| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3744
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3744
|
| |
|
|
|
|
|
|
|
|
| |
In external CA installation, ipa-server-install leaked NSS objects
which caused an installation crash later when a subsequent call of
NSSConnection tried to free them.
Properly freeing the NSS objects avoid this crash.
https://fedorahosted.org/freeipa/ticket/3773
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3811
|
| |
|
|
| |
Variable was set, but it was not used.
|
| | |
|
| |
|
|
| |
warning: passing argument from incompatible pointer type
|
| |
|
|
|
|
|
| |
Add ldap_connect() method to Host to allow executing querying LDAP from tests.
Use information in the mapping tree to poll until all replication is finished
(or failing) before checking that entries replicated successfully.
|
| | |
|
| |
|
|
|
| |
The beakerLib plugin collects log files via compressed tarballs,
so these dependencies are needed
|
| |
|
|
|
|
|
| |
This script makes common testing tasks such as IPA installation
and uninstallation available outside of Python.
https://fedorahosted.org/freeipa/ticket/3721
|
| |
|
|
|
|
|
| |
This allows a cluster of replicas and clients to be installed
in a named topology.
Several named topologies are available (star, line, complete, tree,
tree2) and new ones can be defined as a simple function.
|
| |
|
|
|
|
|
|
| |
- install_client
- connect_replica
- disconnect_replica
- prepare_host
- kinit_admin
|
| |
|
|
|
| |
For complex topologies the CA needs to be available on most
replicas, since only servgers with a CA can prepare replica files.
|
| |
|
|
| |
This allows collecting logs when a test context is not available.
|
| |
|
|
| |
This allows reusing the code elsewhere
|
| |
|
|
|
|
|
|
|
|
| |
There was already a dependency in server package, however,
the correct place for such dependency is in freeipa-python,
since the relevant code using keyutils resides there.
Both freeipa-server and freeipa-client require freeipa-python.
https://fedorahosted.org/freeipa/ticket/3808
|
| | |
|
| |
|
|
| |
Pick up latest SSSD 1.11 Beta development
|
| | |
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3717
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3717
|
| |
|
|
| |
No other param/field has 'field' in a label.
|
| |
|
|
| |
Long words (ie. service principal) breaks out of notification area. It doesn't look good. Patch adds word-wrap to break them to multiple pieces.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
Attempt to resolve SIDs through SSSD first to avoid using trust
account password. This makes possible to run HBAC test requests
without being in 'trusted admins' group.
https://fedorahosted.org/freeipa/ticket/3803
|
| |
|
|
|
|
|
|
|
|
| |
When creating a trusted domain ID range, probe AD DC to get
information about ID space leveraged by POSIX users already
defined in AD, and create an ID range with according parameters.
For more details:
http://www.freeipa.org/page/V3/Use_posix_attributes_defined_in_AD
https://fedorahosted.org/freeipa/ticket/3649
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When trust is established, we also create idrange for the trusted domain.
With FreeIPA 3.3 these ranges can have different types, and in order to
detect which one is to create, we need to do lookup at AD LDAP server.
Such lookup requires authenticated bind. We cannot bind as user because
IPA framework operates under constrained delegation using the user's
credentials and allowing HTTP/ipa.server@REALM to impersonate the user
against trusted domain's services would require two major things:
- first, as we don't really know exact AD LDAP server names (any AD DC
can be used), constrained delegation would have to be defined against
a wild-card
- second, constrained delegation requires that target principal exists
in IPA LDAP as DN.
These two together limit use of user's ticket for the purpose of IPA
framework looking up AD LDAP.
Additionally, immediately after trust is established, issuing TGT with
MS-PAC to HTTP/ipa.server@REALM may fail due to the fact that KDB driver
did not yet refreshed its list of trusted domains -- we have limited
refresh rate of 60 seconds by default.
This patch makes possible to force re-initialization of trusted domains'
view in KDB driver if we are asked for TGT for HTTP/ipa.server@REALM.
We will need to improve refresh of trusted domains' view in KDB driver
in future to notice changes in cn=etc,$SUFFIX tree automatically.
This improvement is tracked in https://fedorahosted.org/freeipa/ticket/1302 and
https://fedorahosted.org/freeipa/ticket/3626
Part of https://fedorahosted.org/freeipa/ticket/3649
|
| |
|
|
|
|
|
|
|
|
|
| |
We need KDC hostname for several purposes:
- short-circuit detection of principals on the same server as KDC
- generating NetBIOS name
Make sure we cache hostname information on startup and use it
instead of detecting the hostname in run-time. This will miss the
case that KDC hostname got changed but such cases are not supported
anyway without restarting KDC and making changes to principals.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This patch optimizes options used in commands executed by search pages.
