Commit message (Author, Age, Files, Lines)
* CLDAP: Return empty reply on non-fatal errors [my-master] (Simo Sorce, 2013-05-23, 1 file, -6/+18)
  Windows DCs return an empty reply when a legal request cannot be satisfied. If we get EINVAL or ENOENT it means the information requested could not be found or the input parameters were bogus. Always return an empty reply in these cases.
  On any other internal error just return: the request may have been legit, but we can't really handle it right now; pretend we never saw it and hope the next attempt will succeed.
  Fixes: https://fedorahosted.org/freeipa/ticket/3639
  Signed-off-by: Simo Sorce <simo@redhat.com>
* CLDAP: Fix domain handling in netlogon requests (Simo Sorce, 2013-05-23, 1 file, -28/+39)
  1. Stop using getdomainname() as it is often not properly initialized.
  2. The code using getdomainname() was not working anyway: it was trying to look at the function call output in hostname, which is always empty at that point.
  3. Always check that the requested domain matches our own; we cannot reply to anything else anyway.
  Pre-requisite to fix: https://fedorahosted.org/freeipa/ticket/3639
  Signed-off-by: Simo Sorce <simo@redhat.com>
* WIP: Check for account/pw expiration in pre-bind (Simo Sorce, 2013-05-23, 1 file, -4/+53)
  Ensure user accounts are valid and the password is not expired before allowing a password bind.
  TODO: handle returning a control with more detailed information about failures (only if explicitly requested by the client).
* Add Delegation Info to MS-PAC (Simo Sorce, 2013-05-23, 1 file, -2/+160)
* install: Add tool to convert from selfsign to dogtag CA (Simo Sorce, 2013-05-23, 1 file, -0/+305)
* NO-PUSH: TODO and 2.0->3.0 upgrade notes (Simo Sorce, 2013-05-23, 2 files, -0/+22)
* NO-PUSH: silence libtool a bit (Simo Sorce, 2013-05-23, 1 file, -0/+1)
* NOPUSH: suppress make lint for speed (Simo Sorce, 2013-05-23, 1 file, -3/+4)
* Handle DIR type CCACHEs in test_cmdline properly (Martin Kosek, 2013-05-22, 2 files, -2/+2)
  Pass a whole krbV.CCache object to the ldap2 connect() method so that it can properly detect both the type and the name of a CCACHE. Otherwise the test fails on systems with a default DIR type CCACHE.
* Relax getkeytab test to allow additional messages on stderr (Petr Viktorin, 2013-05-22, 1 file, -1/+3)
  https://fedorahosted.org/freeipa/ticket/3633
* ipa-client-install: Add 'debug' and 'show' statements to nsupdate commands (Petr Spacek, 2013-05-22, 1 file, -2/+9)
  https://fedorahosted.org/freeipa/ticket/3629
* Web UI: move ./_base/metadata_provider.js to ./metadata.js (Petr Vobornik, 2013-05-17, 12 files, -15/+18)
  The metadata provider is an IPA-specific object, not a framework object, so it should not be in the _base directory.
  https://fedorahosted.org/freeipa/ticket/3604
* Unite and move facet pre_ops to related modules (Petr Vobornik, 2013-05-17, 4 files, -123/+90)
  Facet pre_ops defined in the ./facet module were moved to the modules where the facets are actually defined. Moved pre_ops were united with the ones defined for the facets in these modules.
  The move simplifies module dependencies: there is no reason to have the general facet module depend on specialized facet modules. Uniting the pre_ops makes the code simpler.
  https://fedorahosted.org/freeipa/ticket/3605
* Move spec modifications from facet factories to pre_ops (Petr Vobornik, 2013-05-17, 6 files, -85/+99)
  Spec modifications in factories make inheritance and extensibility more difficult. Moving them to pre_ops allows modification of their output by other pre_ops.
  https://fedorahosted.org/freeipa/ticket/3605
* Do not display success message on failure in web UI (Ana Krivokapic, 2013-05-17, 5 files, -22/+53)
  https://fedorahosted.org/freeipa/ticket/3591
* Add OTP support to ipa-pwd-extop (Nathaniel McCallum, 2013-05-17, 10 files, -58/+1368)
  During LDAP bind, this plugin now determines if a user is enabled for OTP authentication. If so, then the OTP is validated in addition to the password. This allows 2FA during user binds.
