us to control exactly what authz data is allowed for that user. Setting NONE would allow no authz data, while setting MS-PAC would allow only Active Directory compatible data.
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Ticket: https://fedorahosted.org/freeipa/ticket/2579
* Allow admins to disable preauth for SPNs.  (Simo Sorce, 2015-12-11, 5 files, -8/+30)
  Some legacy software is not able to properly cope with preauthentication; allow the admins to disable the requirement to use preauthentication for all Service Principal Names if they so desire. IPA users are excluded: for users, which use passwords of lesser entropy, preauthentication is always required by default. This setting does NOT override explicit policies set on service principals or in the global policy, it only affects the default.
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Ticket: https://fedorahosted.org/freeipa/ticket/3860
* Disable User's ability to use the setkeytab exop.  (Simo Sorce, 2015-12-11, 7 files, -5/+27)
  Users can still obtain a keytab for themselves using the getkeytab exop which does not circumvent password policy checks. Users are disallowed from using setkeytab by default in new installations but not in existing installations (no forced upgrade).
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Ticket: https://fedorahosted.org/freeipa/ticket/5485
* Introduce option to disable the SetKeytab exop  (Simo Sorce, 2015-12-11, 5 files, -1/+12)
  If DisableSetKeytab is set in ipaConfig options then setkeytab will not be available. The default is still to allow this operation for backwards compatibility towards older clients that do not know how to use the new GetKeytab extended operation.
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Ticket: https://fedorahosted.org/freeipa/ticket/5485
* Use only AES enctypes by default  (Simo Sorce, 2015-12-11, 2 files, -13/+3)
  Remove des3 and arcfour from the defaults for new installs.
  NOTE: the ipasam/dcerpc code still uses arcfour
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Ticket: https://fedorahosted.org/freeipa/ticket/4740
* topology: Fix: Make sure the old 'realm' topology suffix is not used  (Tomas Babej, 2015-12-09, 1 file, -0/+1)
  The old 'realm' topology suffix is no longer used, however, it was being created on masters with version 4.2.3 and later. Make sure it's properly removed. Note that this is not the case for the 'ipaca' suffix, which was later removed to 'ca'.
  https://fedorahosted.org/freeipa/ticket/5526
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* replica promotion: allow OTP bulk client enrollment  (Jan Cholasta, 2015-12-09, 1 file, -14/+31)
  https://fedorahosted.org/freeipa/ticket/5498
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* topology: Make sure the old 'realm' topology suffix is not used  (Tomas Babej, 2015-12-09, 1 file, -0/+3)
  The old 'realm' topology suffix is no longer used, however, it was being created on masters with version 4.2.3 and later. Make sure it's properly removed. Note that this is not the case for the 'ipaca' suffix, which was later removed to 'ca'.
  https://fedorahosted.org/freeipa/ticket/5526
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* CI tests: ignore disconnected domain level 1 topology on IPA master teardown  (Martin Babinsky, 2015-12-09, 1 file, -5/+10)
  Reviewed-By: Oleg Fayans <ofayans@redhat.com>
* add missing /ipaplatform/constants.py to .gitignore  (Petr Spacek, 2015-12-08, 1 file, -0/+1)
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* CI: fix function that prepares the hosts file before CI run  (Martin Basti, 2015-12-08, 1 file, -2/+4)
  Without this fix, the function removed 2 lines from the hosts file.
  Reviewed-By: Oleg Fayans <ofayans@redhat.com>
* CI: installation tests  (Martin Basti, 2015-12-08, 2 files, -0/+232)
  Reviewed-By: Oleg Fayans <ofayans@redhat.com>
* install: Run all validators at once.  (David Kupka, 2015-12-08, 1 file, -12/+19)
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Force creation of services during replica install  (Martin Basti, 2015-12-07, 1 file, -1/+2)
  A missing A record should not prevent the replica from being installed.
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* CI: test various topologies with multiple replicas  (Martin Basti, 2015-12-07, 1 file, -0/+87)
  Tests the topologies listed below, with and without CA on replicas:
    star topology: 3 replicas
    line topology: 3 replicas
    complete topology: 3 replicas
  Reviewed-By: Oleg Fayans <ofayans@redhat.com>
* replicainstall: Admin password should not conflict with replica file  (Tomas Babej, 2015-12-07, 1 file, -1/+0)
  The --admin-password (-w) has its use both in domain level 0 and 1.
  https://fedorahosted.org/freeipa/ticket/5517
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Fix minor typos  (Yuri Chornoivan, 2015-12-07, 2 files, -2/+2)
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* tests: Fix incorrect uninstall method invocation  (Tomas Babej, 2015-12-07, 1 file, -1/+1)
  https://fedorahosted.org/freeipa/ticket/5516
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* custodia: do not modify memberPrincipal on key update  (Jan Cholasta, 2015-12-07, 1 file, -2/+1)
  https://fedorahosted.org/freeipa/ticket/5401
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* replica promotion: automatically add the local host to ipaservers  (Jan Cholasta, 2015-12-07, 1 file, -2/+46)
  If the user is authorized to modify members of the ipaservers host group, add the local host to ipaservers automatically.
  https://fedorahosted.org/freeipa/ticket/5401
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* replica promotion: use host credentials when setting up replication  (Jan Cholasta, 2015-12-07, 2 files, -12/+45)
  Use the local host credentials rather than the user credentials when setting up replication. The host must be a member of the ipaservers host group. The user credentials are still required for connection check.
  https://fedorahosted.org/freeipa/ticket/5401
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* ipautil: use file in a temporary dir as ccache in private_ccache  (Jan Cholasta, 2015-12-07, 1 file, -2/+9)
  python-gssapi chokes on empty ccache files, so instead of creating an empty temporary ccache file in private_ccache, create a temporary directory and use a non-existent file in that directory as the ccache.
