path: root/install
Commit message | Author | Age | Files | Lines
* Using wget to get status of CA | Martin Basti | 2014-12-10 | 1 | -4/+0
| This is just a workaround
| Ticket: https://fedorahosted.org/freeipa/ticket/4676
| Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* revert removal of cn attribute from idnsRecord | Petr Vobornik | 2014-12-09 | 1 | -1/+1
| The removal, which was done in IPA-3.2, causes replication issues between IPA < 3.2 and IPA 4.1. Because IPA 4.1 adds two more attributes.
| https://fedorahosted.org/freeipa/ticket/4794
| Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
| Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Do not renew the IPA CA cert by serial number in dogtag-ipa-ca-renew-agent | Jan Cholasta | 2014-12-09 | 1 | -1/+1
| Always use the full CSR when renewing the IPA CA certificate with Dogtag.
| The IPA CA certificate may be issued by an external CA, in which case renewal by serial number does not make sense and will fail if the IPA CA was initially installed as a subordinate of an external CA.
| https://fedorahosted.org/freeipa/ticket/4784
| Reviewed-By: David Kupka <dkupka@redhat.com>
* Fix automatic CA cert renewal endless loop in dogtag-ipa-ca-renew-agent | Jan Cholasta | 2014-12-09 | 1 | -0/+2
| Reset profile name after requesting the CA cert from Dogtag to prevent the automatic renewal request from being restarted in subsequent calls.
| https://fedorahosted.org/freeipa/ticket/4765
| Reviewed-By: David Kupka <dkupka@redhat.com>
* Upgrade fix: masking named should be executed only once | Martin Basti | 2014-12-09 | 1 | -14/+16
| There was an error in the code: masking was executed multiple times, even if it was successful
| https://fedorahosted.org/freeipa/ticket/4755
| Reviewed-By: David Kupka <dkupka@redhat.com>
* webui: increase duration of notification messages | Petr Vobornik | 2014-12-09 | 1 | -1/+1
| by 66%
| https://fedorahosted.org/freeipa/ticket/4792
| Reviewed-By: Martin Basti <mbasti@redhat.com>
* webui: fix service unprovisioning | Petr Vobornik | 2014-12-09 | 1 | -1/+1
| A missed part of the field refactoring meant that a service could not be unprovisioned.
| https://fedorahosted.org/freeipa/ticket/4770
| Reviewed-By: Martin Basti <mbasti@redhat.com>
* Prefer TCP connections to UDP in krb5 clients | Nathaniel McCallum | 2014-12-08 | 2 | -0/+2
| In general, TCP is a better fit for FreeIPA due to large packet sizes. However, there is also a specific need for TCP when using OTP. If a UDP packet is delivered to the server and the server takes longer to process it than the client timeout (likely), the OTP value will be resent. Unfortunately, this will cause failures or even lockouts. Switching to TCP avoids this problem altogether.
| https://fedorahosted.org/freeipa/ticket/4725
| Reviewed-By: Martin Kosek <mkosek@redhat.com>
* hosts: Display assigned ID view by default in host-find and show commands | Tomas Babej | 2014-12-05 | 1 | -1/+0
| Makes ipaassignedidview a default attribute and takes care of the conversion from the DN to the proper ID view name.
| https://fedorahosted.org/freeipa/ticket/4774
| Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
| Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Make token auth and sync windows configurable | Nathaniel McCallum | 2014-12-05 | 2 | -0/+14
| This introduces two new CLI commands:
|   * otpconfig-show
|   * otpconfig-mod
| https://fedorahosted.org/freeipa/ticket/4511
| Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
| Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* fix indentation in ipa-restore page | Petr Vobornik | 2014-12-02 | 1 | -2/+3
| Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipa-managed-entries requires password with bad password | Gabe | 2014-11-26 | 1 | -1/+4
| - Add try/except when trying -p option to catch bad password
| https://fedorahosted.org/freeipa/ticket/4089
| Reviewed-By: Martin Basti <mbasti@redhat.com>
* Use singular in help metavars + update man pages. | David Kupka | 2014-11-26 | 7 | -13/+20
| https://fedorahosted.org/freeipa/ticket/4695
| Reviewed-By: Martin Basti <mbasti@redhat.com>
* webui: add radius fields to user page | Petr Vobornik | 2014-11-25 | 1 | -0/+11
| add --radius=ID --radius-username=radiusUserName to Web UI
| https://fedorahosted.org/freeipa/ticket/4686
| Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Add TLS 1.2 to the protocol list in mod_nss config | Jan Cholasta | 2014-11-25 | 1 | -0/+13
| https://fedorahosted.org/freeipa/ticket/4653
| Reviewed-By: Martin Kosek <mkosek@redhat.com>
* copy_schema_to_ca: Fallback to old import location for ipaplatform.services | Petr Viktorin | 2014-11-25 | 1 | -1/+5
| This file is copied to older servers that might not have the ipaplatform refactoring. Import from the old location if the new one is not available.