  https://fedorahosted.org/freeipa/ticket/3367
  http://freeipa.org/page/V3/OTP
* Remove unnecessary prefixes from ipa-pwd-extop files (Nathaniel McCallum, 2013-05-17, 5 files, -6/+6)
* Add the krb5/FreeIPA RADIUS companion daemon (Nathaniel McCallum, 2013-05-17, 15 files, -64/+1723)
  This daemon listens for RADIUS packets on a well-known UNIX domain socket. When a packet is received, it queries LDAP to see if the user is configured for RADIUS authentication. If so, then the packet is forwarded to the third-party RADIUS server. Otherwise, a bind is attempted against the LDAP server.
  https://fedorahosted.org/freeipa/ticket/3366
  http://freeipa.org/page/V3/OTP
* ipa-kdb: Add OTP support (Nathaniel McCallum, 2013-05-17, 3 files, -1/+78)
  If OTP is enabled for a user, then:
  1. Long-term keys are not provided to KDB
  2. The user string 'otp' is defined to KDB
  Since it is not secure to send RADIUS configuration information over krb5 user strings, we simply set the string to a known default ('[]'), which enables the default configuration in the KDC.
  https://fedorahosted.org/freeipa/ticket/3561
  http://freeipa.org/page/V3/OTP
* Add IPA OTP schema and ACLs (Nathaniel McCallum, 2013-05-17, 10 files, -10/+97)
  This commit adds schema support for two-factor authentication via OTP devices, including RADIUS or TOTP. This schema will be used by future patches which will enable two-factor authentication directly.
  https://fedorahosted.org/freeipa/ticket/3365
  http://freeipa.org/page/V3/OTP
* Add ipaUserAuthType and ipaUserAuthTypeClass (Nathaniel McCallum, 2013-05-17, 2 files, -0/+6)
  This schema addition will be useful for future commits. It allows us to define permitted external authentication methods on both the user and the global config. The implementation is generic, but the immediate usage is for OTP support.
  https://fedorahosted.org/freeipa/ticket/3365
  http://freeipa.org/page/V3/OTP
* Prompt for nameserver IP address in dnszone-add (Ana Krivokapic, 2013-05-16, 5 files, -0/+161)
  Prompt for nameserver IP address in interactive mode of dnszone-add. Add a corresponding field to the dnszone creation dialog in the web UI.
  This parameter is required if and only if:
  * New zone is a forward zone
  * Nameserver is defined inside the new zone
  Add a new unit test to cover this functionality.
  https://fedorahosted.org/freeipa/ticket/3603
* Remove redundancy from hbactest help text (Tomas Babej, 2013-05-15, 1 file, -2/+2)
  I modified the SID in the second example so that the result corresponds with the 5th example.
  https://fedorahosted.org/freeipa/ticket/3625
* Set KRB5CCNAME so that dirsrv can work with newer krb5-server (Martin Kosek, 2013-05-14, 2 files, -0/+19)
  The DIR ccache format is now the default in krb5-server 1.11.2-4, but /run/user/<uid> isn't created for Apache by anything, so it has no ccache (and it doesn't have SELinux permissions to write here either).
  Use KRB5CCNAME to set a file path instead in /etc/sysconfig/dirsrv.
  https://fedorahosted.org/freeipa/ticket/3628
* Remove leading zero from IPA_NUM_VERSION (Petr Viktorin, 2013-05-14, 2 files, -1/+18)
  The numeric IPA_NUM_VERSION contained a leading zero, so it was treated as an octal value in Python code instead of decimal.
  https://fedorahosted.org/freeipa/ticket/3622
* Fix: HBAC Test tab is missing (Petr Vobornik, 2013-05-14, 1 file, -1/+1)
  Caused by a typo in the metadata provider source path. No metadata -> no HBAC test entity -> no tab
  https://fedorahosted.org/freeipa/ticket/3627
* Bump version for development branch to 3.2.99 (Rob Crittenden, 2013-05-10, 1 file, -1/+1)
* Become 3.2.0 (Rob Crittenden, 2013-05-10, 1 file, -1/+1)
* Fix SASL_NOCANON behavior for LDAPI (Martin Kosek, 2013-05-10, 1 file, -1/+5)
  Add requires for openldap-2.4.35-4 to pick up the fixed SASL_NOCANON behavior for socket-based connections (#960222).
