Commit message | Author | Age | Files | Lines
...
* DNS Locations: hide option --no-msdcs in adtrust-install | Martin Basti | 2016-06-27 | 2 | -16/+15
  Since DNS location mechanism is active, this option has no effect, because records are generated dynamically.
  https://fedorahosted.org/freeipa/ticket/2008
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Revert "DNS Locations: do not generate location records for unused locations" | Martin Basti | 2016-06-27 | 1 | -7/+4
  This reverts commit bbf8227e3fd678d4bd6659a12055ba3dbe1c8230.
  After deeper investigation, we found out that empty locations are needed for clients, because clients may have cached records for longer time for that particular location. Only way how to remove location is to remove it using location-del
  https://fedorahosted.org/freeipa/ticket/2008
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Fix IssuerDN presence check in cert search result | Fraser Tweedale | 2016-06-27 | 1 | -1/+1
  When checking for presence of IssuerDN in certificate search result, we mistakenly check for the presence of the SubjectDN field, then unsafely index into the IssuerDN field. Check the presence of IssuerDN correctly.
  Part of: https://fedorahosted.org/freeipa/ticket/4559
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fix incorrect construction of service principal during replica cleanup | Martin Babinsky | 2016-06-27 | 1 | -1/+1
  https://fedorahosted.org/freeipa/ticket/5985
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* ipa-rmkeytab, ipa-join: don't fail if init of gettext failed | Martin Basti | 2016-06-27 | 2 | -2/+2
  If locale setting was incorrect, gettext failed to initialize and scripts failed. This commit replaces error exit with warning message. (Better to have untranslated output than fail)
  https://fedorahosted.org/freeipa/ticket/5973
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Add missing nsSystemIndex attributes | Stanislav Laznicka | 2016-06-27 | 1 | -0/+2
  https://fedorahosted.org/freeipa/ticket/5947
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNS Locations: server-mod: fix if statement | Martin Basti | 2016-06-27 | 1 | -1/+1
  Statement used for detection if objectclass change is needed was logically wrong, this fixes it.
  https://fedorahosted.org/freeipa/ticket/2008
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Increase ipa-getkeytab LDAP timeout to 100sec | Martin Basti | 2016-06-27 | 1 | -2/+2
  On slower machines, the original time 10s is not enough. Raising timeout to 100sec should help.
  https://fedorahosted.org/freeipa/ticket/5842
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* mod_auth_gssapi: enable unique credential caches names | Petr Vobornik | 2016-06-24 | 2 | -2/+3
  mod_auth_gssapi > 1.4.0 implements support for unique ccaches names. Without it ccache name is derived from principal name.
  It solves a race condition in two concurrent requests of the same principal. Where first request deletes the ccache and the second tries to use it which then fails. It may lead e.g. to a failure of two concurrent ipa-client-install.
  With this feature there are two ccaches so there is no clash.
  https://fedorahosted.org/freeipa/ticket/5653
  Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
  Reviewed-By: Robbie Harwood <rharwood@redhat.com>
* ipapwd_extop should use TARGET_DN defined by a pre-extop plugin | Thierry Bordaz | 2016-06-24 | 2 | -9/+29
  ipapwd_extop allows to update the password on a specific entry, identified by its DN. It can be useful to support virtual DN in the extop so that update of a virtual entry would land into the proper real entry.
  If a pre-extop sets the TARGET_DN, ipapwd_extop sets ORIGINAL_DN with the value of TARGET_DN, instead of using the original one (in the ber req)
  There is a dependency on slapi-nis >= 0.56-0.1 (https://fedorahosted.org/freeipa/ticket/5955)
  https://fedorahosted.org/freeipa/ticket/5946
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Tests: Fix ipatests/test_ipaserver/test_rpcserver.py | Lenka Doudova | 2016-06-24 | 1 | -1/+0
  Removed no longer valid assert.
