path: root/install
Commit message | Author | Age | Files | Lines
...
* Bump ipa.conf version to 17. | David Kupka | 2015-03-30 | 1 | -1/+1
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* Use mod_auth_gssapi instead of mod_auth_kerb. | David Kupka | 2015-03-30 | 1 | -11/+5
  https://fedorahosted.org/freeipa/ticket/4190
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* Remove unused part of ipa.conf. | David Kupka | 2015-03-30 | 1 | -15/+0
  Separate configuration of '/var/www/cgi-bin' is no longer needed, legacy from IPA 1.0.
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* Server Upgrade: remove --test option | Martin Basti | 2015-03-19 | 1 | -5/+0
  As --test option is not used for developing, and it is not recommended to test if upgrade will pass, this patch removes it completely.
  https://fedorahosted.org/freeipa/ticket/3448
  Reviewed-By: David Kupka <dkupka@redhat.com>
* ipa-dns-install: use LDAPI to connect to DS | Martin Babinsky | 2015-03-18 | 2 | -39/+24
  ipa-dns-install now uses LDAPI/autobind to connect to DS during the setup of DNS/DNSSEC-related service and thus makes -p option obsolete. Furthermore, now it makes more sense to use LDAPI also for API Backend connections to DS and thus all forms of Kerberos auth were removed.
  This fixes https://fedorahosted.org/freeipa/ticket/4933 and brings us closer to fixing https://fedorahosted.org/freeipa/ticket/2957
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* ipa-dns-install: use STARTTLS to connect to DS | Martin Babinsky | 2015-03-18 | 1 | -4/+8
  BindInstance et al. now use STARTTLS to set up secure connection to DS during ipa-dns-install.
  This fixes https://fedorahosted.org/freeipa/ticket/4933
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* ipa-replica-prepare can only be created on the first master | Gabe | 2015-03-13 | 1 | -2/+4
  https://fedorahosted.org/freeipa/ticket/4944
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Remove unused disable-betxn.ldif file | Martin Basti | 2015-03-09 | 2 | -62/+0
  Reviewed-By: David Kupka <dkupka@redhat.com>
* Limit deadlocks between DS plugin DNA and slapi-nis | root | 2015-03-05 | 1 | -0/+5
  Deadlock can occur if DNA plugin (shared) config and Schema-compat plugin config are updated at the same time. Schema-compat should ignore update on DNA config.
  https://fedorahosted.org/freeipa/ticket/4927
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Fix uniqueness plugins | Martin Basti | 2015-03-05 | 2 | -36/+48
  * add uniqueness-subtree-entries-oc:posixAccount to ensure idviews users will not be forced to have unique uid
  * remove unneeded update plugins -> update was moved to .update file
  * add uniqueness-across-all-subtrees required by user lifecycle management
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Migrate uniqueness plugins configuration to new style | Martin Basti | 2015-03-05 | 2 | -30/+30
  New configuration style contains options required for user lifecycle management.
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* replica-install: Use different API instance for the remote server | Jan Cholasta | 2015-03-05 | 1 | -131/+106
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipa-replica-prepare should document ipv6 options | Gabe | 2015-02-26 | 1 | -2/+3
  https://fedorahosted.org/freeipa/ticket/4877
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* webui: service: add ipakrbrequirespreauth checkbox | Petr Vobornik | 2015-02-26 | 1 | -0/+5
  Allow to configure missing krb ticket flag - ipakrbrequirespreauth from Web UI.
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Remove references to GPL v2.0 license | Martin Kosek | 2015-02-20 | 2 | -82/+0
  All FreeIPA original code should be licensed to GPL v3+ license, update the respective files:
  - daemons/ipa-slapi-plugins/ipa-dns/ipa_dns.c
  Remove GPL v2.0 license files from LDIFs or template to keep consistency.
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* Uninstall configured services only | Martin Basti | 2015-02-18 | 1 | -2/+8
  Fixes:
  dnskeysyncisntance - requires a stored state to be uninstalled
  bindinstance - uninstall service only if bind was configured by IPA
  Ticket: https://fedorahosted.org/freeipa/ticket/4869
  Reviewed-By: David Kupka <dkupka@redhat.com>
* Expose the disabled User Auth Type | Nathaniel McCallum | 2015-02-12 | 2 | -0/+2
  Additionally, fix a small bug in ipa-kdb so that the disabled User Auth Type is properly handled.
  https://fedorahosted.org/freeipa/ticket/4720
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Use 'remove-ds.pl' to remove DS instance | Martin Babinsky | 2015-01-27 | 1 | -1/+5
  The patch adds a function which calls 'remove-ds.pl' during DS instance removal. This should allow for a more thorough removal of DS related data during server uninstallation (such as closing custom ports, cleaning up slapd-* entries etc.)
  This patch is related to https://fedorahosted.org/freeipa/ticket/4487.
