summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Avoid calling ldap functions without a contextwipSimo Sorce2014-12-121-3/+16
| | | | | | | | | | | We need to make sure we have a ld context before we can load the configuration, otherwise ldap APIs will abort crashing the KDC. If we have an issue connecting to LDAP the lcontext will be NULL, but we are not checking that condition when we try to refresh the global configuration. Signed-off-by: Simo Sorce <simo@redhat.com>
* idviews: Ignore host or hostgroup options set to NoneTomas Babej2014-12-121-0/+6
| | | | | | | | | Since passing --hosts= or --hostsgroups= to idview-apply or unapply commands does not make sense, ignore it. https://fedorahosted.org/freeipa/ticket/4806 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* idviews: Complain if host is already assigned the ID View in idview-applyTomas Babej2014-12-121-4/+5
| | | | | | | | | | | When running a idview-apply command, the hosts that were already assigned the desired view were silently ignored. Make sure such hosts show up in the list of failed hosts. https://fedorahosted.org/freeipa/ticket/4743 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Remove dependency on subscription-managerGabe2014-12-111-3/+0
| | | | | | https://fedorahosted.org/freeipa/ticket/4783 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fix don't check certificate during getting CA statusMartin Basti2014-12-111-0/+1
| | | | | | | | Due workaroud we accidentaly started to check certificate, which causes problems during installation. Ticket: https://fedorahosted.org/freeipa/ticket/4676 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipatests: Increase required version for pytest-multihost pluginTomas Babej2014-12-111-1/+1
| | | | Reviewed-By: Tomas Babej <tbabej@redhat.com>
* test_integration: Parametrize test instead of using a generatorPetr Viktorin2014-12-111-12/+11
| | | | Reviewed-By: Tomas Babej <tbabej@redhat.com>
* test_integration: Use collect_log from the host, not the testing classPetr Viktorin2014-12-111-8/+8
| | | | | | The testing class no longer has this method. Reviewed-By: Tomas Babej <tbabej@redhat.com>
* test_integration: Use python-pytest-multihostPetr Viktorin2014-12-1115-1132/+527
| | | | | | | | | | | | The core integration testing functionality was split into a separate project. Use this project, and configure it for FreeIPA. The "mh" (multihost) fixture is made available for integration tests. Configuration based on environment variables is moved into a separate module, to ease eventual deprecation. Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Stop saving the master key in a stash fileSimo Sorce2014-12-111-26/+0
| | | | | | | | This hasn't been used for a number of releases now, as ipa-kdb directly fetches the key via LDAP. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Show SSHFP record containing space in fingerprintMartin Basti2014-12-101-0/+8
| | | | | | | | | SSHFP records added by nsupdate contains extra space (valid), framework couldn't handle it. Ticket: https://fedorahosted.org/freeipa/ticket/4790 Ticket: https://fedorahosted.org/freeipa/ticket/4789 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Refer the user to freeipa.org when something goes wrong in ipa-cacert-manageJan Cholasta2014-12-101-5/+18
| | | | | | | https://fedorahosted.org/freeipa/ticket/4781 Reviewed-By: Martin Kosek <mkosek@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
* Check subject name encoding in ipa-cacert-manage renewJan Cholasta2014-12-101-2/+5
| | | | | | https://fedorahosted.org/freeipa/ticket/4781 Reviewed-By: David Kupka <dkupka@redhat.com>
* Using wget to get status of CAMartin Basti2014-12-104-12/+38
| | | | | | | This is just workaround Ticket: https://fedorahosted.org/freeipa/ticket/4676 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Remove usage of app_PYTHON in ipaserver MakefilesGabe2014-12-103-71/+0
| | | | | | | | - Remove ChangeLog from ipa-client/Makefile.am https://fedorahosted.org/freeipa/ticket/4700 Reviewed-By: Martin Basti <mbasti@redhat.com>
* revert removal of cn attribute from idnsRecordPetr Vobornik2014-12-091-1/+1
| | | | | | | | | The removal, which was done in IPA-3.2, causes replication issues between IPA < 3.2 and IPA 4.1. Because IPA 4.1 adds two more attributes. https://fedorahosted.org/freeipa/ticket/4794 Reviewed-By: Thierry Bordaz <tbordaz@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Improve validation of --instance and --backend options in ipa-restoreJan Cholasta2014-12-093-31/+46
| | | | | | https://fedorahosted.org/freeipa/ticket/4744 Reviewed-By: David Kupka <dkupka@redhat.com>
* Do not renew the IPA CA cert by serial number in dogtag-ipa-ca-renew-agentJan Cholasta2014-12-091-1/+1
