| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
| |
Configure IPA so that topology plugin will manage also CA replication
agreements.
upgrades if CA is congigured:
- ipaca suffix is added to cn=topology,cn=ipa,cn=etc,$SUFFIX
- ipaReplTopoManagedSuffix: o=ipaca is added to master entry
- binddngroup is added to o=ipaca replica entry
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
| |
If the user has already run kinit try to use those credentials.
The user can always override by explicitly passing the -p flag.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
| |
Fixes a number of places where api was not passed around internally.
Also allows to install dns in replica promotion which requires an
alternative api to be created with the right configuration.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch implements a new flag --promote for the ipa-replica-install command
that allows an administrative user to 'promote' an already joined client to
become a full ipa server.
The only credentials used are that of an administrator. This code relies on
ipa-custodia being available on the peer master as well as a number of other
patches to allow a computer account to request certificates for its services.
Therefore this feature is marked to work only with domain level 1 and above
servers.
Ticket: https://fedorahosted.org/freeipa/ticket/2888
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
| |
The DNA plugin needed to be fixed to deal with replica binddn groups.
Version 1.3.4.4 is needed for that.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Add a customized Custodia daemon and enable it after installation.
Generates server keys and loads them in LDAP autonomously on install
or update.
Provides client code classes too.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
| |
fixes a regression introduced during fixing
https://fedorahosted.org/freeipa/ticket/5184
https://fedorahosted.org/freeipa/ticket/5335
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4517
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In beaker lab the situation when master and replica have ip addresses from
different subnets is quite frequent. When a replica has ip from different
subnet than master's, ipa-replica-prepare looks up a proper reverse zone to
add a pointer record, and if it does not find it, it asks a user for permission
to create it automatically. It breaks the tests adding the unexpected input.
The workaround is to always create a reverse zone for a new replica.
Corresponding ticket is https://fedorahosted.org/freeipa/ticket/5306
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
|
|
|
| |
Reviewed-By: Simo Sorce <ssorce@redhat.com>
|
|
|
|
|
|
|
|
| |
StandardError was removed in Python3 and instead
Exception should be used.
Signed-off-by: Robert Kuska <rkuska@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
By adding no_members option to commands which supports it.
It then skips memberof procession on the server side.
https://fedorahosted.org/freeipa/ticket/5271
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Temporarily storing the offset time in an unsigned integer causes the
value of the offset to underflow when a (valid) negative offset value
is generated. Using a signed variable avoids this problem.
https://fedorahosted.org/freeipa/ticket/5333
Reviewed-By: Tomas Babej <tbabej@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Previous patches for this ticket introduced error, that replica install
requires to specify -r, -p and -a option in unattended mode.
This options are not needed on replica side.
https://fedorahosted.org/freeipa/ticket/4517
Reviewed-By: Milan Kubík <mkubik@redhat.com>
|
|
|
|
|
|
|
|
| |
- Add DNSSEC option ipa-replica-install and ipa-server-install man page as well
https://fedorahosted.org/freeipa/ticket/5300
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
|
|
|
| |
Reviewed-By: Milan Kubík <mkubik@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since the names of the external groups containing the migrated users
must be stripped of characters which are not valid for use in group names,
two different groups might be mapped to one during this process.
Properly handle collisions in the names by adding an incremental
numeric suffix.
https://fedorahosted.org/freeipa/ticket/5319
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
During the migration from winsync replicated users to their
trusted identities, memberships are being preserved. However,
trusted users are external and as such cannot be added as
direct members to the IPA entities. External groups which
encapsulate the migrated users are added as members to those
entities instead.
The name of the external group is generated from the type
of the entity and its name. However, the entity's name can
contain characters which are invalid for use in the group
name.
