summaryrefslogtreecommitdiffstats
path: root/ipaserver
Commit message (Collapse)AuthorAgeFilesLines
* ipaserver.install.service: Fix estimated time displayPetr Viktorin2014-03-131-13/+17
| | | | | | | | | | Use basic math rather than timezone conversion to get minutes and seconds. Break out the message generation into a small tested function. https://fedorahosted.org/freeipa/ticket/4242 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* ipaserver/dcerpc: make sure to always return unicode SID of the trust domainAlexander Bokovoy2014-03-121-1/+1
| | | | | | | | | | Trusted domain SID could be obtained through different means. When it is fetched from the AD DC via LDAP, it needs to be extracted from a default context and explicitly converted to unicode. https://fedorahosted.org/freeipa/ticket/4246 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Support OTP in form based authPetr Vobornik2014-03-121-6/+32
| | | | | | | | OTP requires to use kerberos FAST channel. Ccache with ticket obtained using ipa.keytab is used as an armor. https://fedorahosted.org/freeipa/ticket/3369 Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
* ipa-replica-install never checks for 7389 portMartin Kosek2014-03-112-7/+21
| | | | | | | | | | | | | | | When creating replica from a Dogtag 9 based IPA server, the port 7389 which is required for the installation is never checked by ipa-replica-conncheck even though it knows that it is being installed from the Dogtag 9 based FreeIPA. If the 7389 port would be blocked by firewall, installation would stuck with no hint to user. Make sure that the port configuration parsed from replica info file is used consistently in the installers. https://fedorahosted.org/freeipa/ticket/4240 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* adtrustinstance: make sure to stop and disable winbind in uninstall()Alexander Bokovoy2014-02-281-2/+5
| | | | Reviewed-By: Martin Kosek <mkosek@redhat.com>
* ipaserver/dcerpc: catch the case of insuffient permissions when establishing ↵Alexander Bokovoy2014-02-271-2/+5
| | | | | | | | | | | | | | trust We attempt to delete the trust that might exist already. If there are not enough privileges to do so, we wouldn't be able to create trust at the next step and it will fail. However, failure to create trust will be due to the name collision as we already had the trust with the same name before. Thus, raise access denied exception here to properly indicate wrong access level instead of returning NT_STATUS_OBJECT_NAME_COLLISION. https://fedorahosted.org/freeipa/ticket/4202 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* trusts: Remove usage of deprecated LDAP APITomas Babej2014-02-271-2/+2
| | | | | | | | | Remove a reference to the old deprecated LDAP API invoked by the usage of trust_add method. https://fedorahosted.org/freeipa/ticket/4204 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* bindinstance: make sure zone manager is initialized in add_master_dns_recordsAlexander Bokovoy2014-02-261-0/+1
| | | | | | | | | Bind instance is configured using a short-circuited way when replica is set up. Make sure required properties are in place for that. https://fedorahosted.org/freeipa/ticket/4186 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Always use real entry DNs for memberOf in ldap2.Jan Cholasta2014-02-241-1/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/4192 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Clarify error message about missing DNS component in ipa-replica-prepare.Petr Spacek2014-02-211-2/+5
| | | | | | https://fedorahosted.org/freeipa/ticket/4188 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Add OTP last token pluginNathaniel McCallum2014-02-211-0/+4
| | | | | | | | | | This plugin prevents the deletion or deactivation of the last valid token for a user. This prevents the user from migrating back to single factor authentication once OTP has been enabled. Thanks to Mark Reynolds for helping me with this patch. Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add HOTP supportNathaniel McCallum2014-02-211-1/+1
| | | | Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipa tool: Print the name of the server we are connecting to with -vPetr Viktorin2014-02-051-0/+5
| | | | | | | | | | | | | The logging level for these messages was decreaed so that they do not show up in ipa-advise output. Reset the log level to INFO and configure ipa-advise to not display INFO messages from xmlclient by default. Partially reverts commit efe5a96725d3ddcd05b03a1ca9df5597eee693be https://fedorahosted.org/freeipa/ticket/4135 Reviewed-By: Tomáš Babej <tbabej@redhat.com>