  https://fedorahosted.org/freeipa/ticket/5401
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* aci: allow members of ipaservers to set up replication  (Jan Cholasta, 2015-12-07, 2 files, -0/+26)
  Add ACIs which allow the members of the ipaservers host group to set up replication. This allows IPA hosts to perform replica promotion on themselves. A number of checks which need read access to certain LDAP entries are done during replica promotion. Add ACIs to allow these checks to be done using any valid IPA host credentials.
  https://fedorahosted.org/freeipa/ticket/5401
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* aci: replace per-server ACIs with ipaserver-based ACIs  (Jan Cholasta, 2015-12-07, 3 files, -128/+12)
  https://fedorahosted.org/freeipa/ticket/3416
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* aci: add IPA servers host group 'ipaservers'  (Jan Cholasta, 2015-12-07, 7 files, -2/+66)
  https://fedorahosted.org/freeipa/ticket/3416
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* check whether replica exists before executing the domain level 1 deletion code  (Martin Babinsky, 2015-12-04, 1 file, -7/+11)
  Move this check before the parts that check topology suffix connectivity, wait for removed segments etc. If the hostname does not exist, it should really be one of the first errors the user encounters during ipa-replica-manage del.
  https://fedorahosted.org/freeipa/ticket/5424
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* add '--auto-forwarders' description to server/replica/DNS installer man pages  (Martin Babinsky, 2015-12-04, 3 files, -0/+9)
  https://fedorahosted.org/freeipa/ticket/5438
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* add auto-forwarders option to standalone DNS installer  (Martin Babinsky, 2015-12-04, 1 file, -0/+3)
  https://fedorahosted.org/freeipa/ticket/5438
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Extend topology help  (Petr Vobornik, 2015-12-04, 1 file, -3/+52)
  `ipa help topology` is improved.
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* replica install: improvements in the handling of CA-related IPA config entries  (Martin Babinsky, 2015-12-04, 3 files, -17/+25)
  When a CA-less replica is installed, its IPA config file should be updated so that ca_host points to the nearest CA master and all certificate requests are forwarded to it. A subsequent installation of the CA subsystem on the replica should clear this entry from the config so that all certificate requests are handled by the freshly installed local CA.
  https://fedorahosted.org/freeipa/ticket/5506
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Update ipa-(cs)replica-manage man pages  (Petr Vobornik, 2015-12-04, 2 files, -9/+21)
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* man: Update the ipa-replica-install manpage with promotion related info  (Tomas Babej, 2015-12-04, 1 file, -12/+57)
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* rename topology suffixes to "domain" and "ca"  (Petr Vobornik, 2015-12-04, 6 files, -15/+20)
  https://www.redhat.com/archives/freeipa-devel/2015-November/msg00485.html
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Update Build instructions  (Martin Kosek, 2015-12-03, 1 file, -1/+1)
  The original dnf builddep command does not work unless the --spec option is added.
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Sync kerberos LDAP schema with upstream.  (Simo Sorce, 2015-12-03, 1 file, -2/+12)
  All the new attributes are unused for now, but this allows us to keep tailing upstream in case of other useful changes later on.
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Ticket: https://fedorahosted.org/freeipa/ticket/2086
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* topologysuffix: change iparepltopoconfroot API properties  (Petr Vobornik, 2015-12-03, 3 files, -11/+9)
  Change CLI option, label and type to reflect that it is only a DN of the suffix.
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipa-replica-install: support CA-less install with promotion.  (David Kupka, 2015-12-03, 5 files, -42/+199)
  https://fedorahosted.org/freeipa/ticket/5441
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Removed duplicate domain name validating function  (Stanislav Laznicka, 2015-12-02, 6 files, -43/+39)
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Modify error message to install first instance of KRA  (Martin Basti, 2015-12-02, 1 file, -1/+3)
  The first instance of KRA should be installed by ipa-kra-install.
  https://fedorahosted.org/freeipa/ticket/5460
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* ipa-kra-install: allow to install first KRA on replica  (Martin Basti, 2015-12-02, 1 file, -6/+6)
  https://fedorahosted.org/freeipa/ticket/5460
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Separated Tracker implementations into standalone package  (Milan Kubík, 2015-12-02, 17 files, -1401/+1480)
  The previous way of implementing trackers in the module with the test caused circular imports. The separate package resolves this issue.
  https://fedorahosted.org/freeipa/ticket/5467
  Reviewed-By: Ales 'alich' Marecek <amarecek@redhat.com>
* implement domain level 1 specific topology checks into IPA server uninstaller  (Martin Babinsky, 2015-12-02, 2 files, -27/+169)
  When uninstalling a domain level 1 master, its removal from topology is checked on remote masters. The uninstaller also checks whether the uninstallation disconnects the topology and if yes aborts the procedure. The '--ignore-disconnected-topology' option skips this check.
  https://fedorahosted.org/freeipa/ticket/5377
  https://fedorahosted.org/freeipa/ticket/5409
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* extract domain level 1 topology-checking code from ipa-replica-manage  (Martin Babinsky, 2015-12-02, 2 files, -97/+101)
  This facilitates reusability of this code in other components, e.g. IPA server uninstallers.
  https://fedorahosted.org/freeipa/ticket/5409
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* translations: Update ipa.pot file  (Tomas Babej, 2015-12-02, 1 file, -2903/+3592)
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Update Contributors.txt  (Martin Kosek, 2015-12-02, 2 files, -0/+21)
  Update .mailmap with misconfigured patch authors since the last feature release. Based on the git history, add new Developer contributors.
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>