| https://fedorahosted.org/freeipa/ticket/4763
| Reviewed-By: Tomas Babej <tbabej@redhat.com>
* webui: normalize idview tab labels | Petr Vobornik | 2014-11-24 | 1 | -3/+3
| ID View tab labels are no longer redundant.
| https://fedorahosted.org/freeipa/ticket/4650
| Reviewed-By: Tomas Babej <tbabej@redhat.com>
* webui: use domain name instead of domain SID in idrange adder dialog | Petr Vobornik | 2014-11-24 | 1 | -9/+7
| It's more user friendly. Almost nobody remembers SIDs.
| https://fedorahosted.org/freeipa/ticket/4661
| Reviewed-By: Tomas Babej <tbabej@redhat.com>
* webui: fix potential XSS vulnerabilities | Petr Vobornik | 2014-11-20 | 5 | -10/+13
| Escape user defined text to prevent XSS attacks. Extra precaution was taken to escape also parts which are unlikely to contain user-defined text.
| fixes CVE-2014-7850
| https://fedorahosted.org/freeipa/ticket/4742
| Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Show warning instead of error if CA did not start | Martin Basti | 2014-11-20 | 1 | -0/+4
| This is just a workaround; checking if the CA is working raises a false positive exception during upgrade
| Ticket: https://fedorahosted.org/freeipa/ticket/4676
| Reviewed-By: Simo Sorce <ssorce@redhat.com>
* Fix wrong expiration date on renewed IPA CA certificates | Jan Cholasta | 2014-11-19 | 1 | -0/+2
| The expiration date was always set to the expiration date of the original certificate.
| https://fedorahosted.org/freeipa/ticket/4717
| Reviewed-By: David Kupka <dkupka@redhat.com>
* Fix named working directory permissions | Martin Basti | 2014-11-18 | 1 | -0/+14
| Just adding the dir to the specfile doesn't work, because it is not guaranteed that named is installed during RPM installation.
| Ticket: https://fedorahosted.org/freeipa/ticket/4716
| Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Add help string on how to configure multiple DNS forwards for various cli tools | Thorsten Scherf | 2014-11-14 | 3 | -3/+3
| The man pages for various FreeIPA setup tools are more descriptive on how to configure multiple DNS forwarders than the corresponding cli help. This patch makes the cli help more verbose now for the following tools:
|   * ipa-dns-install
|   * ipa-replica-install
|   * ipa-server-install
| https://fedorahosted.org/freeipa/ticket/4465
| Reviewed-By: Martin Basti <mbasti@redhat.com>
* Upgrade: fix trusts objectclass violation | Martin Basti | 2014-11-13 | 3 | -6/+9
| Execute updates in proper ordering. Currently the ldap-updater implementation doesn't allow a better fix.
| Ticket: https://fedorahosted.org/freeipa/ticket/4680
| Reviewed-By: David Kupka <dkupka@redhat.com>
* Fix upgrade referint plugin | Martin Basti | 2014-11-13 | 1 | -12/+1
| Mixing 'Old' and 'New' attr style for referential integrity plugin causes errors. Now old settings are migrated to new style settings before upgrade
| Ticket: https://fedorahosted.org/freeipa/ticket/4622
| Reviewed-By: David Kupka <dkupka@redhat.com>
* Search using proper scope when connecting CA instances | Rob Crittenden | 2014-11-13 | 1 | -1/+1
| The wrong search scope was being used when trying to determine if a given master had a CA installed when trying to create a new connection.
| https://fedorahosted.org/freeipa/ticket/4704
| Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* Fix: DNS installer adds invalid zonemgr email | Martin Basti | 2014-11-13 | 1 | -1/+1
| Installer adds zonemgr as relative (and invalid) address. This fix forces the installer to use an absolute email.
