summaryrefslogtreecommitdiffstats
path: root/ipaserver
Commit message (Collapse)AuthorAgeFilesLines
...
* Fix replica install with CAMartin Basti2016-06-301-10/+0
| | | | | | | | The incorrect api was used, and CA record updated was duplicated. https://fedorahosted.org/freeipa/ticket/5966 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* replica install: don't allow install against a newer serverJan Cholasta2016-06-301-2/+26
| | | | | | | | | If the version of the remote server is higher than the local version, don't allow installing a replica of it. https://fedorahosted.org/freeipa/ticket/5983 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* backup: use in-server API in ipa-backup and ipa-restoreJan Cholasta2016-06-302-2/+2
| | | | | | | | | Use in-server API so that the commands don't try to fetch API schema and fail. https://fedorahosted.org/freeipa/ticket/5995 Reviewed-By: Milan Kubik <mkubik@redhat.com>
* Add button for dns_update_system_records commandPavel Vomacka2016-06-291-0/+3
| | | | | | | Part of: https://fedorahosted.org/freeipa/ticket/5905 Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Do not allow installation in FIPS modeFlorence Blanc-Renaud2016-06-292-1/+10
| | | | | | | https://fedorahosted.org/freeipa/ticket/5761 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Add certificate widgetPavel Vomacka2016-06-291-0/+6
| | | | | | | | | | The certificate widget is used for each certificate in certs_widget. It allows to view, get, download, revoke and restore certificate. https://fedorahosted.org/freeipa/ticket/5108 https://fedorahosted.org/freeipa/ticket/5381 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Add widget for showing multiple certificatesPavel Vomacka2016-06-291-0/+1
| | | | | | | | | | Certs widget is based on multivalued widget and adds ability to add new certificate and delete it. Each line is cert_widget. https://fedorahosted.org/freeipa/ticket/5108 https://fedorahosted.org/freeipa/ticket/5381 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Refactored certificate view and remove hold dialogPavel Vomacka2016-06-291-0/+1
| | | | | | | | | Removed old layout created using html tables. Now table layout is made by div and modern css styling. https://fedorahosted.org/freeipa/ticket/5381 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* DNS: Remove unnecessary DNS check from installerPetr Spacek2016-06-291-9/+1
| | | | | | | | | | | | | | Previously we were checking content of DNS before actually adding DNS records for replicas. This is causing cycle in logic and adds weird corner cases to the installer which can blow up on DNS timeout or so. The check was completely unnecessary because the installer knows IP addresses and name of the machine. Removal of the check makes the installer more reliable. https://fedorahosted.org/freeipa/ticket/5962 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Use NSS for name->resolution in IPA installerPetr Spacek2016-06-292-5/+42
| | | | | | | | | | | | This fixes scenarios where IPA server is not able to resolve own name and option --ip-address was not specified by the user. This partially reverts changes from commit dc405005f537cf278fd6ddfe6b87060bd13d9a67 https://fedorahosted.org/freeipa/ticket/5962 Reviewed-By: Martin Basti <mbasti@redhat.com>
* The LDAP*ReverseMember shouldn't imply --all is always specifiedStanislav Laznicka2016-06-291-2/+2
| | | | | | | | | | | The LDAP*ReverseMember methods would always return the whole LDAP object even though --all is not specified. Also had to fix some tests as objectClass will not be returned by default now. https://fedorahosted.org/freeipa/ticket/5892 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Revert "Removed dead code from LDAP{Remove,Add}ReverseMember"Stanislav Laznicka2016-06-291-0/+16
| | | | | | | | | While the code was really dead, it should serve a purpose elsewhere. This reverts commit c56d65b064e1e0410c03cf1206816cad4d8d86cc. https://fedorahosted.org/freeipa/ticket/5892 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* cert-find: fix 'issuer' optionFraser Tweedale2016-06-291-0/+2
| | | | | | | | | | | | | The 'issuer' option of cert-find was recently changed from Str to DNParam, however, 'ra.find' expects a string and throws when it receives a DN. When constructing the dict that gets passed to 'ra.find', turn DNParams into strings. Part of: https://fedorahosted.org/freeipa/ticket/5381 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Update lightweight CA serial after renewalFraser Tweedale2016-06-291-18/+71