  Reviewed-By: Oleg Fayans <ofayans@redhat.com>
* topo segment-add: validate that both masters support target suffix | Stanislav Laznicka | 2016-06-24 | 1 | -3/+24
  This patch removes the ability to add segment between hosts where either does not support the requested suffix.
  https://fedorahosted.org/freeipa/ticket/5967
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Fix topologysuffix-verify failing connections | Stanislav Laznicka | 2016-06-24 | 2 | -3/+5
  topologysuffix-verify would have checked connectivity even between hosts that are not managed by the given suffix.
  https://fedorahosted.org/freeipa/ticket/5967
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Update Contributors.txt | Martin Kosek | 2016-06-24 | 2 | -0/+2
  Update .mailmap to fix wrong commit author and re-generate the Developer contributor list.
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Tests: Fix for failing location tests | Lenka Doudova | 2016-06-23 | 3 | -26/+87
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Server-del: fix system records removal | Martin Basti | 2016-06-23 | 1 | -3/+3
  Services on replica to be removed must be deleted first, otherwise update of system records will not take this change into account
  https://fedorahosted.org/freeipa/ticket/2008
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Fix to ipa-ca-install asking for host principal password | Stanislav Laznicka | 2016-06-23 | 1 | -4/+3
  With a ca_cert_file specified in options, the nss_db was used before the certificates from the file were added to it, which caused an exception that led to fallback to ssh which is broken.
  https://fedorahosted.org/freeipa/ticket/5965
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* account for added krbcanonicalname attribute during xmlrpc tests | Martin Babinsky | 2016-06-23 | 7 | -7/+19
  https://fedorahosted.org/freeipa/ticket/3864
  Reviewed-By: David Kupka <dkupka@redhat.com>
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* set krbcanonicalname on host entry during krbinstance configuration | Martin Babinsky | 2016-06-23 | 1 | -0/+1
  part of https://fedorahosted.org/freeipa/ticket/3864
  Reviewed-By: David Kupka <dkupka@redhat.com>
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* IPA API: set krbcanonicalname instead of ipakrbprincipalalias on new entities | Martin Babinsky | 2016-06-23 | 5 | -8/+20
  Hosts, services, and (stage)-users will now have krbcanonicalname attribute set to the same value as krbprincipalname on creation. Moreover, new services will not have ipakrbprincipalalias set anymore.
  Part of https://fedorahosted.org/freeipa/ticket/3864
  Reviewed-By: David Kupka <dkupka@redhat.com>
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* ipa-enrollment: set krbCanonicalName attribute on enrolled host entry | Martin Babinsky | 2016-06-23 | 1 | -0/+15
  Part of https://fedorahosted.org/freeipa/ticket/3864
  Reviewed-By: David Kupka <dkupka@redhat.com>
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* ipa-kdb: set krbCanonicalName when creating new principals | Martin Babinsky | 2016-06-23 | 1 | -3/+1
  Additionally, stop setting ipakrbprincipalalias attribute during principal creation.
  Part of https://fedorahosted.org/freeipa/ticket/3864
  Reviewed-By: David Kupka <dkupka@redhat.com>
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* add krbCanonicalName to attributes watched by MODRDN plugin | Martin Babinsky | 2016-06-23 | 1 | -0/+11
  https://fedorahosted.org/freeipa/ticket/3864
  Reviewed-By: David Kupka <dkupka@redhat.com>
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* add case-insensitive matching rule to krbprincipalname index | Martin Babinsky | 2016-06-23 | 2 | -0/+12
  Part of https://fedorahosted.org/freeipa/ticket/3864
  Reviewed-By: David Kupka <dkupka@redhat.com>
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* mark 'ipaKrbPrincipalAlias' attribute as deprecated in schema | Martin Babinsky | 2016-06-23 | 1 | -1/+1
  part of https://fedorahosted.org/freeipa/ticket/3864
  Reviewed-By: David Kupka <dkupka@redhat.com>
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* perform case-insensitive principal search when canonicalization is requested | Martin Babinsky | 2016-06-23 | 1 | -1/+12
  When canonicalization is requested, the krbprincipalname attribute is searched for case-insensitively.