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Revert "Make all ipatokenTOTP attributes mandatory" | Jan Cholasta | 2015-01-21 | 1 | -1/+1
  This prevents schema replication conflicts which cause replication failures with older versions of IPA. Details in https://bugzilla.redhat.com/show_bug.cgi?id=1176995#c7
  This reverts commit adcd373931c50d91550f6b74b191d08ecce5b137.
  https://fedorahosted.org/freeipa/ticket/4833
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Replication Administrators cannot remove replication agreements | Martin Kosek | 2015-01-20 | 1 | -0/+11
  Replication agreement deletion requires read access to DNA range setting. The read access was accidentally removed during PermissionV2 refactoring. Add the read ACI back as a special SYSTEM permission.
  https://fedorahosted.org/freeipa/ticket/4848
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Allow Replication Administrators manipulate Winsync Agreements | Martin Kosek | 2015-01-19 | 2 | -1/+24
  Replication Administrators members were not able to set up changelog5 entry in cn=config or list winsync agreements.
  To allow reading winsync replicas, the original deny ACI cn=replica had to be removed as it prevented admins from reading the entries, but just anonymous/authenticated users.
  https://fedorahosted.org/freeipa/ticket/4836
  Reviewed-By: David Kupka <dkupka@redhat.com>
* Allow PassSync user to locate and update NT users | Martin Kosek | 2015-01-19 | 1 | -0/+30
  Add new PassSync Service privilege that has sufficient access to let AD PassSync service search for NT users and update the password. To make sure existing PassSync user keeps working, it is added as a member of the new privilege.
  New update plugin is added to add link to the new privilege to the potentially existing PassSync user to avoid breaking the PassSync service.
  https://fedorahosted.org/freeipa/ticket/4837
  Reviewed-By: David Kupka <dkupka@redhat.com>
* Fix validation of ipa-restore options | Jan Cholasta | 2015-01-14 | 1 | -4/+4
  Fix restore mode checks. Do some of the existing checks earlier to make them effective. Check if --instance and --backend exist both in the filesystem and in the backup.
  Log backup type and restore mode before performing restore.
  Update ipa-restore man page.
  https://fedorahosted.org/freeipa/ticket/4797
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Make certificate renewal process synchronized | Jan Cholasta | 2015-01-13 | 9 | -6/+102
  Synchronization is achieved using a global renewal lock.
  https://fedorahosted.org/freeipa/ticket/4803
  Reviewed-By: David Kupka <dkupka@redhat.com>
* Restart dogtag when its server certificate is renewed | Jan Cholasta | 2015-01-13 | 1 | -3/+3
  https://fedorahosted.org/freeipa/ticket/4803
  Reviewed-By: David Kupka <dkupka@redhat.com>
* Fix CA certificate renewal syslog alert | Jan Cholasta | 2015-01-13 | 1 | -1/+1
  https://fedorahosted.org/freeipa/ticket/4820
  Reviewed-By: David Kupka <dkupka@redhat.com>
* Fix: Upgrade forwardzones zones after adding newer replica | Martin Basti | 2015-01-09 | 2 | -0/+3
  Patch fixes issue, when forwardzones has not been upgraded after adding replica >=4.0 into topology with IPA 3.x servers.
  Ticket: https://fedorahosted.org/freeipa/ticket/4818
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Remove the removal of the ccache | Simo Sorce | 2015-01-08 | 1 | -1/+0
  It is not necessary to remove the ccache on upgrades on modern IPA servers, even if the ccache contains stale data either it is re-initialized by mod_auth_kerb or a new ccache collection is created (if completely unrelated credentials were present), at least when using DIR or keyring ccaches.
  This line causes wrong SELinux labels to be set in the kernel keyring on upgrades, which then cause the apache server to fail to use the ccache.
  https://fedorahosted.org/freeipa/ticket/4815
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Using wget to get status of CA | Martin Basti | 2014-12-10 | 1 | -4/+0
  This is just workaround
  Ticket: https://fedorahosted.org/freeipa/ticket/4676
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* revert removal of cn attribute from idnsRecord | Petr Vobornik | 2014-12-09 | 1 | -1/+1
  The removal, which was done in IPA-3.2, causes replication issues between IPA < 3.2 and IPA 4.1. Because IPA 4.1 adds two more attributes.
  https://fedorahosted.org/freeipa/ticket/4794
  Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Do not renew the IPA CA cert by serial number in dogtag-ipa-ca-renew-agent | Jan Cholasta | 2014-12-09 | 1 | -1/+1
  Always use the full CSR when renewing the IPA CA certificate with Dogtag. The IPA CA certificate may be issued by an external CA, in which case renewal by serial number does not make sense and will fail if the IPA CA was initially installed as a subordinate of an external CA.
  https://fedorahosted.org/freeipa/ticket/4784
  Reviewed-By: David Kupka <dkupka@redhat.com>
* Fix automatic CA cert renewal endless loop in dogtag-ipa-ca-renew-agent | Jan Cholasta | 2014-12-09 | 1 | -0/+2
  Reset profile name after requesting the CA cert from Dogtag to prevent the automatic renewal request from being restarted in subsequent calls.