Adds a helper function to convert a given string to a string
which would be valid for such use and leverages it in the
winsync-migrate tool.
https://fedorahosted.org/freeipa/ticket/5319
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/5314
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/5314
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
|
|
|
|
|
|
|
|
| |
This will force recreation of the file-based ccache after IPA restore and
prevent a mismatch between cached and restored Kerberos keys.
https://fedorahosted.org/freeipa/ticket/5296
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
This change makes kdcproxy user creation consistent with DS and CA user
creation. Before, the user was created in the spec file, in %pre scriptlet
of freeipa-server.
https://fedorahosted.org/freeipa/ticket/5314
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Causes nicer error message when kerberos credentials are not available.
https://fedorahosted.org/freeipa/ticket/5272
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Certain subcomponents of IPA, such as Dogtag, cannot function if
non-critical directories (such as log directories) have not been
stored in the backup.
This patch implements storage of selected empty directories,
while preserving attributes and SELinux context.
https://fedorahosted.org/freeipa/ticket/5297
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4517
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4517
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4517
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
|
|
|
|
|
|
|
| |
Instantiate CAInstall only once instead of 3 times in a row always with the
same values.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
|
|
|
|
|
|
|
| |
In the dogtag/ca/kra instances self.domain is never used.
Remove it.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
|
|
|
|
|
|
|
| |
unlimited minvalue
https://fedorahosted.org/freeipa/ticket/4023
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The intended course of action is to show manual configuration in
browserconfig.html instead of configuration with the extension
for versions of Firefox >= 40.
The reasoning is:
* plan for enterprise environments was not published yet which
forces as to use AMO (addons.mozilla.org)
* with AMO the user experience is worse than a manual configuration
steps for AMO:
* go to AMO page
* installed the extension
* go back to IPA page
* probably refresh
* click configure
* confirm
manual config:
* go to about:config
* set network.negotiate-auth.trusted-uris with *domain.name
https://fedorahosted.org/freeipa/ticket/4906
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
|
|
|
|
|
|
| |
addifnew should add value only if entry exists, instead of creating
entry.
Reviewed-By: David Kupka <dkupka@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Limit max age of replication changelog to seven days, instead of grow to
unlimited size.
https://fedorahosted.org/freeipa/ticket/5086
Reviewed-By: David Kupka <dkupka@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/5250
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/5250
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Do not allow vault and container owners to manage owners. Allow adding vaults
and containers only if owner is set to the current user.
https://fedorahosted.org/freeipa/ticket/5250
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
|
|
|
|
|
|
|
|
| |
This reverts commit 419754b1c11139435ae5b5082a51026da0d5e730.
https://fedorahosted.org/freeipa/ticket/5250
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
adds commands:
* vaultcontainer-show [--service <service>|--user <user>|--shared ]
* vaultcontainer-del [--service <service>|--user <user>|--shared ]
* vaultcontainer-add-owner
[--service <service>|--user <user>|--shared ]
[--users <users>] [--groups <groups>] [--services <services>]
* vaultcontainer-remove-owner
[--service <service>|--user <user>|--shared ]
[--users <users>] [--groups <groups>] [--services <services>]
https://fedorahosted.org/freeipa/ticket/5250
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/5250
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
|
|
|
|
| |
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
|
|
|
|
|
|
| |
Under Python 2, "str" and "bytes" are synonyms.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
|
|
|
|
|
|
|
|
|
| |
The six way of doing this is to replace all occurences of "unicode"
with "six.text_type". However, "unicode" is non-ambiguous and
(arguably) easier to read. Also, using it makes the patches smaller,
which should help with backporting.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
|
|
|
|
|
| |
Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
|
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/57
Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
- As Chromium and Chrome share most of the same code base but are
configured in different locations, add a note showing the different
configuration locations.
A part of https://fedorahosted.org/freeipa/ticket/823
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
|
|
|
|
| |
Reviewed-By: Milan Kubík <mkubik@redhat.com>
|
|
|
|
| |
Reviewed-By: Oleg Fayans <ofayans@redhat.com>
|
|
|
|
|
|
| |
Test disabling and re-enabling zone signing.
Reviewed-By: Oleg Fayans <ofayans@redhat.com>
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=1262315
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
|