Commit log for path: root/ipaserver

Each entry gives the commit subject, then in parentheses the author, the commit date, the number of files changed and the lines removed/added, followed by the commit message body.
* Add permissions for certificate store. (Jan Cholasta, 2014-07-30, 2 files, -0/+76)
  Part of https://fedorahosted.org/freeipa/ticket/3259
  Part of https://fedorahosted.org/freeipa/ticket/3520
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>

* Add LDAP schema for certificate store. (Jan Cholasta, 2014-07-30, 1 file, -0/+1)
  Part of https://fedorahosted.org/freeipa/ticket/3259
  Part of https://fedorahosted.org/freeipa/ticket/3520
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>

* Fix trust flags in HTTP and DS NSS databases. (Jan Cholasta, 2014-07-30, 4 files, -14/+26)
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>

* Allow specifying trust flags in NSSDatabase and CertDB method trust_root_cert. (Jan Cholasta, 2014-07-30, 1 file, -4/+6)
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>

* Do not treat the IPA RA cert as CA cert in DS NSS database. (Jan Cholasta, 2014-07-30, 1 file, -1/+1)
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>

* Allow IPA master hosts to read and update IPA master information. (Jan Cholasta, 2014-07-30, 1 file, -0/+38)
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>

* Do not use ldapi in certificate renewal scripts. (Jan Cholasta, 2014-07-30, 1 file, -8/+13)
  This prevents SELinux denials when accessing the ldapi socket.
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>

* Remove master ACIs when deleting a replica. (Jan Cholasta, 2014-07-30, 1 file, -0/+43)
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>

* Load sysupgrade.state on demand. (Jan Cholasta, 2014-07-30, 1 file, -1/+9)
  This prevents SELinux denials when the sysupgrade module is imported in a confined process.
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>

* Add CA certificate management tool ipa-cacert-manage. (Jan Cholasta, 2014-07-30, 1 file, -0/+285)
  Part of https://fedorahosted.org/freeipa/ticket/3737
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>

* Add permissions for CA certificate renewal. (Jan Cholasta, 2014-07-30, 1 file, -0/+23)
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>

* Add method for verifying CA certificates to NSSDatabase. (Jan Cholasta, 2014-07-30, 1 file, -0/+23)
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>

* Move external cert validation from ipa-server-install to installutils. (Jan Cholasta, 2014-07-30, 1 file, -1/+49)
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>

* Add method for setting CA renewal master in LDAP to CAInstance. (Jan Cholasta, 2014-07-30, 1 file, -3/+38)
  Allow checking and setting CA renewal master for non-local CA instances.
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>

* Track CA certificate using dogtag-ipa-ca-renew-agent. (Jan Cholasta, 2014-07-30, 1 file, -7/+13)
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Fix DNS upgrade plugin should check if DNS container exists (Martin Basti, 2014-07-28, 1 file, -0/+4)
  Fortunately this causes no error, because dnszone-find doesn't raise an exception if there is no DNS container.
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Always record that pkicreate has been executed. (David Kupka, 2014-07-22, 1 file, -3/+10)
  Record that pkicreate/pkispawn has been executed to allow cleanup even if the installation did not finish correctly.
  https://fedorahosted.org/freeipa/ticket/2796
  Reviewed-By: Martin Kosek <mkosek@redhat.com>

* Fix login password expiration detection with OTP (Nathaniel McCallum, 2014-07-21, 1 file, -31/+9)
  The preexisting code would execute two steps. First, it would perform a kinit. If the kinit failed, it would attempt to bind using the same credentials to determine if the password were expired. While this method is fairly ugly, it mostly worked in the past.

  However, with OTP this breaks. This is because the OTP code is consumed by the kinit step. But because the password is expired, the kinit step fails. When the bind is executed, the OTP token is already consumed, so bind fails. This causes all password expirations to be reported as invalid credentials.

  After discussion with MIT, the best way to handle this case with the standard tools is to set LC_ALL=C and check the output from the command. This eliminates the bind step altogether. The end result is that OTP works and all password failures are more performant.

  https://fedorahosted.org/freeipa/ticket/4412
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>

* Enable debug pid in smb.conf (Gabe, 2014-07-18, 1 file, -0/+1)
  https://fedorahosted.org/freeipa/ticket/3485
  Reviewed-By: Tomas Babej <tbabej@redhat.com>

* ldap2 indirect membership processing: Use global limits if greater than per-query ones (Petr Viktorin, 2014-07-14, 1 file, -6/+29)
  Calling an ipa *-find command with --sizelimit=1 on an entry with more members would result in a LimitsExceeded error as the search for members was limited to 1 entry.

