summaryrefslogtreecommitdiffstats
path: root/install
Commit message (Collapse)AuthorAgeFilesLines
* Convert ipa-sam to use the new getkeytab controlSimo Sorce2015-12-111-0/+1
| | | | | | Signed-off-by: Simo Sorce <simo@redhat.com> Ticket: https://fedorahosted.org/freeipa/ticket/5495
* Allow to specify Kerberos authz data type per userSimo Sorce2015-12-111-1/+1
| | | | | | | | | | | Like for services setting the ipaKrbAuthzData attribute on a user object will allow us to control exactly what authz data is allowed for that user. Setting NONE would allow no authz data, while setting MS-PAC would allow only Active Directory compatible data. Signed-off-by: Simo Sorce <simo@redhat.com> Ticket: https://fedorahosted.org/freeipa/ticket/2579
* Disable User's ability to use the setkeytab exop.Simo Sorce2015-12-111-0/+1
| | | | | | | | | | | | Users can still obtain a keytab for themselves using the getkeytab exop which does not circumvent password policy checks. Users are disallowed from using setkeytab by default in new installations but not in existing installations (no forced upgrade). Signed-off-by: Simo Sorce <simo@redhat.com> Ticket: https://fedorahosted.org/freeipa/ticket/5485
* Use only AES enctypes by defaultSimo Sorce2015-12-111-2/+0
| | | | | | | | | | Remove des3 and arcfour from the defaults for new installs. NOTE: the ipasam/dcerpc code sill uses arcfour Signed-off-by: Simo Sorce <simo@redhat.com> Ticket: https://fedorahosted.org/freeipa/ticket/4740
* topology: Fix: Make sure the old 'realm' topology suffix is not usedTomas Babej2015-12-091-0/+1
| | | | | | | | | | | | | The old 'realm' topology suffix is no longer used, howver, it was being created on masters with version 4.2.3 and later. Make sure it's properly removed. Note that this is not the case for the 'ipaca' suffix, whic was later removed to 'ca'. https://fedorahosted.org/freeipa/ticket/5526 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* topology: Make sure the old 'realm' topology suffix is not usedTomas Babej2015-12-091-0/+3
| | | | | | | | | | | | | The old 'realm' topology suffix is no longer used, however, it was being created on masters with version 4.2.3 and later. Make sure it's properly removed. Note that this is not the case for the 'ipaca' suffix, which was later removed to 'ca'. https://fedorahosted.org/freeipa/ticket/5526 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* replica promotion: use host credentials when setting up replicationJan Cholasta2015-12-071-1/+0
| | | | | | | | | | | Use the local host credentials rather than the user credentials when setting up replication. The host must be a member of the ipaservers host group. The user credentials are still required for connection check. https://fedorahosted.org/freeipa/ticket/5401 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
* aci: allow members of ipaservers to set up replicationJan Cholasta2015-12-072-0/+26
| | | | | | | | | | | | | | | Add ACIs which allow the members of the ipaservers host group to set up replication. This allows IPA hosts to perform replica promotion on themselves. A number of checks which need read access to certain LDAP entries is done during replica promotion. Add ACIs to allow these checks to be done using any valid IPA host credentials. https://fedorahosted.org/freeipa/ticket/5401 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
* aci: replace per-server ACIs with ipaserver-based ACIsJan Cholasta2015-12-072-17/+12
| | | | | | | https://fedorahosted.org/freeipa/ticket/3416 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
* aci: add IPA servers host group 'ipaservers'Jan Cholasta2015-12-073-0/+25
| | | | | | | https://fedorahosted.org/freeipa/ticket/3416 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
* check whether replica exists before executing the domain level 1 deletion codeMartin Babinsky2015-12-041-7/+11
| | | | | | | | | | | Move this check before the parts that check topology suffix connectivity, wait for removed segments etc. If the hostname does not exist, it should really be one of the first errors user encounters during ipa-replica-manage del. https://fedorahosted.org/freeipa/ticket/5424 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* add '--auto-forwarders' description to server/replica/DNS installer man pagesMartin Babinsky2015-12-043-0/+9
| | | | | | https://fedorahosted.org/freeipa/ticket/5438 Reviewed-By: Martin Basti <mbasti@redhat.com>
* add auto-forwarders option to standalone DNS installerMartin Babinsky2015-12-041-0/+3
| | | | | | https://fedorahosted.org/freeipa/ticket/5438 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Update ipa-(cs)replica-manage man pagesPetr Vobornik2015-12-042-9/+21
| | | | Reviewed-By: Tomas Babej <tbabej@redhat.com>
* man: Update the ipa-replica-install manpage with promotion related infoTomas Babej2015-12-041-12/+57
| | | | | Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Tomas Babej <tbabej@redhat.com>
* rename topology suffixes to "domain" and "ca"Petr Vobornik2015-12-043-6/+6
| | | | | | | https://www.redhat.com/archives/freeipa-devel/2015-November/msg00485.html Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Sync kerberos LDAP schema with upstream.Simo Sorce2015-12-031-2/+12
| | | | | | | | | | All the new attributes are unused for now, but this allows us to keep tailing upstream in case of other useful changes later on. Signed-off-by: Simo Sorce <simo@redhat.com> Ticket: https://fedorahosted.org/freeipa/ticket/2086 Reviewed-By: Martin Basti <mbasti@redhat.com>
