| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
| |
Ticket: https://fedorahosted.org/freeipa/ticket/4750
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
| |
|
|
|
|
|
| |
wait_for_dns value should be an integer so default value was changed from
False to 0.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
| |
|
|
|
|
|
|
| |
`json.dumps` is not able to process some IPA's object types and therefore requires to preprocess it with `json_encode_binary` call. This step was not used in rpcclient's verbose output.
https://fedorahosted.org/freeipa/ticket/4773
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
After ACI refactoring, admin cannot read Schema Compatibility plugin configuration and therefore migrade-ds won't find if compat plugin is enabled.
Now the check si done by looking if cn=compat subtree is present.
https://fedorahosted.org/freeipa/ticket/4825
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
| |
Ticket: https://fedorahosted.org/freeipa/ticket/4805
Reviewed-By: David Kupka <dkupka@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The new SSSD Requires contains support for following features:
- FreeIPA user ID View overrides (not just AD users)
- User SSH public keys in ID Views
- krb5.conf localauth plugin
https://fedorahosted.org/freeipa/ticket/4685
https://fedorahosted.org/freeipa/ticket/4509
https://fedorahosted.org/freeipa/ticket/4514
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4818
Reviewed-By: Petr Spacek <pspacek@redhat.com>
|
| |
|
|
|
|
|
|
| |
Patch fixes issue, when forwardzones has not been upgraded after adding
replica >=4.0 into topology with IPA 3.x servers.
Ticket: https://fedorahosted.org/freeipa/ticket/4818
Reviewed-By: Petr Spacek <pspacek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
It is not necessary to remove the ccache on upgrades on modern IPA
servers, even if the ccache contains stale data either it is re-initialized by
mod_auth_kerb or a new ccache collection is created (if completely unrelated
credentials were present), at least when using DIR or keyring ccaches.
This line causes wrong SELinux labels to be set in the kernel keyring on
uprades, which the cause the apache server to fail to use th ccache.
https://fedorahosted.org/freeipa/ticket/4815
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
We need to make sure we have a ld context before we can load the
configuration, otherwise ldap APIs will abort crashing the KDC.
If we have an issue connecting to LDAP the lcontext will be NULL, but
we are not checking that condition when we try to refresh the global
configuration.
https://fedorahosted.org/freeipa/ticket/4810
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
This was done previosly but accidentally removed when later with patch for
ticket #3575.
https://fedorahosted.org/freeipa/ticket/4817
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
| |
The plugin to run tests within a class in the order they're defined
in the source was split into a separate project.
Use this project instead of a FreeIPA-specific copy.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
The plugin for BeakerLib integration was split into a separate project.
If BeakerLib integration is desired, python-pytest-beakerlib shoule be
installed separately.
The IPA-specific beakerlib integration only sets up logging to BeakerLib,
if the plugin is active.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4809
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
|
| |
|
|
|
|
|
|
| |
Remove the copy-pate error that used number of required replicas instead.
https://fedorahosted.org/freeipa/ticket/4809
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Multihost object was is not passed to the install method in the super construction.
This fixes setup errors in AD Trust, Forced client reenrollment, CALess and Sudo
tests.
https://fedorahosted.org/freeipa/ticket/4809
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Since passing --hosts= or --hostsgroups= to idview-apply or unapply
commands does not make sense, ignore it.
https://fedorahosted.org/freeipa/ticket/4806
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
When running a idview-apply command, the hosts that were already assigned
the desired view were silently ignored. Make sure such hosts show up in
the list of failed hosts.
https://fedorahosted.org/freeipa/ticket/4743
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4783
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
| |
Due workaroud we accidentaly started to check certificate, which causes
problems during installation.
Ticket: https://fedorahosted.org/freeipa/ticket/4676
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
| |
Reviewed-By: Tomas Babej <tbabej@redhat.com>
|
| |
|
|
| |
Reviewed-By: Tomas Babej <tbabej@redhat.com>
|
| |
|
|
|
|
| |
The testing class no longer has this method.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The core integration testing functionality was split into a separate
project. Use this project, and configure it for FreeIPA.
The "mh" (multihost) fixture is made available for integration tests.
Configuration based on environment variables is moved into a separate
module, to ease eventual deprecation.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
|
| |
|
|
|
|
|
|
| |
This hasn't been used for a number of releases now, as ipa-kdb directly
fetches the key via LDAP.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
SSHFP records added by nsupdate contains extra space (valid), framework
couldn't handle it.
