Commit message | Author | Age | Files | Lines
...
* extdom: handle ERANGE return code for getXXYYY_r() calls | Sumit Bose | 2015-03-09 | 7 | -84/+498
  The getXXYYY_r() calls require a buffer to store the variable data of the passwd and group structs. If the provided buffer is too small ERANGE is returned and the caller can try with a larger buffer again.
  Cmocka/cwrap based unit-tests for get*_r_wrapper() are added.
  Resolves https://fedorahosted.org/freeipa/ticket/4908
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add configure check for cwrap libraries | Sumit Bose | 2015-03-09 | 1 | -0/+24
  Currently only nss-wrapper is checked, checks for other cwrap libraries can be added e.g. as
  AM_CHECK_WRAPPER(uid_wrapper, HAVE_UID_WRAPPER)
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Remove unused disable-betxn.ldif file | Martin Basti | 2015-03-09 | 2 | -62/+0
  Reviewed-By: David Kupka <dkupka@redhat.com>
* p11helper: clarify error message | Petr Spacek | 2015-03-06 | 1 | -1/+3
  https://fedorahosted.org/freeipa/ticket/4657
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* p11helper: use sizeof() instead of magic constants | Petr Spacek | 2015-03-06 | 1 | -6/+10
  https://fedorahosted.org/freeipa/ticket/4657
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* p11helper: standardize indentation and other visual aspects of the code | Petr Spacek | 2015-03-06 | 1 | -589/+744
  https://fedorahosted.org/freeipa/ticket/4657
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Remove unused method from ipap11pkcs helper module | Martin Basti | 2015-03-06 | 1 | -51/+0
  Ticket: https://fedorahosted.org/freeipa/ticket/4657
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Fix memory leaks in ipap11helper | Martin Basti | 2015-03-06 | 1 | -117/+194
  Ticket: https://fedorahosted.org/freeipa/ticket/4657
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* DNSSEC add support for CKM_RSA_PKCS_OAEP mechanism | Martin Basti | 2015-03-06 | 1 | -3/+73
  Ticket: https://fedorahosted.org/freeipa/ticket/4657#comment:13
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Limit deadlocks between DS plugin DNA and slapi-nis | root | 2015-03-05 | 1 | -0/+5
  Deadlock can occur if DNA plugin (shared) config and Schema-compat plugin config are updated at the same time. Schema-compat should ignore update on DNA config.
  https://fedorahosted.org/freeipa/ticket/4927
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Restore default.conf and use it to build API. | David Kupka | 2015-03-05 | 1 | -16/+48
  When restoring ipa after uninstallation we need to extract and load configuration of the restored environment.
  https://fedorahosted.org/freeipa/ticket/4896
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Fix uniqueness plugins | Martin Basti | 2015-03-05 | 3 | -127/+48
  * add uniqueness-subtree-entries-oc:posixAccount to ensure idviews users will not be forced to have unique uid
  * remove unneeded update plugins -> update was moved to .update file
  * add uniqueness-across-all-subtrees required by user lifecycle management
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Migrate uniqueness plugins configuration to new style | Martin Basti | 2015-03-05 | 3 | -31/+232
  New configuration style contains options required for user lifecycle management.
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* replica-install: Use different API instance for the remote server | Jan Cholasta | 2015-03-05 | 2 | -157/+133
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ldap2: Use self API instance instead of ipalib.api | Jan Cholasta | 2015-03-05 | 1 | -13/+32
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* advise: Add separate API object for ipa-advise | Jan Cholasta | 2015-03-05 | 5 | -82/+79
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipalib: Move plugin package setup to ipalib-specific API subclass | Jan Cholasta | 2015-03-05 | 2 | -9/+20
  https://fedorahosted.org/freeipa/ticket/3090
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipalib: Allow multiple API instances | Jan Cholasta | 2015-03-05 | 4 | -151/+185
  Merged the Registrar class into the Registry class. Plugins are now registered globally instead of in ipalib.api and are instantiated per-API instance. Different set of plugin base classes can be used in each API instance.
  https://fedorahosted.org/freeipa/ticket/3090
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Use IPA CA certificate when available and ignore NO_TLS_LDAP when not. | David Kupka | 2015-03-05 | 1 | -2/+8
  ipa-client-automount is run after ipa-client-install so the CA certificate should be available. If the certificate is not available and ipadiscovery.ipacheckldap returns NO_TLS_LDAP warn user and try to continue.
  https://fedorahosted.org/freeipa/ticket/4902
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* ipatests: Add tests for valid and invalid ipa-advise | Gabe | 2015-02-26 | 1 | -0/+134
  - Add test for invalid run of the ipa-advise command
  - Add tests for valid runs of the ipa-advise command
  https://fedorahosted.org/freeipa/ticket/4029
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipa-replica-prepare should document ipv6 options | Gabe | 2015-02-26 | 1 | -2/+3
  https://fedorahosted.org/freeipa/ticket/4877
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* webui: service: add ipakrbrequirespreauth checkbox | Petr Vobornik | 2015-02-26 | 1 | -0/+5
  Allow to configure missing krb ticket flag - ipakrbrequirespreauth from Web UI.