* Update translations from Transifex (Petr Viktorin, 2013-05-09, 17 files, -637/+3597)
* Fix ipa-ca DNS name creation (Martin Kosek, 2013-05-09, 1 file, -6/+10)
  Previous fix (6d06a7e) did not work properly on a CA-less replica with CA-powered master.
  https://fedorahosted.org/freeipa/ticket/3617
* Do not add ipa-ca records on CA-less installs (Martin Kosek, 2013-05-09, 1 file, -1/+1)
  ipa-dns-install crashed when it was run on a CA-less server.
  https://fedorahosted.org/freeipa/ticket/3617
* Set KRB5CCNAME so httpd s4u2proxy can work with newer krb5-server (Rob Crittenden, 2013-05-09, 2 files, -0/+19)
  The DIR ccache format is now the default in krb5-server 1.11.2-4, but /run/user/<uid> isn't created for Apache by anything, so it has no ccache (and it doesn't have SELinux permissions to write here either).
  Use KRB5CCNAME to set a file path instead in /etc/sysconfig/httpd.
  https://fedorahosted.org/freeipa/ticket/3607
* Only require libsss_nss_idmap-python in Fedora 19+ (Petr Viktorin, 2013-05-07, 1 file, -0/+5)
  The package is only available in Fedora 19. This means SID resolution in the UI won't work in Fedora 18.
* Resolve SIDs in Web UI (Alexander Bokovoy, 2013-05-06, 7 files, -6/+142)
  Introduce a new command, 'trust-resolve', to aid resolving SIDs to names in the Web UI. The command uses the new SSSD interface, nss_idmap, to resolve actual SIDs. SSSD caches resolved data so that future requests to resolve the same SIDs are returned from a memory cache.
  Web UI code uses Dojo/Deferred to deliver the result of SID resolution out of band. Once resolved names are available, they replace SID values. Since the Web UI only shows ~20 records per page, up to 20 SIDs are resolved at the same time. They are all sent within a single request to the server.
  https://fedorahosted.org/freeipa/ticket/3302
* Enable standalone facets in menu.add_item (Petr Vobornik, 2013-05-06, 1 file, -14/+14)
  https://fedorahosted.org/freeipa/ticket/3235
* Fix crash on host deletion (Petr Vobornik, 2013-05-06, 1 file, -1/+1)
  https://fedorahosted.org/freeipa/ticket/3235
* Fix crash on ssh key add (Petr Vobornik, 2013-05-06, 1 file, -7/+7)
  https://fedorahosted.org/freeipa/ticket/3235
* Fix WebUI crash when server installed as CA-less (Petr Vobornik, 2013-05-06, 1 file, -0/+2)
  https://fedorahosted.org/freeipa/ticket/3235
* Fix trustconfig specification (Petr Vobornik, 2013-05-06, 4 files, -4/+118)
  https://fedorahosted.org/freeipa/ticket/3235
* Navigation: handle invalid routes (Petr Vobornik, 2013-05-06, 2 files, -11/+69)
  https://fedorahosted.org/freeipa/ticket/3235
* Builder: Singleton_registry: return null when construction spec not available (Petr Vobornik, 2013-05-06, 2 files, -6/+6)
  https://fedorahosted.org/freeipa/ticket/3235
* Fix: make association facets in selfservice readonly (Petr Vobornik, 2013-05-06, 1 file, -7/+7)
  https://fedorahosted.org/freeipa/ticket/3235
* Builder: fix join of pre_ops and post_ops arrays (Petr Vobornik, 2013-05-06, 4 files, -5/+107)
  https://fedorahosted.org/freeipa/ticket/3235
* Do not offer already added members in association dialogs when different casing (Petr Vobornik, 2013-05-06, 1 file, -2/+12)
  https://fedorahosted.org/freeipa/ticket/3235
* Switch customization and registration phase (Petr Vobornik, 2013-05-06, 1 file, -1/+1)
  https://fedorahosted.org/freeipa/ticket/3235
* Generate plugin index dynamically (Petr Vobornik, 2013-05-06, 9 files, -72/+90)
  https://fedorahosted.org/freeipa/ticket/3235
* Remove entities.js, facets.js (Petr Vobornik, 2013-05-06, 2 files, -104/+0)
  https://fedorahosted.org/freeipa/ticket/3235
* Replace ./facets with reg.facet (Petr Vobornik, 2013-05-06, 6 files, -45/+39)
  https://fedorahosted.org/freeipa/ticket/3235
* Fix rule table add/delete button enablement (Petr Vobornik, 2013-05-06, 1 file, -0/+1)
  https://fedorahosted.org/freeipa/ticket/3235