| | | | | | | | | | | | | | | For CA replicas to pick up renewed lightweight CA signing certificates, the authoritySerial attribute can be updated with the new serial number. Update the renew_ca_cert script, which is executed by Certmonger after writing a renewed CA certificate to the NSSDB, to update the authoritySerial attribute if the certificate belongs to a lightweight CA. Part of: https://fedorahosted.org/freeipa/ticket/4559 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Skip CS.cfg update if cert nickname not knownFraser Tweedale2016-06-293-8/+9
| | | | | | | | | | | | After CA certificate renewal, the ``renew_ca_cert`` helper updates certificate data in CS.cfg. An unrecognised nickname will raise ``KeyError``. To allow the helper to be used for arbitrary certificates (e.g. lightweight CAs), do not fail if the nickname is unrecognised - just skip the update. Part of: https://fedorahosted.org/freeipa/ticket/4559 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Set default OCSP URI on install and upgradeFraser Tweedale2016-06-282-0/+27
| | | | | | | | | | | | | | Dogtag has been updated to support a default OCSP URI when the profile includes AuthInfoAccess with URI method but does not specify the URI (instead of constructing one based on Dogtag's hostname and port). Add the pkispawn config to ensure that the OCSP URI is set before issuing CA and system certificates, and add the config to existing CA instances on upgrade. Fixes: https://fedorahosted.org/freeipa/ticket/5956 Reviewed-By: Martin Basti <mbasti@redhat.com>
* CA replica promotion: add proper CA DNS recordsMartin Basti2016-06-282-6/+12
| | | | | | | | Update 'ipa-ca' records with A/AAAA records of the newly added replica https://fedorahosted.org/freeipa/ticket/5966 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* DNS Locations: cleanup of bininstanceMartin Basti2016-06-285-54/+30
| | | | | | | | | | | | | | | | We don't need anymore: * sample of zone file - list of all records required by IPa will be provided * NTP related params - DNS records will be updated automatically, based on LDAP values * CA related params - DNS records will be updated automatically based * on LDAP values https://fedorahosted.org/freeipa/ticket/2008 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* schema: support plugin versioningJan Cholasta2016-06-281-51/+92
| | | | | | | | Update API schema server and client code to support plugin versioning. https://fedorahosted.org/freeipa/ticket/4427 Reviewed-By: David Kupka <dkupka@redhat.com>
* plugable: support plugin versioningJan Cholasta2016-06-282-1/+8
| | | | | | | | | | | | | | Allow multiple incompatible versions of a plugin using the same name. The current plugins are assumed to be version '1'. The unique identifier of plugins was changed from plugin name to plugin name and version. By default, the highest version available at build time is used. If the plugin is an unknown remote plugin, version of '1' is used by default. https://fedorahosted.org/freeipa/ticket/4427 Reviewed-By: David Kupka <dkupka@redhat.com>
* plugable: use plugin class as the key in API namespacesJan Cholasta2016-06-281-1/+1
| | | | | | | | | When iterating over APINameSpace objects, use plugin class rather than its name as the key. https://fedorahosted.org/freeipa/ticket/4427 Reviewed-By: David Kupka <dkupka@redhat.com>
* misc: generate `plugins` result directly in the commandJan Cholasta2016-06-281-1/+8
| | | | | | | | | Move the code that generated result of the `plugins` command from API to the command itself. https://fedorahosted.org/freeipa/ticket/4427 Reviewed-By: David Kupka <dkupka@redhat.com>
* automember: fix automember to work with thin clientJan Cholasta2016-06-271-22/+27
| | | | | | | | | | | Properly mark `cn` as primary key of `automember` object. This fixes automember crashing on output validation expecting primary key value of None. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com>
* schema: do not crash in command_defaults if argument is NoneJan Cholasta2016-06-271-2/+2
| | | | | | https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com>
* schema: fix param default value handlingJan Cholasta2016-06-271-10/+13
| | | | | | | | | | | | Advertise param's default value even when `autofill` is False. When `autofill` is False, set `alwaysask` to True in the schema, as it is semantically equivallent and removes redundancy. This fixes default value disappearing in CLI for some params. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com>
* keep setting ipakrbprincipal objectclass on new service entriesMartin Babinsky2016-06-271-0/+9