| | | | | | | | | | | Always use the full CSR when renewing the IPA CA certificate with Dogtag. The IPA CA certificate may be issued by an external CA, in which case renewal by serial number does not make sense and will fail if the IPA CA was initially installed as a subordinate of an external CA. https://fedorahosted.org/freeipa/ticket/4784 Reviewed-By: David Kupka <dkupka@redhat.com>
* Fix automatic CA cert renewal endless loop in dogtag-ipa-ca-renew-agentJan Cholasta2014-12-091-0/+2
| | | | | | | | | Reset profile name after requesting the CA cert from Dogtag to prevent the automatic renewal request from being restarted in subsequent calls. https://fedorahosted.org/freeipa/ticket/4765 Reviewed-By: David Kupka <dkupka@redhat.com>
* Upgrade fix: masking named should be executed only onceMartin Basti2014-12-091-14/+16
| | | | | | | | | There was error in code, masking was executed more times, even it was succesful https://fedorahosted.org/freeipa/ticket/4755 Reviewed-By: David Kupka <dkupka@redhat.com>
* webui: increase duration of notification messagesPetr Vobornik2014-12-091-1/+1
| | | | | | | | by 66% https://fedorahosted.org/freeipa/ticket/4792 Reviewed-By: Martin Basti <mbasti@redhat.com>
* webui: fix service unprovisioningPetr Vobornik2014-12-091-1/+1
| | | | | | | | Missed part of field refactoring caused that service could not be unprovisioned. https://fedorahosted.org/freeipa/ticket/4770 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Prefer TCP connections to UDP in krb5 clientsNathaniel McCallum2014-12-083-0/+3
| | | | | | | | | | | | | | In general, TCP is a better fit for FreeIPA due to large packet sizes. However, there is also a specific need for TCP when using OTP. If a UDP packet is delivered to the server and the server takes longer to process it than the client timeout (likely), the OTP value will be resent. Unfortunately, this will cause failures or even lockouts. Switching to TCP avoids this problem altogether. https://fedorahosted.org/freeipa/ticket/4725 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* hosts: Display assigned ID view by default in host-find and show commandsTomas Babej2014-12-054-9/+23
| | | | | | | | | | Makes ipaassignedidview a default attribute and takes care about the conversion from the DN to the proper ID view name. https://fedorahosted.org/freeipa/ticket/4774 Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Create an OTP help topicNathaniel McCallum2014-12-053-0/+7
| | | | | | | This allows the various OTP related commands to be grouped together in the IPA CLI documentation. Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Make token auth and sync windows configurableNathaniel McCallum2014-12-0512-153/+361
| | | | | | | | | | | This introduces two new CLI commands: * otpconfig-show * otpconfig-mod https://fedorahosted.org/freeipa/ticket/4511 Reviewed-By: Thierry Bordaz <tbordaz@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* No explicit zone specification.Jan Pazdziora2014-12-051-6/+2
| | | | | | https://fedorahosted.org/freeipa/ticket/4780 Reviewed-By: Martin Basti <mbasti@redhat.com>
* add --hosts and --hostgroup options to allow/retrieve keytab methodsPetr Vobornik2014-12-036-36/+257
| | | | | | | | | | | | | | | | | | `--hosts` and `--hostgroup` options added to: * service-allow-create-keytab * service-allow-retrieve-keytab * service-disallow-create-keytab * service-disallow-retrieve-keytab * host-allow-create-keytab * host-allow-retrieve-keytab * host-disallow-create-keytab * host-disallow-retrieve-keytab in order to allow hosts to retrieve keytab of their services or related hosts as described on http://www.freeipa.org/page/V4/Keytab_Retrieval design page https://fedorahosted.org/freeipa/ticket/4777 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Enable last token deletion when password auth type is configuredNathaniel McCallum2014-12-031-70/+173
| | | | | | | | | | | Also, ensure that the last token check only executes on DNs/entries that are tokens. This resolves a large performance issue where a query was being performed to load all the user's tokens on every del/mod operation. https://fedorahosted.org/freeipa/ticket/4697 https://fedorahosted.org/freeipa/ticket/4719 Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
* Move authentication configuration cache into libotpNathaniel McCallum2014-12-0311-408/+346
| | | | | | | | This enables plugins to share authentication configuration cache code. Additionally, update the caching mechanism to be declarative and faster. Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
* Preliminary refactoring of libotp filesNathaniel McCallum2014-12-0312-101/+90
| | | | | | | | There are no major changes in this commit other than changing filenames and symbols to have consistent namespaces. This prepares for larger changes to come in subsequent commits. Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