* implement domain level 1 specific topology checks into IPA server uninstallerMartin Babinsky2015-12-021-0/+3
| | | | | | | | | | | | | When uninstalling domain level 1 master its removal from topology is checked on remote masters. The uninstaller also checks whether the uninstallation disconnects the topology and if yes aborts the procedure. The '--ignore-disconnected-topology' options skips this check. https://fedorahosted.org/freeipa/ticket/5377 https://fedorahosted.org/freeipa/ticket/5409 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
* extract domain level 1 topology-checking code from ipa-replica-manageMartin Babinsky2015-12-021-97/+11
| | | | | | | | | | This facilitates reusability of this code in other components, e.g. IPA server uninstallers. https://fedorahosted.org/freeipa/ticket/5409 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
* translations: Update ipa.pot fileTomas Babej2015-12-021-2903/+3592
| | | | Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Fixed small typo in stage-user documentationAbhijeet Kasurde2015-12-023-3/+3
| | | | | Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com> Reviewed-By: Tomas Babej <tbabej@redhat.com>
* fix 'iparepltopomanagedsuffix' attribute consumersMartin Babinsky2015-12-012-8/+4
| | | | | | | | | Commit 46ae52569a179f73b1445922f7bac993d598c953 reimplemented reporting of managed topology suffixes in server-find/show commands using membership attributes. This patch fixes consumers of this attribute in ipa-replica-manage command and webui to reflect this change. Reviewed-By: Martin Basti <mbasti@redhat.com>
* change suffices to suffixesPetr Vobornik2015-12-013-39/+39
| | | | Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* ipa-ca-install: error when replica file is passed with domain level > 0Martin Basti2015-11-271-0/+3
| | | | | | | | | | | with replica promotion (domain level > 0) there are no replica files, thus adding replica file as parameter when domain level > 0 should be disallowed. https://fedorahosted.org/freeipa/ticket/5455 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* topology: treat server suffix as multivalued attribute in APIPetr Vobornik2015-11-271-1/+1
| | | | Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* webui: update topology graph after raising domain levelPetr Vobornik2015-11-272-8/+32
| | | | | | | | | | | | When topology graph was shown with domain level == 0, a view describing that domain level needs to be at least 1 was shown. If domain level is raised, this view is then properly replaced by the graph when shown again. https://fedorahosted.org/freeipa/ticket/4286 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* webui: remove segments on topology graph pagePetr Vobornik2015-11-271-2/+81
| | | | | | https://fedorahosted.org/freeipa/ticket/4286 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* webui: add segments on topology graph pagePetr Vobornik2015-11-272-4/+151
| | | | | | https://fedorahosted.org/freeipa/ticket/4286 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* webui: topology graph facetPetr Vobornik2015-11-275-3/+366
| | | | | | https://fedorahosted.org/freeipa/ticket/4286 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* webui: topology graph componentPetr Vobornik2015-11-274-3/+428
| | | | | | https://fedorahosted.org/freeipa/ticket/4286 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* webui: add d3 library - version 3.5.6Petr Vobornik2015-11-274-0/+41
| | | | | | prerequisite for: https://fedorahosted.org/freeipa/ticket/4286 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* webui: allow to update action_state directlyPetr Vobornik2015-11-271-2/+9
| | | | | | prerequisite for: https://fedorahosted.org/freeipa/ticket/4286 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* webui: extract header and action logic from facet to separate mixinsPetr Vobornik2015-11-274-0/+321
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Into: * ActionMixin * HeaderMixin It is supposed to be used as a mixin classes to facet.Facets. In long term it should replace/serve as a base class for facet.facet. e.g: var SomeFacet = declare([Facet, ActionMixin, HeaderMixin], { foo: function() {} }); Then following spec can be used: some_facet_spec = { name: 'some', label: 'Some Facet', tab_label: 'Some Facet', facet_groups: [foo.bar_facet_group], facet_group: 'search', actions: ['refresh'], control_buttons: [ { name: 'refresh', label: '@i18n:buttons.refresh', icon: 'fa-refresh' } ], header_actions: [refresh] }; reg.facet.register({ type: 'some', ctor: SomeFacet, spec: some_facet_spec }); prerequisite for: https://fedorahosted.org/freeipa/ticket/4286 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* webui: split facet header into two classesPetr Vobornik2015-11-272-79/+144
| | | | | | | | | So that facet.simple_facet_header could be used even in pages without entity structure - e.g. future topology graph. prerequisite for: https://fedorahosted.org/freeipa/ticket/4286 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* webui: add Deferred/Promise API to rpc.commandPetr Vobornik2015-11-271-1/+20
| | | | | | | | so that commands could be easily chained prerequisite for: https://fedorahosted.org/freeipa/ticket/4286 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* mod_auth_gssapi: Remove ntlmssp support and restrict mechanism to krb5Christian Heimes2015-11-261-0/+1