| | | | | | | | | | | | | this is required for replica promotion to work, since the ACI allowing hosts to add their own services uses this objectclass as target filter. This partially reverts changes from commit 705f66f7490c64de1adc129221b31927616c485d https://fedorahosted.org/freeipa/ticket/5996 Reviewed-By: Petr Spacek <pspacek@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNS Locations: optimization: use server-find to get informationMartin Basti2016-06-271-6/+4
| | | | | | | | | | | Because separated calls for of server-show, getting server data is quite slow. This commit replaces several server-show with one server-find command. There are future plans to improve speed of server-find that will be beneficial for DNS locations. https://fedorahosted.org/freeipa/ticket/2008 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* DNS Locations: hide option --no-msdcs in adtrust-installMartin Basti2016-06-271-13/+8
| | | | | | | | | Since DNS location mechanism is active, this option has no effect, because records are generate dynamically. https://fedorahosted.org/freeipa/ticket/2008 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Revert "DNS Locations: do not generate location records for unused locations"Martin Basti2016-06-271-7/+4
| | | | | | | | | | | | | This reverts commit bbf8227e3fd678d4bd6659a12055ba3dbe1c8230. After deeper investigation, we found out that empty locations are needed for clients, because clients may have cached records for longer time for that particular location. Only way how to remove location is to remove it using location-del https://fedorahosted.org/freeipa/ticket/2008 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Fix IssuerDN presence check in cert search resultFraser Tweedale2016-06-271-1/+1
| | | | | | | | | | | When checking for presence of IssuerDN in certificate search result, we mistakenly check for the presence of the SubjectDN field, then unsafely index into the IssuerDN field. Check the presence of IssuerDN correctly. Part of: https://fedorahosted.org/freeipa/ticket/4559 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fix incorrect construction of service principal during replica cleanupMartin Babinsky2016-06-271-1/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/5985 Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNS Locations: server-mod: fix if statementMartin Basti2016-06-271-1/+1
| | | | | | | | | Statement used for detection if objeclass change is needed was logically wrong, this fixes it. https://fedorahosted.org/freeipa/ticket/2008 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* topo segment-add: validate that both masters support target suffixStanislav Laznicka2016-06-241-3/+24
| | | | | | | | | This patch removes the ability to add segment between hosts where either does not support the requested suffix. https://fedorahosted.org/freeipa/ticket/5967 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Fix topologysuffix-verify failing connectionsStanislav Laznicka2016-06-242-3/+5
| | | | | | | | | topologysuffix-verify would have checked connectivity even between hosts that are not managed by the given suffix. https://fedorahosted.org/freeipa/ticket/5967 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Server-del: fix system records removalMartin Basti2016-06-231-3/+3
| | | | | | | | | Services on replica to be removed must be deleted first, otherwise update of system records will not take this change into account https://fedorahosted.org/freeipa/ticket/2008 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* set krbcanonicalname on host entry during krbinstance configurationMartin Babinsky2016-06-231-0/+1
| | | | | | | part of https://fedorahosted.org/freeipa/ticket/3864 Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
* IPA API: set krbcanonicalname instead of ipakrbprincipalalias on new entitiesMartin Babinsky2016-06-234-8/+9
| | | | | | | | | | | Hosts, services, and (stage)-users will now have krbcanonicalname attribute set to the same value as krbprincipalname on creation. Moreover, new services will not have ipakrbprincipalalias set anymore. Part of https://fedorahosted.org/freeipa/ticket/3864 Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
* Report missing certificate in external trust chainFlorence Blanc-Renaud2016-06-231-2/+3
| | | | | | | | | | | | | When ipa-server-install is called with an external CA, but the cert chain is incomplete, the command exits with the following error: ERROR CA certificate chain in <list of --external-cert-file> is incomplete The fix adds in the log the name of the missing certificate: ERROR CA certificate chain in <list of --external-cert-file> is incomplete: missing certificate with subject '<dn of the missing certificate>' https://fedorahosted.org/freeipa/ticket/5792 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* host/service-show/find shouldn't fail on invalid certificateStanislav Laznicka2016-06-222-5/+60
