path: root/install
Commit message | Author | Age | Files | Lines
...
* Unsaved changes dialog internally inconsistent | Gabe | 2015-05-07 | 5 | -21/+23
| https://fedorahosted.org/freeipa/ticket/4926
| Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* move realm_to_serverid to installutils module | Martin Basti | 2015-05-05 | 5 | -10/+13
| To avoid cyclic imports realm_to_serverid function had to be moved to installutils from dsinstance.
| Required for: https://fedorahosted.org/freeipa/ticket/4925
| Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Remove unneeded ip-address option in ipa-adtrust-install | Gabe | 2015-05-05 | 2 | -38/+1
| https://fedorahosted.org/freeipa/ticket/4575
| Reviewed-By: Martin Basti <mbasti@redhat.com>
* Server Upgrade: Verify version and platform | Martin Basti | 2015-05-04 | 3 | -11/+60
| Verify version and platform before upgrade or ipactl start|restart
| Upgrade:
| * do not allow upgrade on different platforms
| * do not allow upgrade data with higher version than build has
| Start:
| * do not start services if platform mismatch
| * do not start services if upgrade is needed
| * do not start services if data with higher version than build has
| New ipactl options:
| --skip-version-check: do not validate IPA version
| --ignore-service-failures (was --force): ignore if a service start fails and continue with starting other services
| --force: combine --skip-version-check and --ignore-service-failures
| https://fedorahosted.org/freeipa/ticket/4904
| Reviewed-By: Jan Cholasta <jcholast@redhat.com>
| Reviewed-By: David Kupka <dkupka@redhat.com>
* Server Upgrade: ipa-server-upgrade command | Martin Basti | 2015-05-04 | 4 | -0/+54
| https://fedorahosted.org/freeipa/ticket/4904
| Reviewed-By: Jan Cholasta <jcholast@redhat.com>
| Reviewed-By: David Kupka <dkupka@redhat.com>
* speed up indirect member processing | Petr Vobornik | 2015-04-27 | 1 | -1/+1
| The old implementation tried to get all entries which are members of a group. That also means users. A user can't have any members, therefore this costly processing was unnecessary.
| New implementation reduces the search only to entries which have members.
| Also page size was removed to avoid paging by small pages (default size: 100) which is very slow for many members.
| https://fedorahosted.org/freeipa/ticket/4947
| Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Removed recommendation from ipa-adtrust-install | Thorsten Scherf | 2015-04-21 | 1 | -9/+0
| In the wiki we say it's no longer necessary to make the IPA LDAP server not reachable by any AD domain controller. To be consistent, the setup tool should reflect this statement.
| https://fedorahosted.org/freeipa/ticket/4977
| Reviewed-By: Gabe Alford <redhatrises@gmail.com>
* Adopted kinit_keytab and kinit_password for kerberos auth | Martin Babinsky | 2015-04-20 | 3 | -6/+13
| Calls to ipautil.run using kinit were replaced with calls kinit_keytab/kinit_password functions implemented in the PATCH 0015.
| Reviewed-By: Jan Cholasta <jcholast@redhat.com>
| Reviewed-By: Simo Sorce <ssorce@redhat.com>
| Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Server Upgrade: specify order of plugins in update files | Martin Basti | 2015-04-14 | 4 | -5/+38
| * add 'plugin' directive
| * specify plugins order in update files
| * remove 'run plugins' options
| * use ldapupdater API instance in plugins
| * add update files representing former PreUpdate and PostUpdate order of plugins
| https://fedorahosted.org/freeipa/ticket/4904
| Reviewed-By: David Kupka <dkupka@redhat.com>
* Server Upgrade: use only LDAPI connection | Martin Basti | 2015-04-14 | 1 | -9/+0
| Use only ldapi connection to execute upgrade
| https://fedorahosted.org/freeipa/ticket/4904
| Reviewed-By: David Kupka <dkupka@redhat.com>
* webui: use no_members option in entity select search | Petr Vobornik | 2015-04-14 | 1 | -3/+10
| Obtaining member information for entity selects is not needed and it causes unwanted performance hit, especially with larger groups.
| This patch removes it.
| https://fedorahosted.org/freeipa/ticket/4948
| Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* webui: unable to select single value in CB by enter key | Petr Vobornik | 2015-04-14 | 1 | -0/+1
| Fix: If editable combobox has one value, the value is selected and changed by hand, it can't be re-selected by enter key.
| Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* User life cycle: stageuser-add verb | Thierry bordaz (tbordaz) | 2015-04-08 | 1 | -12/+17
| Add an accounts plugin (accounts class) that defines variables and methods common to 'users' and 'stageuser'. accounts is a superclass of users/stageuser
| Add the stageuser plugin, with support of stageuser-add verb.
| Reviewed By: David Kupka, Martin Basti, Jan Cholasta
| https://fedorahosted.org/freeipa/ticket/3813
| Reviewed-By: Jan Cholasta <jcholast@redhat.com>
| Reviewed-By: David Kupka <dkupka@redhat.com>
* Bump ipa.conf version to 17. | David Kupka | 2015-03-30 | 1 | -1/+1
| Reviewed-By: Jan Cholasta <jcholast@redhat.com>
| Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
| Reviewed-By: Rob Crittenden <rcritten@redhat.com>
| Reviewed-By: Simo Sorce <ssorce@redhat.com>
* Use mod_auth_gssapi instead of mod_auth_kerb. | David Kupka | 2015-03-30 | 1 | -11/+5
| https://fedorahosted.org/freeipa/ticket/4190
| Reviewed-By: Jan Cholasta <jcholast@redhat.com>
| Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
| Reviewed-By: Rob Crittenden <rcritten@redhat.com>
| Reviewed-By: Simo Sorce <ssorce@redhat.com>
* Remove unused part of ipa.conf. | David Kupka | 2015-03-30 | 1 | -15/+0
| Separate configuration of '/var/www/cgi-bin' is no longer needed legacy from IPA 1.0.
| Reviewed-By: Jan Cholasta <jcholast@redhat.com>
| Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
| Reviewed-By: Rob Crittenden <rcritten@redhat.com>
| Reviewed-By: Simo Sorce <ssorce@redhat.com>
* Server Upgrade: remove --test option | Martin Basti | 2015-03-19 | 1 | -5/+0
| As --test option is not used for developing, and it is not recommended to test if upgrade will pass, this patch removes it completely.
| https://fedorahosted.org/freeipa/ticket/3448
| Reviewed-By: David Kupka <dkupka@redhat.com>
* ipa-dns-install: use LDAPI to connect to DS | Martin Babinsky | 2015-03-18 | 2 | -39/+24
| ipa-dns-install now uses LDAPI/autobind to connect to DS during the setup of DNS/DNSSEC-related service and thus makes -p option obsolete. Furthermore, now it makes more sense to use LDAPI also for API Backend connections to DS and thus all forms of Kerberos auth were removed.
| This fixes https://fedorahosted.org/freeipa/ticket/4933 and brings us closer to fixing https://fedorahosted.org/freeipa/ticket/2957
| Reviewed-By: Martin Basti <mbasti@redhat.com>
* ipa-dns-install: use STARTTLS to connect to DS | Martin Babinsky | 2015-03-18 | 1 | -4/+8
| BindInstance et al. now use STARTTLS to set up secure connection to DS during ipa-dns-install.
| This fixes https://fedorahosted.org/freeipa/ticket/4933
| Reviewed-By: Martin Basti <mbasti@redhat.com>
* ipa-replica-prepare can only be created on the first master | Gabe | 2015-03-13 | 1 | -2/+4
| https://fedorahosted.org/freeipa/ticket/4944
| Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Remove unused disable-betxn.ldif file | Martin Basti | 2015-03-09 | 2 | -62/+0
| Reviewed-By: David Kupka <dkupka@redhat.com>
* Limit deadlocks between DS plugin DNA and slapi-nis | root | 2015-03-05 | 1 | -0/+5
| Deadlock can occur if DNA plugin (shared) config and Schema-compat plugin config are updated at the same time. Schema-compat should ignore update on DNA config.
| https://fedorahosted.org/freeipa/ticket/4927
| Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Fix uniqueness plugins | Martin Basti | 2015-03-05 | 2 | -36/+48
| * add uniqueness-subtree-entries-oc:posixAccount to ensure idviews users will not be forced to have unique uid
| * remove unneeded update plugins -> update was moved to .update file
| * add uniqueness-across-all-subtrees required by user lifecycle management
| Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Migrate uniquess plugins configuration to new style | Martin Basti | 2015-03-05 | 2 | -30/+30
| New configuration style contains options required for user lifecycle management.
| Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* replica-install: Use different API instance for the remote server | Jan Cholasta | 2015-03-05 | 1 | -131/+106
| Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipa-replica-prepare should document ipv6 options | Gabe | 2015-02-26 | 1 | -2/+3
| https://fedorahosted.org/freeipa/ticket/4877
| Reviewed-By: Tomas Babej <tbabej@redhat.com>
* webui: service: add ipakrbrequirespreauth checkbox | Petr Vobornik | 2015-02-26 | 1 | -0/+5
| Allow to configure missing krb ticket flag - ipakrbrequirespreauth from Web UI.
| Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Remove references to GPL v2.0 license | Martin Kosek | 2015-02-20 | 2 | -82/+0
| All FreeIPA original code should be licensed to GPL v3+ license, update the respective files:
| - daemons/ipa-slapi-plugins/ipa-dns/ipa_dns.c
| Remove GPL v2.0 license files from LDIFs or template to keep consistency.
| Reviewed-By: Simo Sorce <ssorce@redhat.com>
* Uninstall configured services only | Martin Basti | 2015-02-18 | 1 | -2/+8
| Fixes:
| dnskeysyncinstance - requires a stored state to be uninstalled
| bindinstance - uninstall service only if bind was configured by IPA
| Ticket: https://fedorahosted.org/freeipa/ticket/4869
| Reviewed-By: David Kupka <dkupka@redhat.com>
* Expose the disabled User Auth Type | Nathaniel McCallum | 2015-02-12 | 2 | -0/+2
| Additionally, fix a small bug in ipa-kdb so that the disabled User Auth Type is properly handled.
| https://fedorahosted.org/freeipa/ticket/4720
| Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Use 'remove-ds.pl' to remove DS instance | Martin Babinsky | 2015-01-27 | 1 | -1/+5
| The patch adds a function which calls 'remove-ds.pl' during DS instance removal. This should allow for a more thorough removal of DS related data during server uninstallation (such as closing custom ports, cleaning up slapd-* entries etc.)
| This patch is related to https://fedorahosted.org/freeipa/ticket/4487.
| Reviewed-By: Martin Basti <mbasti@redhat.com>
* Revert "Make all ipatokenTOTP attributes mandatory" | Jan Cholasta | 2015-01-21 | 1 | -1/+1
| This prevents schema replication conflicts which cause replication failures with older versions of IPA. Details in https://bugzilla.redhat.com/show_bug.cgi?id=1176995#c7
| This reverts commit adcd373931c50d91550f6b74b191d08ecce5b137.
| https://fedorahosted.org/freeipa/ticket/4833
| Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Replication Administrators cannot remove replication agreements | Martin Kosek | 2015-01-20 | 1 | -0/+11
| Replication agreement deletion requires read access to DNA range setting. The read access was accidentally removed during PermissionV2 refactoring.
| Add the read ACI back as a special SYSTEM permission.
| https://fedorahosted.org/freeipa/ticket/4848
| Reviewed-By: Martin Basti <mbasti@redhat.com>
* Allow Replication Administrators manipulate Winsync Agreements | Martin Kosek | 2015-01-19 | 2 | -1/+24
| Replication Administrators members were not able to set up changelog5 entry in cn=config or list winsync agreements.
| To allow reading winsync replicas, the original deny ACI cn=replica had to be removed as it prevented admins from reading the entries, but just anonymous/authenticated users.
| https://fedorahosted.org/freeipa/ticket/4836
| Reviewed-By: David Kupka <dkupka@redhat.com>
* Allow PassSync user to locate and update NT users | Martin Kosek | 2015-01-19 | 1 | -0/+30
| Add new PassSync Service privilege that has sufficient access to let AD PassSync service search for NT users and update the password. To make sure existing PassSync user keeps working, it is added as a member of the new privilege.
| New update plugin is added to add link to the new privilege to the potentially existing PassSync user to avoid breaking the PassSync service.
| https://fedorahosted.org/freeipa/ticket/4837
| Reviewed-By: David Kupka <dkupka@redhat.com>
* Fix validation of ipa-restore options | Jan Cholasta | 2015-01-14 | 1 | -4/+4
| Fix restore mode checks. Do some of the existing checks earlier to make them effective. Check if --instance and --backend exist both in the filesystem and in the backup.
| Log backup type and restore mode before performing restore.
| Update ipa-restore man page.
| https://fedorahosted.org/freeipa/ticket/4797
| Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
| Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Make certificate renewal process synchronized | Jan Cholasta | 2015-01-13 | 9 | -6/+102
| Synchronization is achieved using a global renewal lock.