  https://fedorahosted.org/freeipa/ticket/4765
  Reviewed-By: David Kupka <dkupka@redhat.com>
* Upgrade fix: masking named should be executed only once | Martin Basti | 2014-12-09 | 1 | -14/+16
  There was error in code, masking was executed more times, even it was successful
  https://fedorahosted.org/freeipa/ticket/4755
  Reviewed-By: David Kupka <dkupka@redhat.com>
* webui: increase duration of notification messages | Petr Vobornik | 2014-12-09 | 1 | -1/+1
  by 66%
  https://fedorahosted.org/freeipa/ticket/4792
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* webui: fix service unprovisioning | Petr Vobornik | 2014-12-09 | 1 | -1/+1
  Missed part of field refactoring caused that service could not be unprovisioned.
  https://fedorahosted.org/freeipa/ticket/4770
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Prefer TCP connections to UDP in krb5 clients | Nathaniel McCallum | 2014-12-08 | 2 | -0/+2
  In general, TCP is a better fit for FreeIPA due to large packet sizes. However, there is also a specific need for TCP when using OTP. If a UDP packet is delivered to the server and the server takes longer to process it than the client timeout (likely), the OTP value will be resent. Unfortunately, this will cause failures or even lockouts. Switching to TCP avoids this problem altogether.
  https://fedorahosted.org/freeipa/ticket/4725
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* hosts: Display assigned ID view by default in host-find and show commands | Tomas Babej | 2014-12-05 | 1 | -1/+0
  Makes ipaassignedidview a default attribute and takes care about the conversion from the DN to the proper ID view name.
  https://fedorahosted.org/freeipa/ticket/4774
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Make token auth and sync windows configurable | Nathaniel McCallum | 2014-12-05 | 2 | -0/+14
  This introduces two new CLI commands:
  * otpconfig-show
  * otpconfig-mod
  https://fedorahosted.org/freeipa/ticket/4511
  Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* fix indentation in ipa-restore page | Petr Vobornik | 2014-12-02 | 1 | -2/+3
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipa-managed-entries requires password with bad password | Gabe | 2014-11-26 | 1 | -1/+4
  - Add try/except when trying -p option to catch bad password
  https://fedorahosted.org/freeipa/ticket/4089
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Use singular in help metavars + update man pages. | David Kupka | 2014-11-26 | 7 | -13/+20
  https://fedorahosted.org/freeipa/ticket/4695
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* webui: add radius fields to user page | Petr Vobornik | 2014-11-25 | 1 | -0/+11
  add --radius=ID --radius-username=radiusUserName to Web UI
  https://fedorahosted.org/freeipa/ticket/4686
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Add TLS 1.2 to the protocol list in mod_nss config | Jan Cholasta | 2014-11-25 | 1 | -0/+13
  https://fedorahosted.org/freeipa/ticket/4653
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* copy_schema_to_ca: Fallback to old import location for ipaplatform.services | Petr Viktorin | 2014-11-25 | 1 | -1/+5
  This file is copied to older servers that might not have the ipaplatform refactoring. Import from the old location if the new one is not available.
  https://fedorahosted.org/freeipa/ticket/4763
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* webui: normalize idview tab labels | Petr Vobornik | 2014-11-24 | 1 | -3/+3
  ID View tab labels are no longer redundant.
  https://fedorahosted.org/freeipa/ticket/4650
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* webui: use domain name instead of domain SID in idrange adder dialog | Petr Vobornik | 2014-11-24 | 1 | -9/+7
  It's more user friendly. Almost nobody remembers SIDs.
  https://fedorahosted.org/freeipa/ticket/4661
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* webui: fix potential XSS vulnerabilities | Petr Vobornik | 2014-11-20 | 5 | -10/+13
  Escape user defined text to prevent XSS attacks. Extra precaution was taken to escape also parts which are unlikely to contain user-defined text.
  fixes CVE-2014-7850
  https://fedorahosted.org/freeipa/ticket/4742
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Show warning instead of error if CA did not start | Martin Basti | 2014-11-20 | 1 | -0/+4
  This is just workaround, checking if CA is working raises false positive exception during upgrade
  Ticket: https://fedorahosted.org/freeipa/ticket/4676
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* Fix wrong expiration date on renewed IPA CA certificates | Jan Cholasta | 2014-11-19 | 1 | -0/+2
  The expiration date was always set to the expiration date of the original certificate.
  https://fedorahosted.org/freeipa/ticket/4717
  Reviewed-By: David Kupka <dkupka@redhat.com>
* Fix named working directory permissions | Martin Basti | 2014-11-18 | 1 | -0/+14
  Just adding dir to specfile doesn't work, because is not guarantee the named is installed, during RPM installation.
  Ticket: https://fedorahosted.org/freeipa/ticket/4716
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>