| Ticket: https://fedorahosted.org/freeipa/ticket/4707
| Reviewed-By: David Kupka <dkupka@redhat.com>
* webui: prohibit setting rid base with ipa-trust-ad-posix type | Petr Vobornik | 2014-11-11 | 1 | -17/+60
| Base RID is no longer editable for ipa-trust-ad-posix range type
| Adder dialog:
|   - Range type selector was moved up because it affects a field above it
| Details page:
|   - Only fields relevant to range's type are visible
| https://fedorahosted.org/freeipa/ticket/4221
| Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipa-server-install Directory Manager help incorrect | Gabe | 2014-11-11 | 1 | -1/+1
| https://fedorahosted.org/freeipa/ticket/4694
| Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Stop dirsrv last in ipactl stop. | David Kupka | 2014-11-06 | 1 | -6/+6
| Other services may depend on directory server.
| https://fedorahosted.org/freeipa/ticket/4632
| Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Deadlock in schema compat plugin (between automember_update_membership task and dse update) | Thierry bordaz (tbordaz) | 2014-11-06 | 1 | -10/+20
| Defining schema-compat-ignore-subtree values for schema compat plugin config entries removes the default value (ignore: cn=tasks,cn=config). This default value prevented deadlocks.
| Schema plugin needs to scope the $SUFFIX and also any updates to its configuration. This change restricts the schema compat to those subtrees. It replaces the definition of ignored subtrees that would be too long for cn=config (tasks, mapping tree, replication, snmp..)
| https://fedorahosted.org/freeipa/ticket/4635
| Reviewed-By: Martin Basti <mbasti@redhat.com>
| Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fail if certmonger can't see new CA certificate in LDAP in ipa-cacert-manage | Jan Cholasta | 2014-11-05 | 1 | -23/+17
| This should not normally happen, but if it does, report an error instead of waiting indefinitely for the certificate to appear.
| https://fedorahosted.org/freeipa/ticket/4629
| Reviewed-By: David Kupka <dkupka@redhat.com>
* Fixed KRA backend. | Endi S. Dewata | 2014-11-04 | 1 | -1/+1
| The KRA backend has been simplified since most of the tasks have been moved somewhere else. The transport certificate will be installed on the client, and it is not needed by KRA backend. The KRA agent's PEM certificate is now generated during installation due to permission issue. The kra_host() for now is removed since the current ldap_enable() cannot register the KRA service, so it is using the kra_host environment variable.
| The KRA installer has been modified to use Dogtag's CLI to create KRA agent and setup the client authentication.
| The proxy settings have been updated to include KRA's URLs.
| Some constants have been renamed for clarity. The DOGTAG_AGENT_P12 has been renamed to DOGTAG_ADMIN_P12 since the file actually contains the Dogtag admin's certificate and private key and it can be used to access both CA and KRA. The DOGTAG_AGENT_PEM has been renamed to KRA_AGENT_PEM since it can only be used for KRA.
| The Dogtag dependency has been updated to 10.2.1-0.1.
| https://fedorahosted.org/freeipa/ticket/4503
| Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Remove trivial path constants from modules | Gabe | 2014-11-04 | 2 | -16/+12
| https://fedorahosted.org/freeipa/ticket/4399
| Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Do not wait for new CA certificate to appear in LDAP in ipa-certupdate | Jan Cholasta | 2014-10-30 | 1 | -38/+49
| If new certificate is not available, reuse the old one, instead of waiting indefinitely for the new certificate to appear.
| https://fedorahosted.org/freeipa/ticket/4628
| Reviewed-By: David Kupka <dkupka@redhat.com>
* Handle profile changes in dogtag-ipa-ca-renew-agent | Jan Cholasta | 2014-10-29 | 1 | -7/+80
| To update the CA certificate in the Dogtag NSS database, the "ipa-cacert-manage renew" and "ipa-certupdate" commands temporarily change the profile of the CA certificate certmonger request, resubmit it and change the profile back to the original one.
| When something goes wrong while resubmitting the request, it needs to be modified and resubmitted again manually. This might fail with invalid cookie error, because changing the profile does not change the internal state of the request.
| Detect this in dogtag-ipa-ca-renew-agent and reset the internal state when profile is changed.
| https://fedorahosted.org/freeipa/ticket/4627
| Reviewed-By: David Kupka <dkupka@redhat.com>
* Do not check if port 8443 is available in step 2 of external CA install | Jan Cholasta | 2014-10-22 | 2 | -5/+7
| The port is never available in step 2 of external CA install, as Dogtag is already running.