  In the case that krbcanonicalname is not set, the matched alias is returned with the casing stored in backend, not the one input by client.
  Part of https://fedorahosted.org/freeipa/ticket/3864
  Reviewed-By: David Kupka <dkupka@redhat.com>
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* Require Dogtag >= 10.3.3 | Fraser Tweedale | 2016-06-23 | 1 | -3/+3
  Dogtag 10.3.3 fixes a lightweight CA initialisation issue that caused existing lightweight CAs to not be initialised on CA replicas on first run (see https://fedorahosted.org/pki/ticket/2359).
  Part of: https://fedorahosted.org/freeipa/ticket/4559
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Report missing certificate in external trust chain | Florence Blanc-Renaud | 2016-06-23 | 1 | -2/+3
  When ipa-server-install is called with an external CA, but the cert chain is incomplete, the command exits with the following error:
    ERROR CA certificate chain in <list of --external-cert-file> is incomplete
  The fix adds in the log the name of the missing certificate:
    ERROR CA certificate chain in <list of --external-cert-file> is incomplete: missing certificate with subject '<dn of the missing certificate>'
  https://fedorahosted.org/freeipa/ticket/5792
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Topology plugins sigsev/heap corruption when adding a managed host | root | 2016-06-22 | 1 | -0/+1
  A managed host may handle several ipaReplTopoManagedSuffix. Removing (from the topology) such host, loops over the replicated suffixes array to retrieve, in the hosts list, the host record and delete it. The problem is that a variable used to manage a hosts list is not reset when looking at the next suffix. That will mess up the lists, keeping freed elements in the lists.
  The fix is to reset the variable inside the replicated suffix loop
  https://fedorahosted.org/freeipa/ticket/5977
  Reviewed-By: Ludwig Krispenz <lkrispen@redhat.com>
* host/service-show/find shouldn't fail on invalid certificate | Stanislav Laznicka | 2016-06-22 | 3 | -5/+70
  host/service-show/find methods would have failed if the first certificate they had in userCertificate attribute were invalid. Expected behavior is that they just show the rest of the requested attributes.
  https://fedorahosted.org/freeipa/ticket/5797
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* server-del: harden check for last roles | Martin Babinsky | 2016-06-22 | 1 | -28/+34
  The current implementation of check for last CA/DNS server and DNSSec key master in `server-del` is quite fragile and works with quite a few assumptions which may not be always true (CA and DNS is always configured etc.).
  This patch hardens the check so that it does not break when the above assumptions do not hold.
  https://fedorahosted.org/freeipa/ticket/5960
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Become IPA 4.4.0 Alpha 1 | Petr Vobornik | 2016-06-21 | 1 | -3/+3
* Replica promotion: use the correct IPA domain for replica | Martin Basti | 2016-06-21 | 1 | -0/+29
  IPA domain is detected from LDAP for replica promote installation. If local domain and IPA domain does not match, installer refuses to install replica.
  IPA versions 4.3.0 and 4.3.1 allow to specify different domain for replica. Only one IPA domain is allowed (domain used with master) and different domain may cause issues.
  This commit prevents to install new replica if multiple domains was used in past. User action is required to fix this issue and remove incorrect IPA domains from LDAP.
  https://fedorahosted.org/freeipa/ticket/5976
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* DNS Servers: Web UI part | Pavel Vomacka | 2016-06-21 | 2 | -0/+55
  Adds new page with DNS Servers and details page about each server. It is counterpart of dnsserver-{find,show,mod} CLI commands.
  Part of: https://fedorahosted.org/freeipa/ticket/5905
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Update Developers in Contributors.txt | Martin Kosek | 2016-06-21 | 1 | -0/+8
  Add the most recent development contributors to FreeIPA.
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Allow to set weight of a server without location | Pavel Vomacka | 2016-06-21 | 1 | -1/+2
  There was a bug when a new server was added it was not possible to set weight until a location was set. This change corrects it and allows user to set a weight of server without location.