| | | | | | | | | | | host/service-show/find methods would have failed if the first certificate they had in userCertificate attribute were invalid. Expected behavior is that they just show the rest of the reqested attributes. https://fedorahosted.org/freeipa/ticket/5797 Reviewed-By: Martin Basti <mbasti@redhat.com>
* server-del: harden check for last rolesMartin Babinsky2016-06-221-28/+34
| | | | | | | | | | | | | The current implementation of check for last CA/DNS server and DNSSec key master in `server-del` is quite fragile and wroks with quite a few assumptions which may not be always true (CA and DNS is always configured etc.). This patch hardens the check so that it does not break when the above assuptions do not hold. https://fedorahosted.org/freeipa/ticket/5960 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Replica promotion: use the correct IPA domain for replicaMartin Basti2016-06-211-0/+29
| | | | | | | | | | | | | | | | | | IPA domain is detected from LDAP for replica promote installation. If local domain and IPA domain does not match, installer refuses to install replica. IPA versions 4.3.0 and 4.3.1 allow to specify different domain for replica. Only one IPA domain is allowed (domain used with master) and different domain may cause issues. This commit prevents to install new replica if multiple domains was used in past. User action is required to fix this issue and remove incorrect IPA domains from LDAP. https://fedorahosted.org/freeipa/ticket/5976 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* schema: return fingerprint as unicode textDavid Kupka2016-06-211-1/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* schema: Cache schema in api instanceDavid Kupka2016-06-211-3/+11
| | | | | | | | | To avoid generating schema for every schema command call store schema in api instance when first generated and reuse it in next calls. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* schema: Add known_fingerprints option to schema commandDavid Kupka2016-06-211-0/+13
| | | | | | | | | | When client requests schema it can list fingerprints of cached schemas and server responds with SchemaUpToDate exception specifying fingeprint of schema to use. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* schema: Add fingerprint and TTLDavid Kupka2016-06-211-0/+36
| | | | | | | | | | Calculate fingerprint for schema in deterministic way. Send fingerprint value together with schema. Send TTL with schema to inform client about caching interval. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Add placeholder to add segment dialogPavel Vomacka2016-06-211-0/+1
| | | | | | | | 'Autogenerated' placeholder is shown when adding new segment. https://fedorahosted.org/freeipa/ticket/5867 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* DNS: Fix realm domains integration with DNS zone add.Petr Spacek2016-06-211-2/+1
| | | | | | | | | | | | Realmdomains integration into DNS commands pre-dates split of DNS forward zones and DNS master zones into two distinct commands. There was an forgotten condition in dnszone_add command which caused omission of DNS master zones with non-empty forwarders from realmdomain list. https://fedorahosted.org/freeipa/ticket/5980 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Do not update result of *-config-show with empty server attributesMartin Babinsky2016-06-211-3/+5
| | | | | | | | | | | | If a server attribute such as DNSSec Key master is unset, None is passed as the attribute value into the upper API layers and displayed in the output of `dnsconfig-show` et al. We should not show this and leave the attribute empty instead. https://fedorahosted.org/freeipa/ticket/5960 Reviewed-By: Pavel Vomacka <pvomacka@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
* dns: fix dns_update_system_records to work with thin clientJan Cholasta2016-06-211-8/+12
| | | | | | | https://fedorahosted.org/freeipa/ticket/2008 https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNS: Warn about restart when default TTL setting DNS is changedPetr Spacek2016-06-211-0/+13
| | | | | | | | | bind-dyndb-ldap 10.0 has to be restarted after each change to default TTL. https://fedorahosted.org/freeipa/ticket/2956 Reviewed-By: Martin Basti <mbasti@redhat.com>
generated by cgit (git 2.34.1) at 2025-08-31 22:23:37 +0000