Ticket: https://fedorahosted.org/freeipa/ticket/4790
Ticket: https://fedorahosted.org/freeipa/ticket/4789
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4781
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4781
Reviewed-By: David Kupka <dkupka@redhat.com>
|
| |
|
|
|
|
|
| |
This is just workaround
Ticket: https://fedorahosted.org/freeipa/ticket/4676
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
| |
- Remove ChangeLog from ipa-client/Makefile.am
https://fedorahosted.org/freeipa/ticket/4700
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
The removal, which was done in IPA-3.2, causes replication issues between IPA < 3.2 and IPA 4.1. Because IPA 4.1 adds two more attributes.
https://fedorahosted.org/freeipa/ticket/4794
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4744
Reviewed-By: David Kupka <dkupka@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Always use the full CSR when renewing the IPA CA certificate with Dogtag. The
IPA CA certificate may be issued by an external CA, in which case renewal by
serial number does not make sense and will fail if the IPA CA was initially
installed as a subordinate of an external CA.
https://fedorahosted.org/freeipa/ticket/4784
Reviewed-By: David Kupka <dkupka@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Reset profile name after requesting the CA cert from Dogtag to prevent the
automatic renewal request from being restarted in subsequent calls.
https://fedorahosted.org/freeipa/ticket/4765
Reviewed-By: David Kupka <dkupka@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
There was error in code, masking was executed more times, even it was
succesful
https://fedorahosted.org/freeipa/ticket/4755
Reviewed-By: David Kupka <dkupka@redhat.com>
|
| |
|
|
|
|
|
|
| |
by 66%
https://fedorahosted.org/freeipa/ticket/4792
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
| |
Missed part of field refactoring caused that service could not be unprovisioned.
https://fedorahosted.org/freeipa/ticket/4770
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
In general, TCP is a better fit for FreeIPA due to large packet sizes.
However, there is also a specific need for TCP when using OTP. If a UDP
packet is delivered to the server and the server takes longer to process
it than the client timeout (likely), the OTP value will be resent.
Unfortunately, this will cause failures or even lockouts. Switching to
TCP avoids this problem altogether.
https://fedorahosted.org/freeipa/ticket/4725
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Makes ipaassignedidview a default attribute and takes care about the
conversion from the DN to the proper ID view name.
https://fedorahosted.org/freeipa/ticket/4774
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
| |
This allows the various OTP related commands to be grouped together
in the IPA CLI documentation.
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
This introduces two new CLI commands:
* otpconfig-show
* otpconfig-mod
https://fedorahosted.org/freeipa/ticket/4511
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4780
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
`--hosts` and `--hostgroup` options added to:
* service-allow-create-keytab
* service-allow-retrieve-keytab
* service-disallow-create-keytab
* service-disallow-retrieve-keytab
* host-allow-create-keytab
* host-allow-retrieve-keytab
* host-disallow-create-keytab
* host-disallow-retrieve-keytab
in order to allow hosts to retrieve keytab of their services or related hosts as described on http://www.freeipa.org/page/V4/Keytab_Retrieval design page
https://fedorahosted.org/freeipa/ticket/4777
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Also, ensure that the last token check only executes on DNs/entries that
are tokens. This resolves a large performance issue where a query was
being performed to load all the user's tokens on every del/mod operation.
https://fedorahosted.org/freeipa/ticket/4697
https://fedorahosted.org/freeipa/ticket/4719
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
|
| |
|
|
|
|
|
|
| |
This enables plugins to share authentication configuration cache code.
Additionally, update the caching mechanism to be declarative and faster.
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
|
| |
|
|
|
|
|
|
| |
There are no major changes in this commit other than changing filenames
and symbols to have consistent namespaces. This prepares for larger
changes to come in subsequent commits.
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
For CA certificates that are not certificates of IPA CA, we incorrectly
set the trust flags to ",,", regardless what the actual trust_flags
parameter was passed.
Make the load_cacert method respect trust_flags and make it a required
argument.
https://fedorahosted.org/freeipa/ticket/4779
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
| |
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
- Add in missing 4th default ntp server
- Add iburst to configuration
https://fedorahosted.org/freeipa/ticket/4583
Reviewed-By: David Kupka <dkupka@redhat.com>
|
| |
|
|
|
| |
Ticket: https://fedorahosted.org/freeipa/ticket/4771
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