  For the memberof searches, only apply the global limit if it's larger than the requested one, so decreasing limits on the individual query only affects the query itself.

  https://fedorahosted.org/freeipa/ticket/4398
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>

* ldapupdate: Restore 'replace' functionality (Petr Viktorin, 2014-07-04, 1 file, -0/+8)
  The replace directive was made a no-op by mistake in commit 6381d76. Restore it.
  Reviewed-By: Martin Kosek <mkosek@redhat.com>

* Restore privileges after forward zones update (Martin Basti, 2014-07-04, 1 file, -1/+42)
  Ticket: https://fedorahosted.org/freeipa/ticket/3210
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* ipa-ldap-updater: make it possible to use LDAPI with autobind in case of hardened LDAP configuration (Alexander Bokovoy, 2014-07-04, 1 file, -1/+2)
  When nsslapd-minssf is greater than 0, running ipa-ldap-updater [-l] as root will fail even if we force use of autobind for root over LDAPI. The reason for this is that the schema updater doesn't get the ldapi flag passed and attempts to connect to the LDAP port instead, and for hardened configurations using simple bind over LDAP is not enough.

  Additionally, properly report previously unhandled LDAP exceptions.

  https://fedorahosted.org/freeipa/ticket/3468
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Fix upgrade to forward zones (Martin Basti, 2014-07-03, 1 file, -1/+1)
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Allow adding non-string values to named.conf (Martin Basti, 2014-07-02, 1 file, -6/+24)
  Non-string values should not start and end with '"' in the options section of named.conf.
  Required by ticket: https://fedorahosted.org/freeipa/ticket/4408
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Do not fail if there are multiple nsDS5ReplicaId values in cn=replication,cn=etc (Petr Viktorin, 2014-07-02, 1 file, -2/+7)
  On systems installed before #3394 was fixed and nsDS5ReplicaId became single-valued, there are two replica ID values stored in cn=replication: the default (3) and the actual value we want.

  Instead of failing when multiple values are found, use the largest one.

  https://fedorahosted.org/freeipa/ticket/4375
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Upgrade special master zones to forward zones (Martin Basti, 2014-06-27, 1 file, -2/+177)
  This upgrade is executed only if the IPA version is older than 4.0.

  Requires detecting whether the 'idnsforwardzone' objectclass is present in the schema before the schema is upgraded.

  Design: http://www.freeipa.org/page/V4/Forward_zones#Updates_and_Upgrades
  Ticket: https://fedorahosted.org/freeipa/ticket/3210
  Reviewed-By: Martin Kosek <mkosek@redhat.com>

* Added upgrade step executed before schema is upgraded (Martin Basti, 2014-06-27, 5 files, -8/+54)
  Class PreSchemaUpdate is executed before the LDAP schema update.
  This is required by ticket: https://fedorahosted.org/freeipa/ticket/3210
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Add /session/token_sync POST support (Nathaniel McCallum, 2014-06-26, 3 files, -8/+119)
  This HTTP call takes the following parameters:
    * user
    * password
    * first_code
    * second_code
    * token (optional)

  Using this information, the server will perform token synchronization. If the token is not specified, all tokens will be searched for synchronization. Otherwise, only the token specified will be searched.

  https://fedorahosted.org/freeipa/ticket/4218
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

* rpcserver: fix local vs utc time comparison (Petr Vobornik, 2014-06-26, 1 file, -1/+1)
  login_password did not work properly in timezones other than +0h because local time was compared with utc time.

  Bug introduced in: https://fedorahosted.org/freeipa/ticket/4339
  Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>

* rpcserver: add otp support to change_password handler (Petr Vobornik, 2014-06-26, 1 file, -4/+7)
  https://fedorahosted.org/freeipa/ticket/4262
  Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>

* ldap2: add otp support to modify_password (Petr Vobornik, 2014-06-26, 1 file, -3/+6)
  https://fedorahosted.org/freeipa/ticket/4262
  Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>

* ipaplatform: Move paths from installers to paths module (Tomas Babej, 2014-06-26, 1 file, -1/+1)
  Part of: https://fedorahosted.org/freeipa/ticket/4052
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>

* Implement OTP token importing (Nathaniel McCallum, 2014-06-25, 1 file, -0/+530)
  This patch adds support for importing tokens using RFC 6030 key container files. This includes decryption support.

  For sysadmin sanity, any tokens which fail to add will be written to the output file for examination. The main use case here is where a small subset of a large set of tokens fails to validate or add. Using the output file, the sysadmin can attempt to recover these specific tokens.