| https://fedorahosted.org/freeipa/ticket/4803
| Reviewed-By: David Kupka <dkupka@redhat.com>
* Restart dogtag when its server certificate is renewed | Jan Cholasta | 2015-01-13 | 1 | -3/+3
| https://fedorahosted.org/freeipa/ticket/4803
| Reviewed-By: David Kupka <dkupka@redhat.com>
* Fix CA certificate renewal syslog alert | Jan Cholasta | 2015-01-13 | 1 | -1/+1
| https://fedorahosted.org/freeipa/ticket/4820
| Reviewed-By: David Kupka <dkupka@redhat.com>
* Fix: Upgrade forwardzones zones after adding newer replica | Martin Basti | 2015-01-09 | 2 | -0/+3
| Patch fixes issue, when forwardzones has not been upgraded after adding replica >=4.0 into topology with IPA 3.x servers.
| Ticket: https://fedorahosted.org/freeipa/ticket/4818
| Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Remove the removal of the ccache | Simo Sorce | 2015-01-08 | 1 | -1/+0
| It is not necessary to remove the ccache on upgrades on modern IPA servers, even if the ccache contains stale data either it is re-initialized by mod_auth_kerb or a new ccache collection is created (if completely unrelated credentials were present), at least when using DIR or keyring ccaches.
| This line causes wrong SELinux labels to be set in the kernel keyring on upgrades, which then cause the apache server to fail to use the ccache.
| https://fedorahosted.org/freeipa/ticket/4815
| Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Using wget to get status of CA | Martin Basti | 2014-12-10 | 1 | -4/+0
| This is just workaround
| Ticket: https://fedorahosted.org/freeipa/ticket/4676
| Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* revert removal of cn attribute from idnsRecord | Petr Vobornik | 2014-12-09 | 1 | -1/+1
| The removal, which was done in IPA-3.2, causes replication issues between IPA < 3.2 and IPA 4.1. Because IPA 4.1 adds two more attributes.
| https://fedorahosted.org/freeipa/ticket/4794
| Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
| Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Do not renew the IPA CA cert by serial number in dogtag-ipa-ca-renew-agent | Jan Cholasta | 2014-12-09 | 1 | -1/+1
| Always use the full CSR when renewing the IPA CA certificate with Dogtag. The IPA CA certificate may be issued by an external CA, in which case renewal by serial number does not make sense and will fail if the IPA CA was initially installed as a subordinate of an external CA.
| https://fedorahosted.org/freeipa/ticket/4784
| Reviewed-By: David Kupka <dkupka@redhat.com>
* Fix automatic CA cert renewal endless loop in dogtag-ipa-ca-renew-agent | Jan Cholasta | 2014-12-09 | 1 | -0/+2
| Reset profile name after requesting the CA cert from Dogtag to prevent the automatic renewal request from being restarted in subsequent calls.
| https://fedorahosted.org/freeipa/ticket/4765
| Reviewed-By: David Kupka <dkupka@redhat.com>
* Upgrade fix: masking named should be executed only once | Martin Basti | 2014-12-09 | 1 | -14/+16
| There was an error in the code, masking was executed more times, even if it was successful
| https://fedorahosted.org/freeipa/ticket/4755
| Reviewed-By: David Kupka <dkupka@redhat.com>
* webui: increase duration of notification messages | Petr Vobornik | 2014-12-09 | 1 | -1/+1
| by 66%
| https://fedorahosted.org/freeipa/ticket/4792
| Reviewed-By: Martin Basti <mbasti@redhat.com>
* webui: fix service unprovisioning | Petr Vobornik | 2014-12-09 | 1 | -1/+1
| Missed part of field refactoring caused that service could not be unprovisioned.
| https://fedorahosted.org/freeipa/ticket/4770
| Reviewed-By: Martin Basti <mbasti@redhat.com>
* Prefer TCP connections to UDP in krb5 clients | Nathaniel McCallum | 2014-12-08 | 2 | -0/+2
| In general, TCP is a better fit for FreeIPA due to large packet sizes. However, there is also a specific need for TCP when using OTP. If a UDP packet is delivered to the server and the server takes longer to process it than the client timeout (likely), the OTP value will be resent. Unfortunately, this will cause failures or even lockouts. Switching to TCP avoids this problem altogether.
| https://fedorahosted.org/freeipa/ticket/4725
| Reviewed-By: Martin Kosek <mkosek@redhat.com>
* hosts: Display assigned ID view by default in host-find and show commands | Tomas Babej | 2014-12-05 | 1 | -1/+0
| Makes ipaassignedidview a default attribute and takes care about the conversion from the DN to the proper ID view name.
| https://fedorahosted.org/freeipa/ticket/4774
| Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
| Reviewed-By: Jan Cholasta <jcholast@redhat.com>