* certs: Fix incorrect flag handling in load_cacertTomas Babej2014-12-022-5/+3
| | | | | | | | | | | | | For CA certificates that are not certificates of IPA CA, we incorrectly set the trust flags to ",,", regardless what the actual trust_flags parameter was passed. Make the load_cacert method respect trust_flags and make it a required argument. https://fedorahosted.org/freeipa/ticket/4779 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* fix indentation in ipa-restore pagePetr Vobornik2014-12-021-2/+3
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Update default NTP configurationGabe2014-12-021-1/+2
| | | | | | | | | - Add in missing 4th default ntp server - Add iburst to configuration https://fedorahosted.org/freeipa/ticket/4583 Reviewed-By: David Kupka <dkupka@redhat.com>
* Throw zonemgr error message before installation proceedsMartin Basti2014-12-012-30/+50
| | | | | Ticket: https://fedorahosted.org/freeipa/ticket/4771 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipa-managed-entries requires password with bad passwordGabe2014-11-261-1/+4
| | | | | | | | - Add try/except when trying -p option to catch bad password https://fedorahosted.org/freeipa/ticket/4089 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Use singular in help metavars + update man pages.David Kupka2014-11-268-17/+24
| | | | | | https://fedorahosted.org/freeipa/ticket/4695 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Ignore ipap11helper/setup.py in doctestsPetr Viktorin2014-11-261-0/+1
| | | | | | | | | Pytest imports all modules when running doctests. The setup.py runs code on import, and raises an exception, depending on globa connand-line arguments, so it needs to be ignored. Also, pytest dislikes multiple top-level modules with the same name ("setup" in this case). Again ignoring is the way to go.
* Re-initialize NSS database after otptoken plugin testsTomas Babej2014-11-262-11/+25
| | | | | | | | | | | OTP token tests do not properly reinitialize the NSS db, thus making subsequent xmlrpc tests fail on SSL cert validation. Make sure NSS db is re-initalized in the teardown method. https://fedorahosted.org/freeipa/ticket/4748 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Catch USBError during YubiKey locationNathaniel McCallum2014-11-251-2/+5
| | | | | | https://fedorahosted.org/freeipa/ticket/4693 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Fix zonemgr option encoding detectionMartin Basti2014-11-251-1/+4
| | | | | Ticket: https://fedorahosted.org/freeipa/ticket/4766 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* webui: add radius fields to user pagePetr Vobornik2014-11-251-0/+11
| | | | | | | | add --radius=ID --radius-username=radiusUserName to Web UI https://fedorahosted.org/freeipa/ticket/4686 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Add TLS 1.2 to the protocol list in mod_nss configJan Cholasta2014-11-252-3/+17
| | | | | | https://fedorahosted.org/freeipa/ticket/4653 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* AD trust: improve trust validationAlexander Bokovoy2014-11-251-3/+16
| | | | | | | | | | | | | | | Trust validation requires AD DC to contact IPA server to verify that trust account actually works. It can fail due to DNS or firewall issue or if AD DC was able to resolve IPA master(s) via SRV records, it still may contact a replica that has no trust data replicated yet. In case AD DC still returns 'access denied', wait 5 seconds and try validation again. Repeat validation until we hit a limit of 10 attempts, at which point raise exception telling what's happening. https://fedorahosted.org/freeipa/ticket/4764 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Fix memory leak in GetKeytabControl asn1 codeJan Cholasta2014-11-251-1/+10
| | | | | | https://fedorahosted.org/freeipa/ticket/4713 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fix unchecked return value in krb5 common utilsJan Cholasta2014-11-251-0/+4
| | | | | | https://fedorahosted.org/freeipa/ticket/4713 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fix unchecked return value in ipa-joinJan Cholasta2014-11-251-1/+4
| | | | | | https://fedorahosted.org/freeipa/ticket/4713 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fix unchecked return values in ipa-winsyncJan Cholasta2014-11-251-20/+20
| | | | | | https://fedorahosted.org/freeipa/ticket/4713 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fix unchecked return value in ipa-kdbJan Cholasta2014-11-251-1/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/4713 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fix Kerberos error handling in ipa-samJan Cholasta2014-11-251-1/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/4713 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
generated by cgit (git 2.34.1) at 2025-08-29 08:42:53 +0000