  Part of: https://fedorahosted.org/freeipa/ticket/5905
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* schema: return fingerprint as unicode text | David Kupka | 2016-06-21 | 1 | -1/+1
  https://fedorahosted.org/freeipa/ticket/4739
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Add DNS default TTL field | Pavel Vomacka | 2016-06-21 | 1 | -0/+1
  DNS default TTL is new field on DNS Zone Settings page.
  WebUI counterpart of: https://fedorahosted.org/freeipa/ticket/2956
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* schema: Cache schema in api instance | David Kupka | 2016-06-21 | 1 | -3/+11
  To avoid generating schema for every schema command call store schema in api instance when first generated and reuse it in next calls.
  https://fedorahosted.org/freeipa/ticket/4739
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* schema: Add known_fingerprints option to schema command | David Kupka | 2016-06-21 | 5 | -3/+39
  When client requests schema it can list fingerprints of cached schemas and server responds with SchemaUpToDate exception specifying fingerprint of schema to use.
  https://fedorahosted.org/freeipa/ticket/4739
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* schema: Add fingerprint and TTL | David Kupka | 2016-06-21 | 1 | -0/+36
  Calculate fingerprint for schema in deterministic way. Send fingerprint value together with schema. Send TTL with schema to inform client about caching interval.
  https://fedorahosted.org/freeipa/ticket/4739
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Add placeholder to add segment dialog | Pavel Vomacka | 2016-06-21 | 3 | -0/+3
  'Autogenerated' placeholder is shown when adding new segment.
  https://fedorahosted.org/freeipa/ticket/5867
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Add listener which opens add segment dialog | Pavel Vomacka | 2016-06-21 | 1 | -73/+107
  The event is emitted by clicking on the second node when adding segment by mouse. The listener opens dialog and prefills values.
  Part of: https://fedorahosted.org/freeipa/ticket/5648
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Add creating a segment using mouse | Pavel Vomacka | 2016-06-21 | 2 | -24/+382
  Create new semicircles around the node after mouseover. These work as buttons to create arrow and after clicking on another node the Add topology segment dialog is opened. Also selecting segment works, if the segment already exists then the segment is selected instead of opening the dialog.
  https://fedorahosted.org/freeipa/ticket/5648
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* pylint: fix: multiple-statements | Jan Barta | 2016-06-21 | 3 | -3/+6
  Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
* DNS: Fix realm domains integration with DNS zone add. | Petr Spacek | 2016-06-21 | 1 | -2/+1
  Realmdomains integration into DNS commands pre-dates split of DNS forward zones and DNS master zones into two distinct commands. There was a forgotten condition in dnszone_add command which caused omission of DNS master zones with non-empty forwarders from realmdomain list.
  https://fedorahosted.org/freeipa/ticket/5980
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Extend trust config page | Pavel Vomacka | 2016-06-21 | 1 | -0/+10
  Add list of AD trust agents and controllers to trust config page.
  Part of: https://fedorahosted.org/freeipa/ticket/5906
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Extend DNS config page | Pavel Vomacka | 2016-06-21 | 1 | -0/+9
  Add DNS servers list and DNSSEC key master to DNS config page in webui.
  Part of: https://fedorahosted.org/freeipa/ticket/5906
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Make Actions string translatable | Pavel Vomacka | 2016-06-21 | 2 | -3/+4
  Remove hardcoded strings 'Actions ' and substitute them by strings from translatable strings.
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Do not update result of *-config-show with empty server attributes | Martin Babinsky | 2016-06-21 | 1 | -3/+5
  If a server attribute such as DNSSec Key master is unset, None is passed as the attribute value into the upper API layers and displayed in the output of `dnsconfig-show` et al. We should not show this and leave the attribute empty instead.
  https://fedorahosted.org/freeipa/ticket/5960
  Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
  Reviewed-By: Martin Basti <mbasti@redhat.com>