* Remove working directory for bind-dyndb-ldap plugin.Petr Spacek2014-01-271-13/+0
| | | | | | | | | The working directory will be provided directly by bind-dyndb-ldap package. This partially reverts commit 689382dc833e687d30349b10a8fd7dc740d54d08. https://fedorahosted.org/freeipa/ticket/3967
* Convert remaining frontend code to LDAPEntry API.Jan Cholasta2014-01-241-9/+9
|
* Convert remaining update code to LDAPEntry API.Jan Cholasta2014-01-248-28/+25
|
* Convert remaining installer code to LDAPEntry API.Jan Cholasta2014-01-243-21/+22
|
* Implement XML introspectionPetr Viktorin2014-01-141-6/+51
| | | | https://fedorahosted.org/freeipa/ticket/2937
* rpcserver: Consolidate __call__ in xmlclient and jsonclient_kerbPetr Viktorin2013-12-101-54/+34
| | | | | | | | | The two classes had very similar __call__ methods, but the JSON server lacked error handling. Create a common class for the __call__ method. https://fedorahosted.org/freeipa/ticket/4069
* httpd should destroy all CCACHEsMartin Kosek2014-01-221-1/+1
| | | | | | | | Use "kdestroy -A" command to destroy all CCACHEs, both the primary and the non-primary ones to make sure that the non-primary ones are not used later. https://fedorahosted.org/freeipa/ticket/4084
* Switch httpd to use default CCACHEMartin Kosek2014-01-221-19/+3
| | | | | | | | | | | | | Stock httpd no longer uses systemd EnvironmentFile option which is making FreeIPA's KRB5CCNAME setting ineffective. This can lead in hard to debug problems during subsequent ipa-server-install's where HTTP may use a stale CCACHE in the default kernel keyring CCACHE. Avoid forcing custom CCACHE and switch to system one, just make sure that it is properly cleaned by kdestroy run as "apache" user during FreeIPA server installation process. https://fedorahosted.org/freeipa/ticket/4084
* ipa-adtrust-install: configure host netbios name by defaultAlexander Bokovoy2014-01-201-0/+3
| | | | | | Ensure we set host netbios name by default in smb.conf https://fedorahosted.org/freeipa/ticket/4116
* Treat error during write to /etc/resolv.conf as non-fatal.Petr Spacek2014-01-161-5/+8
| | | | https://fedorahosted.org/freeipa/ticket/4110
* Do not start the service in stopped_service if it was not running before.Jan Cholasta2014-01-151-3/+0
| | | | This fixes a possible NSS database corruption in renew_ca_cert.
* ipaserver/install/installutils: clean up properly after yieldAlexander Bokovoy2014-01-151-11/+14
| | | | | When a context to which we yield generates exception, the code in private_ccache() and stopped_service() didn't get called for cleanup.
* Enable Retro Changelog and Content Synchronization DS pluginsAna Krivokapic2014-01-141-0/+13
| | | | | | | | | Enable Retro Changelog and Content Synchronization DS plugins which are required for SyncRepl support. Create a working directory /var/named/ipa required by bind-dyndb-ldap v4+. https://fedorahosted.org/freeipa/ticket/3967
* Use raw LDAP data in ldapupdate.Jan Cholasta2014-01-101-23/+7
| | | | https://fedorahosted.org/freeipa/ticket/3488
* Store old entry state in dict rather than LDAPEntry.Jan Cholasta2014-01-101-2/+2
| | | | https://fedorahosted.org/freeipa/ticket/3488
* Remove legacy LDAPEntry properties data and orig_data.Jan Cholasta2014-01-102-8/+4
| | | | https://fedorahosted.org/freeipa/ticket/3488
* Add LDAPEntry method generate_modlist.Jan Cholasta2014-01-102-2/+2
| | | | | | | Use LDAPEntry.generate_modlist instead of LDAPClient._generate_modlist and remove LDAPClient._generate_modlist. https://fedorahosted.org/freeipa/ticket/3488
* Reduce amount of LDAPEntry.reset_modlist calls in ldapupdate.Jan Cholasta2014-01-101-8/+4
| | | | https://fedorahosted.org/freeipa/ticket/3488
* Use LDAPClient.update_entry for LDAP mods in ldapupdate.Jan Cholasta2014-01-101-2/+2
| | | | | | Remove legacy IPAdmin methods generateModList and updateEntry. https://fedorahosted.org/freeipa/ticket/3488
* Rename LDAPEntry method commit to reset_modlist.Jan Cholasta2014-01-101-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/3488
* PKI service restart after CA renewal failedJan Cholasta2014-01-081-2/+2
| | | | | | | | | | Fix both the service restart procedure and registration of old pki-cad well known service name. This patch was adapted from original patch of Jan Cholasta 178 to fix ticket 4092. https://fedorahosted.org/freeipa/ticket/4092
* Use /usr/bin/python2Xiao-Long Chen2014-01-031-1/+0
| | | | | | | | | | | | Part of the effort to port FreeIPA to Arch Linux, where Python 3 is the default. FreeIPA hasn't been ported to Python 3, so the code must be modified to run /usr/bin/python2 https://fedorahosted.org/freeipa/ticket/3438 Updated by pviktori@redhat.com