  This code is implemented as a server-side script. However, it doesn't actually need to run on the server. This was done because importing is an odd fit for the IPA command framework:
    1. We need to write an output file.
    2. The operation may be long-running (thousands of tokens).
    3. Only admins need to perform this task and it only happens infrequently.

  https://fedorahosted.org/freeipa/ticket/4261
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

* Remove GetEffectiveRights control when ldap2.get_effective_rights fails. (Jan Cholasta, 2014-06-24, 1 file, -3/+5)
  Reviewed-By: Martin Kosek <mkosek@redhat.com>

* Allow SAN in IPA certificate profile. (Jan Cholasta, 2014-06-24, 1 file, -0/+51)
  https://fedorahosted.org/freeipa/ticket/3977
  Reviewed-By: Martin Kosek <mkosek@redhat.com>

* permission plugin: Join --type objectclass filters with OR (Petr Viktorin, 2014-06-23, 1 file, -2/+3)
  For groups, we will need to filter on either posixgroup (which UPGs have but non-posix groups don't) and groupofnames/nestedgroup (which normal groups have but UPGs don't).

  Join permission_filter_objectclasses with `|` and add them as a single ipapermtargetfilter value.

  Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
  Reviewed-By: Martin Kosek <mkosek@redhat.com>

* Add $REALM to variables supported by the managed permission updater (Petr Viktorin, 2014-06-18, 1 file, -0/+1)
  This will allow converting password policy permissions.

  Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
  Reviewed-By: Martin Kosek <mkosek@redhat.com>

* Remove the update_dns_permissions plugin (Petr Viktorin, 2014-06-18, 1 file, -56/+0)
  This plugin created permissions that the managed permission updater would remove right away.

  Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
  Reviewed-By: Martin Kosek <mkosek@redhat.com>

* managed permission updater: Add mechanism to replace SYSTEM permissions (Petr Viktorin, 2014-06-18, 1 file, -0/+18)
  The "Read DNS Entries" permission, which was marked SYSTEM (no associated ACI), can now be converted to a regular managed permission.

  Add a mechanism for the updater to replace old SYSTEM permissions. This cannot be done in an update file because we do not want to replace V2 permissions with the same name.

  Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
  Reviewed-By: Martin Kosek <mkosek@redhat.com>

* ipaplatform: Move all filesystem paths to ipaplatform.paths module (Tomas Babej, 2014-06-16, 25 files, -330/+344)
  https://fedorahosted.org/freeipa/ticket/4052
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Remove redundant imports of ipaservices (Tomas Babej, 2014-06-16, 11 files, -16/+5)
  Also fixes a few incorrect imports.

  https://fedorahosted.org/freeipa/ticket/4052
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Change service code in freeipa to use ipaplatform services (Tomas Babej, 2014-06-16, 9 files, -30/+39)
  https://fedorahosted.org/freeipa/ticket/4052
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Change platform dependent code in freeipa to use ipaplatform tasks (Tomas Babej, 2014-06-16, 5 files, -6/+11)
  https://fedorahosted.org/freeipa/ticket/4052
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Make 'permission' the default bind type for managed permissions (Petr Viktorin, 2014-06-11, 1 file, -1/+1)
  This reduces typing (or copy/pasting), and draws a bit of attention to any non-default privileges (currently 'any' or 'anonymous').

  Leaving the bindtype out by mistake isn't dangerous: by default a permission is not granted to anyone, since it is not included in any privileges.

  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Add method to enumerate managed permission templates (Petr Viktorin, 2014-06-11, 1 file, -15/+30)
  This will ease writing audit and management scripts for managed permissions.
  Reviewed-By: Martin Kosek <mkosek@redhat.com>

* managed perm updater: Handle case where we changed default ACIs in the past (Petr Viktorin, 2014-06-10, 1 file, -2/+18)
  This handles the case where IPA's default ACIs changed in something else than just attribute lists. In this case we can narrow the set of ACIs we think the user might be upgrading from.

  Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
  Reviewed-By: Martin Kosek <mkosek@redhat.com>

* Add mechanism for updating permissions to managed (Petr Viktorin, 2014-06-04, 1 file, -8/+135)
  Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
  Reviewed-By: Martin Kosek <mkosek@redhat.com>

* Modified dns related global functions (Martin Basti, 2014-06-03, 1 file, -2/+2)
    * Modified functions to use DNSName type
    * Removed unused functions

  Part of ticket: IPA should allow internationalized domain names
  https://fedorahosted.org/freeipa/ticket/3169
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>

* ipa recursively adds old backups (Gabe, 2014-05-30, 1 file, -0/+1)
  - Added exclude for the ipa backup folder to the files tar

  https://fedorahosted.org/freeipa/ticket/4331
  Reviewed-By: Martin Kosek <mkosek@redhat.com>