| https://fedorahosted.org/freeipa/ticket/4660
| Reviewed-By: David Kupka <dkupka@redhat.com>
* DNSSEC: upgrading | Martin Basti | 2014-10-21 | 1 | -0/+67
| Tickets:
|   https://fedorahosted.org/freeipa/ticket/3801
|   https://fedorahosted.org/freeipa/ticket/4417
| Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
| Reviewed-By: Jan Cholasta <jcholast@redhat.com>
| Reviewed-By: David Kupka <dkupka@redhat.com>
* DNSSEC: uninstallation | Martin Basti | 2014-10-21 | 2 | -0/+37
| Tickets:
|   https://fedorahosted.org/freeipa/ticket/3801
|   https://fedorahosted.org/freeipa/ticket/4417
| Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
| Reviewed-By: Jan Cholasta <jcholast@redhat.com>
| Reviewed-By: David Kupka <dkupka@redhat.com>
* DNSSEC: installation | Martin Basti | 2014-10-21 | 3 | -9/+69
| Tickets:
|   https://fedorahosted.org/freeipa/ticket/3801
|   https://fedorahosted.org/freeipa/ticket/4417
| Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
| Reviewed-By: Jan Cholasta <jcholast@redhat.com>
| Reviewed-By: David Kupka <dkupka@redhat.com>
* DNSSEC: validate forwarders | Martin Basti | 2014-10-21 | 4 | -3/+39
| Tickets:
|   https://fedorahosted.org/freeipa/ticket/3801
|   https://fedorahosted.org/freeipa/ticket/4417
| Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
| Reviewed-By: Jan Cholasta <jcholast@redhat.com>
| Reviewed-By: David Kupka <dkupka@redhat.com>
* DNSSEC: opendnssec services | Martin Basti | 2014-10-21 | 3 | -0/+198
| Tickets:
|   https://fedorahosted.org/freeipa/ticket/3801
|   https://fedorahosted.org/freeipa/ticket/4417
| Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
| Reviewed-By: Jan Cholasta <jcholast@redhat.com>
| Reviewed-By: David Kupka <dkupka@redhat.com>
* DNSSEC: DNS key synchronization daemon | Martin Basti | 2014-10-21 | 5 | -1/+37
| Tickets:
|   https://fedorahosted.org/freeipa/ticket/3801
|   https://fedorahosted.org/freeipa/ticket/4417
| Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
| Reviewed-By: Jan Cholasta <jcholast@redhat.com>
| Reviewed-By: David Kupka <dkupka@redhat.com>
* DNSSEC: schema | Martin Basti | 2014-10-21 | 4 | -4/+61
| Tickets:
|   https://fedorahosted.org/freeipa/ticket/3801
|   https://fedorahosted.org/freeipa/ticket/4417
| Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
| Reviewed-By: Jan Cholasta <jcholast@redhat.com>
| Reviewed-By: David Kupka <dkupka@redhat.com>
* webui: update combobox input on list click | Petr Vobornik | 2014-10-21 | 1 | -3/+7
| Change event of combobox is not triggered when there is only one value. Calling its handler even for option's 'click' event makes sure that value of input gets always updated.
| https://fedorahosted.org/freeipa/ticket/4655
| Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* webui: do not show closed dialog | Petr Vobornik | 2014-10-21 | 1 | -0/+18
| Fixes issues when dialog is not removed from `IPA.opened_dialogs` registry when dialog.close() is called while the dialog is not shown, i.e., while other dialog is shown. Without it, the dialog could be incorrectly displayed.
| New dialog's property `opened` handles whether dialog is intended to be opened.
| How to test:
| Add new host with IP address outside of managed reverse zones to get error 4304.
| https://fedorahosted.org/freeipa/ticket/4656
| Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* Change ipaOverrideTarget OID to avoid conflict with DNSSEC feature | Alexander Bokovoy | 2014-10-21 | 1 | -1/+1
* Remove ipaContainer, ipaOrderedContainer objectclass | Martin Basti | 2014-10-20 | 2 | -74/+0
| https://fedorahosted.org/freeipa/ticket/4646
| Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Support idviews in compat tree | Alexander Bokovoy | 2014-10-20 | 3 | -0/+20
| Reviewed-By: Tomas Babej <tbabej@redhat.com>
* webui: do not offer ipa users to Default Trust View | Petr Vobornik | 2014-10-20 | 4 | -4/+61
| https://fedorahosted.org/freeipa/ticket/4616
| Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>