| | | | | | | | | | | | | | | | By default mod_auth_gssapi allows all locally available mechanisms. If the gssntlmssp package is installed, it also offers ntlmssp. This has the annoying side effect that some browser will pop up a username/password request dialog if no Krb5 credentials are available. The patch restricts the mechanism to krb5 and removes ntlmssp and iakerb support from Apache's ipa.conf. The new feature was added to mod_auth_gssapi 1.3.0. https://fedorahosted.org/freeipa/ticket/5114 Reviewed-By: Simo Sorce <ssorce@redhat.com>
* install: drop support for Dogtag 9Jan Cholasta2015-11-254-22/+13
| | | | | | | | | | | Dogtag 9 CA and CA DS install and uninstall code was removed. Existing Dogtag 9 CA and CA DS instances are disabled on upgrade. Creating a replica of a Dogtag 9 IPA master is still supported. https://fedorahosted.org/freeipa/ticket/5197 Reviewed-By: David Kupka <dkupka@redhat.com>
* Add profiles and default CA ACL on migrationFraser Tweedale2015-11-243-12/+1
| | | | | | | | | | | | | | | | | | | | Profiles and the default CA ACL were not being added during replica install from pre-4.2 servers. Update ipa-replica-install to add these if they are missing. Also update the caacl plugin to prevent deletion of the default CA ACL and instruct the administrator to disable it instead. To ensure that the cainstance installation can add profiles, supply the RA certificate as part of the instance configuration. Certmonger renewal setup is avoided at this point because the NSSDB gets reinitialised later in installation procedure. Also move the addition of the default CA ACL from dsinstance installation to cainstance installation. Fixes: https://fedorahosted.org/freeipa/ticket/5459 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* cert renewal: make renewal of ipaCert atomicJan Cholasta2015-11-193-1/+23
| | | | | | | | | This prevents errors when renewing other certificates during the renewal of ipaCert. https://fedorahosted.org/freeipa/ticket/5436 Reviewed-By: David Kupka <dkupka@redhat.com>
* BUILD: provide check target in custom MakefilesLukas Slebodnik2015-11-181-0/+2
| | | | | | | | | The automake generated makefiles have already a target check. We need to provide this target also to non-generated Makefiles so we can recursively call make check from top level Makefile Reviewed-By: Martin Basti <mbasti@redhat.com>
* check for disconnected topology and deleted agreements for all sufficesMartin Babinsky2015-11-131-80/+165
| | | | | | | | | | The code in ipa-replica-manage which checks for disconnected topology and deleted agreements during node removal was generalized so that it now performs these checks for all suffixes to which the node belongs. https://fedorahosted.org/freeipa/ticket/5309 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Drop configure.jarMartin Basti2015-11-133-113/+3
| | | | | | | | | Configure.jar used to be used with firefox version < 10 which is not supported anymore, thus this can be removed. https://fedorahosted.org/freeipa/ticket/5144 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* ipa-replica-manage del continues when host does not exist in domain level 1Gabe2015-11-121-1/+7
| | | | | | | | - Raises error and stops operation unless --cleanup is specified. https://fedorahosted.org/freeipa/ticket/5424 Reviewed-By: Martin Basti <mbasti@redhat.com>
* custodia: ipa-upgrade failed on replicaGabe2015-11-051-0/+1
| | | | | | | | - Add 73-custodia.update to install/updates/Makefile.am https://fedorahosted.org/freeipa/ticket/5374 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Incomplete ports for IPA AD TrustGabe2015-11-052-0/+29
| | | | | | | | | - Add subsection to ipa-adtrust-install man page - Update port information in ipa-adtrust-install https://fedorahosted.org/freeipa/ticket/5414 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* fix broken translations after last po updatePetr Vobornik2015-11-024-10/+9
| | | | | Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Update .po filesPetr Vobornik2015-11-0218-172/+3499
| | | | | | https://fedorahosted.org/freeipa/ticket/5427 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipa-csreplica-manage: disable connect/disconnect/del with domain level > 0Martin Basti2015-11-022-8/+31
| | | | | | | | | | * ipa-csreplica-manage {connect|disconnect} - a user should use 'ipa topologysegment-*' commands * ipa-csreplica-manage del - a user should use ipa-replica-manage del https://fedorahosted.org/freeipa/ticket/5405 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Remove 50-lockout-policy.update fileGabe2015-10-302-5/+0
| | | | | | | | | | | | Remove lockout policy update file because all currently supported versions have krbPwdMaxFailure defaulting to 6 and krbPwdLockoutDuration defaulting to 600. Keeping lockout policy update file prevents from creating a more scrict policy in environments subject to regulatory compliance https://fedorahosted.org/freeipa/ticket/5418 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Check early if a CA is already installed locallySimo Sorce2015-10-271-0/+3
| | | | | | | | | | There is no reason to proceed if a CA is already installed, and the check does not involve a lot of setup, so do it early on. Ticket: https://fedorahosted.org/freeipa/ticket/5397 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
generated by cgit (git 2.34.1) at 2025-09-03 05:27:19 +0000