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipa-range-check: do not treat missing objects as error | Sumit Bose | 2015-02-24 | 1 | -2/+3
  Currently the range check plugin will return a 'Range Check error' message if a ldapmodify operation tries to change a non-existing object. Since the range check plugin does not need to care about non-existing objects we can just return 0 indicating that the range check plugin has done its work.
  Resolves https://fedorahosted.org/freeipa/ticket/4924
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* idviews: Use case-insensitive detection of Default Trust View | Tomas Babej | 2015-02-23 | 1 | -6/+9
  The usage of lowercased version of 'Default Trust View' can no longer be used to bypass the validation.
  https://fedorahosted.org/freeipa/ticket/4915
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Stop including the DES algorithm from openssl. | Simo Sorce | 2015-02-23 | 2 | -3/+2
  Since we dropped support for LANMAN hashes we do not need DES from OpenSSL anymore. Stop including and testing for it. Test for the MD4 algorithm instead which is still used for the NT Hashes.
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* Add a clear OpenSSL exception. | Simo Sorce | 2015-02-23 | 3 | -0/+23
  We are linking with OpenSSL in 2 files, so make it clear we intentionally add a GPLv3 exception to allow that linking by third parties.
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* Remove references to GPL v2.0 license | Martin Kosek | 2015-02-20 | 3 | -94/+30
  All FreeIPA original code should be licensed to GPL v3+ license, update the respective files:
  - daemons/ipa-slapi-plugins/ipa-dns/ipa_dns.c
  Remove GPL v2.0 license files from LDIFs or template to keep consistency.
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* ipalib: Make sure correct attribute name is referenced for fax | Tomas Babej | 2015-02-19 | 2 | -2/+2
  Fixes the invalid attribute name reference in the 'System: Read User Addressbook Attributes' permission.
  https://fedorahosted.org/freeipa/ticket/4883
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipatests: Add coverage for adding and removing sshpubkeys in ID overrides | Tomas Babej | 2015-02-19 | 1 | -0/+61
  Adds xmlrpc tests for:
  - Adding a user ID override with sshpubkey
  - Modifying a user ID override to contain sshpubkey
  - Removing a sshpubkey value from a user ID override
  https://fedorahosted.org/freeipa/ticket/4868
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* ipatests: add missing ssh object classes to idoverrideuser | Petr Vobornik | 2015-02-19 | 1 | -0/+2
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Changing the token owner changes also the manager | Martin Babinsky | 2015-02-18 | 1 | -0/+13
  This works if the change is made to a token which is owned and managed by the same person. The new owner then automatically becomes token's manager unless the attribute 'managedBy' is explicitly set otherwise.
  https://fedorahosted.org/freeipa/ticket/4681
  Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* group-detach does not add correct objectclasses | Martin Kosek | 2015-02-18 | 1 | -0/+1
  https://fedorahosted.org/freeipa/ticket/4874
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Fix saving named restore status | Martin Basti | 2015-02-18 | 1 | -2/+4
  Accidentally status was stored after service was stopped by installer
  Ticket: https://fedorahosted.org/freeipa/ticket/4869
  Reviewed-By: David Kupka <dkupka@redhat.com>
* Uninstall configured services only | Martin Basti | 2015-02-18 | 2 | -6/+14
  Fixes:
  dnskeysyncinstance - requires a stored state to be uninstalled
  bindinstance - uninstall service only if bind was configured by IPA
  Ticket: https://fedorahosted.org/freeipa/ticket/4869
  Reviewed-By: David Kupka <dkupka@redhat.com>
* Fix do not enable service before storing status | Martin Basti | 2015-02-18 | 1 | -1/+0
  Ticket: https://fedorahosted.org/freeipa/ticket/4869
  Reviewed-By: David Kupka <dkupka@redhat.com>
* Fix restoring services status during uninstall | Martin Basti | 2015-02-18 | 10 | -60/+58
  Services haven't been restored correctly, which causes disabling already disabled services, or some service did not start. This patch fixes these issues.