1) Removed --all from _find and _show commands used by search pages. All displayed attributes should be already included in default attributes.
2) Removed search_all_attributes - Not needed since introduction of paging.
3) Added --no-members options to search _show commmands. Members are not displayed on search pages and such change drastically improves performance. It reduces computations on server and amount of data transferred to Web UI.
https://fedorahosted.org/freeipa/ticket/3706
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3706
|
| |
|
|
|
|
|
| |
Fix internal error in idrange-add, caused by a missing 'name' argument of
ValidationError.
https://fedorahosted.org/freeipa/ticket/3781
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3771
|
| |
|
|
|
|
|
| |
IPA uses "ipa" as the "package name" for all translations,
even in the ipa-client package.
https://fedorahosted.org/freeipa/ticket/3695
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3772
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Enables support for trusted domains users for old clients through Schema
Compatibility plugin. SSSD supports trusted domains natively starting with
version 1.9 platform. For platforms that lack SSSD or run older SSSD version
one needs to use this option. When enabled, slapi-nis package needs to
be installed and schema-compat-plugin will be configured to provide lookup of
users and groups from trusted domains via SSSD on IPA server. These users and
groups will be available under cn=users,cn=compat,$SUFFIX and
cn=groups,cn=compat,$SUFFIX trees. SSSD will normalize names of users and
groups to lower case.
In addition to providing these users and groups through the compat tree,
this option enables authentication over LDAP for trusted domain users with DN
under compat tree, i.e. using bind DN uid=administrator@ad.domain,cn=users,cn=compat,$SUFFIX.
This authentication is related to PAM stack using 'system-auth' PAM
service. If you have disabled HBAC rule 'allow_all', then make sure there is
special service called 'system-auth' created and HBAC rule to allow access to
anyone to this rule on IPA masters is added. Please note that system-auth PAM
service is not used directly by any other application, therefore it is safe to
create one specifically to support trusted domain users via compatibility path.
https://fedorahosted.org/freeipa/ticket/3567
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3652
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3652
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3785
|
| |
|
|
|
|
|
|
| |
The LDAP updater prints the initial and final states of an entry, as well
as details on the changes made to attributes. This has the potential to
expose sensitive values so exclude those from logging.
https://fedorahosted.org/freeipa/ticket/3782
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3749
|
| |
|
|
|
|
|
|
|
|
| |
Features of the new policy:
- labels /var/lib/ipa/pki-ca/publish as pki_tomcat_cert_t which is
writeable by PKI and readable by HTTPD
- contains Conflicts with old freeipa-server-selinux package to avoid
SELinux upgrade issues
https://fedorahosted.org/freeipa/ticket/3788
|
| |
|
|
|
|
| |
Also add an option to ipautil.run to redirect command output to /dev/null.
https://fedorahosted.org/freeipa/ticket/3767
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Provides a pluggable framework for generating configuration
scriptlets and instructions for various machine setups and use
cases.
Creates a new ipa-advise command, available to root user
on the IPA server.
Also provides an example configuration plugin,
config-fedora-authconfig.
https://fedorahosted.org/freeipa/ticket/3670
|
| |
|
|
|
|
| |
Documentation: http://www.freeipa.org/page/Web_UI_Integration_Tests
https://fedorahosted.org/freeipa/ticket/3744
|
| |
|
|
|
|
|
|
| |
Host and DNS adder dialogs used span element as container for block elements. It's not valid nor consistent with other forms.
'span' was replaced by 'div'
https://fedorahosted.org/freeipa/ticket/3744
|
| |
|
|
|
|
|
| |
1. add class to active facet instead of using direct style modification for hiding/showing
2. add name attribute to tables and dialog buttons and error dialog
https://fedorahosted.org/freeipa/ticket/3744
|
| |
|
|
|
|
|
|
|
|
|
| |
Spec file modified so that /var/lib/ipa/pki-ca/publish/ is no
longer owned by created with package installation. The directory
is rather created/removed with the CA instance itself.
This ensures proper creation/removeal, group ownership
and SELinux context.
https://fedorahosted.org/freeipa/ticket/3727
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3434
|