* Convert remaining backend code to LDAPEntry API.Jan Cholasta2013-12-163-24/+21
|
* Allow kernel keyring CCACHE when supportedMartin Kosek2013-12-091-0/+10
| | | | | | | Server and client installer should allow kernel keyring ccache when supported. https://fedorahosted.org/freeipa/ticket/4013
* subdomains: Use AD admin credentials when trust is being establishedAlexander Bokovoy2013-11-291-14/+28
| | | | | | | | | | | | | | | | | | | | When AD administrator credentials passed, they stored in realm_passwd, not realm_password in the options. When passing credentials to ipaserver.dcerpc.fetch_domains(), make sure to normalize them. Additionally, force Samba auth module to use NTLMSSP in case we have credentials because at the point when trust is established, KDC is not yet ready to issue tickets to a service in the other realm due to MS-PAC information caching effects. The logic is a bit fuzzy because credentials code makes decisions on what to use based on the smb.conf parameters and Python bindings to set parameters to smb.conf make it so that auth module believes these parameters were overidden by the user through the command line and ignore some of options. We have to do calls in the right order to force NTLMSSP use instead of Kerberos. Fixes https://fedorahosted.org/freeipa/ticket/4046
* Remove unused method get_api of the ldap2 plugin.Jan Cholasta2013-11-271-3/+0
| | | | https://fedorahosted.org/freeipa/ticket/3971
* Refactor indirect membership processing.Jan Cholasta2013-11-271-182/+67
| | | | | | A single LDAP search is now used instead of one search per member. https://fedorahosted.org/freeipa/ticket/3971
* Support searches with paged results control in LDAPClient.Jan Cholasta2013-11-271-2/+2
| | | | https://fedorahosted.org/freeipa/ticket/3971
* Move IPA specific code from LDAPClient to the ldap2 plugin.Jan Cholasta2013-11-271-0/+204
| | | | https://fedorahosted.org/freeipa/ticket/3971
* Add server/protocol type to rpcserver logsPetr Viktorin2013-11-261-4/+17
| | | | | | Add the server class name, such as [xmlserver] or [jsonserver_kerb] to the server logs. This will allow easier debugging of problems specific to a protocol or server class.
* Make jsonserver_kerb start a cookie-based sessionPetr Viktorin2013-11-261-1/+10
| | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/3299
* Switch client to JSON-RPCPetr Viktorin2013-11-262-104/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | Modify ipalib.rpc to support JSON-RPC in addition to XML-RPC. This is done by subclassing and extending xmlrpclib, because our existing code relies on xmlrpclib internals. The URI to use is given in the new jsonrpc_uri env variable. When it is not given, it is generated from xmlrpc_uri by replacing /xml with /json. The rpc_json_uri env variable existed before, but was unused, undocumented and not set the install scripts. This patch removes it in favor of jsonrpc_uri (for consistency with xmlrpc_uri). Add the rpc_protocol env variable to control the protocol IPA uses. rpc_protocol defaults to 'jsonrpc', but may be changed to 'xmlrpc'. Make backend.Executioner and tests use the backend specified by rpc_protocol. For compatibility with unwrap_xml, decoding JSON now gives tuples instead of lists. Design: http://freeipa.org/page/V3/JSON-RPC Ticket: https://fedorahosted.org/freeipa/ticket/3299
* trusts: Always stop and disable smb service on uninstallTomas Babej2013-11-261-8/+7
| | | | https://fedorahosted.org/freeipa/ticket/4042
* Remove mod_ssl port workaround.Jan Cholasta2013-11-261-9/+8
| | | | https://fedorahosted.org/freeipa/ticket/4021
* Add formerly update-only schemaPetr Viktorin2013-11-181-1/+3
| | | | | | Some schema was only delivered in updates. Add it back as ldif files. https://fedorahosted.org/freeipa/ticket/3454
* Remove schema special-casing from the LDAP updaterPetr Viktorin2013-11-181-111/+4
| | | | | | | Now that there's a dedicated schema updater, we do not need the code in ldapupdate. https://fedorahosted.org/freeipa/ticket/3454
* Add schema updater based on IPA schema filesPetr Viktorin2013-11-183-5/+174
| | | | | | | | | | | | The new updater is run as part of `ipa-ldap-updater --upgrade` and `ipa-ldap-updater --schema` (--schema is a new option). The --schema-file option to ipa-ldap-updater may be used (multiple times) to select a non-default set of schema files to update against. The updater adds an X-ORIGIN tag with the current IPA version to all elements it adds or modifies. https://fedorahosted.org/freeipa/ticket/3454
generated by cgit (git 2.34.1) at 2025-06-08 15:16:51 +0000