  Ticket: https://fedorahosted.org/freeipa/ticket/4869
  Reviewed-By: David Kupka <dkupka@redhat.com>
* Fix TOTP Synchronization Window label | Petr Vobornik | 2015-02-17 | 1 | -1/+1
  Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* permission-add does not prompt for ipapermright in interactive mode | Gabe | 2015-02-16 | 3 | -3/+4
  - Add flag "ask_create" to ipalib/plugins/permission.py
  - Bump API version
  https://fedorahosted.org/freeipa/ticket/4872
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* migrate-ds: exit with error message if no users/groups to migrate are found | Martin Babinsky | 2015-02-16 | 1 | -0/+6
  'ipa migrate-ds' will now exit with error message if no suitable users/groups are found on LDAP server during migration.
  https://fedorahosted.org/freeipa/ticket/4846
  Reviewed-By: David Kupka <dkupka@redhat.com>
* ipa-kdb: reject principals from disabled domains as a KDC policy | Alexander Bokovoy | 2015-02-16 | 1 | -1/+1
  Fixes https://fedorahosted.org/freeipa/ticket/4788
  Reviewed-By: Sumit Bose <sbose@redhat.com>
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* ipa-kdb: when processing transitions, hand over unknown ones to KDC | Alexander Bokovoy | 2015-02-16 | 1 | -1/+2
  When processing cross-realm trust transitions, let the KDC handle those we don't know about. Admins might define the transitions as explicit [capaths] in krb5.conf.
  https://fedorahosted.org/freeipa/ticket/4791
  Reviewed-By: Sumit Bose <sbose@redhat.com>
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* Handle DAL ABI change in MIT 1.13 | Simo Sorce | 2015-02-13 | 2 | -0/+14
  In this new MIT version the DAL interface changes slightly but KRB5_KDB_DAL_MAJOR_VERSION was not changed. Luckily KRB5_KDB_API_VERSION did change and that's enough to know what to compile in.
  Resolves: https://fedorahosted.org/freeipa/ticket/4861
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fix warning message on client side | Martin Basti | 2015-02-13 | 1 | -1/+3
  Add message about only on server side.
  https://fedorahosted.org/freeipa/ticket/4793
  Reviewed-By: David Kupka <dkupka@redhat.com>
* Prevent install scripts fail silently if timeout exceeded | Martin Basti | 2015-02-12 | 1 | -1/+1
  socket.timeout() exceptions need description, otherwise no error message is printed on console.
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Expose the disabled User Auth Type | Nathaniel McCallum | 2015-02-12 | 7 | -10/+14
  Additionally, fix a small bug in ipa-kdb so that the disabled User Auth Type is properly handled.
  https://fedorahosted.org/freeipa/ticket/4720
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Bump 389-ds-base and pki-ca dependencies for POODLE fixes | Jan Cholasta | 2015-02-10 | 1 | -4/+4
  https://fedorahosted.org/freeipa/ticket/4653
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Fix reference counting in pkcs11 extension | Martin Basti | 2015-02-10 | 1 | -28/+25
  * removed unneeded reference increment
  * added increment of Py_None
  Part of ticket: https://fedorahosted.org/freeipa/ticket/4657
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipa-client-install: put eol character after the last line of altered config file(s) | Martin Babinsky | 2015-02-10 | 1 | -0/+3
  https://fedorahosted.org/freeipa/ticket/4864
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Typos in ipa-rmkeytab options help and man page | Gabe | 2015-02-10 | 2 | -3/+3
  https://fedorahosted.org/freeipa/ticket/4890
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* OTP: emit a log message when LDAP entry for config record is not found | Martin Babinsky | 2015-01-30 | 2 | -2/+13
  This patch proposes a fix to the following defect found by covscan of FreeIPA master code:
  """
  Error: CHECKED_RETURN (CWE-252):
  /daemons/ipa-slapi-plugins/libotp/otp_config.c:239: check_return: Calling "slapi_search_internal_get_entry" without checking return value (as is done elsewhere 14 out of 16 times).
  /daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c:402: example_checked: Example 1: "slapi_search_internal_get_entry(sdn, NULL, &config_entry, ipaenrollment_plugin_id)" has its value checked in "(rc = slapi_search_internal_get_entry(sdn, NULL, &config_entry, ipaenrollment_plugin_id)) != 0".
  /daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c:207: example_assign: Example 2: Assigning: "ret" = return value from "slapi_search_internal_get_entry(sdn, NULL, &config_entry, getPluginID())".
  /daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c:212: example_checked: Example 2 (cont.): "ret" has its value checked in "ret".
  /daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c:651: example_assign: Example 3: Assigning: "search_result" = return value from "slapi_search_internal_get_entry(sdn, attrlist, e2, ipapwd_plugin_id)".
  /daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c:653: example_checked: Example 3 (cont.): "search_result" has its value checked in "search_result != 0".
  /daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c:1035: example_assign: Example 4: Assigning: "ret" = return value from "slapi_search_internal_get_entry(tmp_dn, NULL, &pwdop->pwdata.target, ipapwd_plugin_id)".
  /daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c:1039: example_checked: Example 4 (cont.): "ret" has its value checked in "ret != 0".
  /daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:817: example_assign: Example 5: Assigning: "ret" = return value from "slapi_search_internal_get_entry(tmp_dn, NULL, &e, getPluginID())".
  /daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:820: example_checked: Example 5 (cont.): "ret" has its value checked in "ret == 10".
  """
  The patch is a part of series related to https://fedorahosted.org/freeipa/ticket/4795
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>