summaryrefslogtreecommitdiffstats
path: root/ipaserver
Commit message (Collapse)AuthorAgeFilesLines
* Stop saving the master key in a stash fileSimo Sorce2014-12-111-26/+0
| | | | | | | | This hasn't been used for a number of releases now, as ipa-kdb directly fetches the key via LDAP. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Refer the user to freeipa.org when something goes wrong in ipa-cacert-manageJan Cholasta2014-12-101-5/+18
| | | | | | | https://fedorahosted.org/freeipa/ticket/4781 Reviewed-By: Martin Kosek <mkosek@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
* Check subject name encoding in ipa-cacert-manage renewJan Cholasta2014-12-101-2/+5
| | | | | | https://fedorahosted.org/freeipa/ticket/4781 Reviewed-By: David Kupka <dkupka@redhat.com>
* Remove usage of app_PYTHON in ipaserver MakefilesGabe2014-12-102-51/+0
| | | | | | | | - Remove ChangeLog from ipa-client/Makefile.am https://fedorahosted.org/freeipa/ticket/4700 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Improve validation of --instance and --backend options in ipa-restoreJan Cholasta2014-12-092-30/+45
| | | | | | https://fedorahosted.org/freeipa/ticket/4744 Reviewed-By: David Kupka <dkupka@redhat.com>
* certs: Fix incorrect flag handling in load_cacertTomas Babej2014-12-022-5/+3
| | | | | | | | | | | | | For CA certificates that are not certificates of IPA CA, we incorrectly set the trust flags to ",,", regardless what the actual trust_flags parameter was passed. Make the load_cacert method respect trust_flags and make it a required argument. https://fedorahosted.org/freeipa/ticket/4779 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Update default NTP configurationGabe2014-12-021-1/+2
| | | | | | | | | - Add in missing 4th default ntp server - Add iburst to configuration https://fedorahosted.org/freeipa/ticket/4583 Reviewed-By: David Kupka <dkupka@redhat.com>
* Use singular in help metavars + update man pages.David Kupka2014-11-261-4/+4
| | | | | | https://fedorahosted.org/freeipa/ticket/4695 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fix zonemgr option encoding detectionMartin Basti2014-11-251-1/+4
| | | | | Ticket: https://fedorahosted.org/freeipa/ticket/4766 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Add TLS 1.2 to the protocol list in mod_nss configJan Cholasta2014-11-251-3/+4
| | | | | | https://fedorahosted.org/freeipa/ticket/4653 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* AD trust: improve trust validationAlexander Bokovoy2014-11-251-3/+16
| | | | | | | | | | | | | | | Trust validation requires AD DC to contact IPA server to verify that trust account actually works. It can fail due to DNS or firewall issue or if AD DC was able to resolve IPA master(s) via SRV records, it still may contact a replica that has no trust data replicated yet. In case AD DC still returns 'access denied', wait 5 seconds and try validation again. Repeat validation until we hit a limit of 10 attempts, at which point raise exception telling what's happening. https://fedorahosted.org/freeipa/ticket/4764 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Fix detection of encoding in zonemgr optionMartin Basti2014-11-241-7/+8
| | | | | Ticket: https://fedorahosted.org/freeipa/ticket/4762 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Stop tracking certificates before restoring them in ipa-restoreJan Cholasta2014-11-211-2/+10
| | | | | | https://fedorahosted.org/freeipa/ticket/4727 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* ipa-restore: Check if directory is provided + better errors.David Kupka2014-11-211-4/+10
| | | | | | https://fedorahosted.org/freeipa/ticket/4683 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Use correct service name in cainstance.backup_configJan Cholasta2014-11-211-1/+2
| | | | | | https://fedorahosted.org/freeipa/ticket/4754 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* dogtag plugin: Don't use doctest syntax for non-doctest examplesPetr Viktorin2014-11-211-8/+8
| | | | | | https://fedorahosted.org/freeipa/ticket/4610 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Fix: read_ip_addresses should return ipaddr objectMartin Basti2014-11-211-1/+1
| | | | | | | | Interactive prompt callback returns list of str instead of CheckedIPAddress instances. Ticket: https://fedorahosted.org/freeipa/ticket/4747 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* restore: clear httpd ccache after restorePetr Vobornik2014-11-201-0/+2
| | | | | | | | | | so that httpd ccache won't contain old credentials which would make ipa CLI fail with error: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Decrypt integrity check failed) https://fedorahosted.org/freeipa/ticket/4726 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Restore file extended attributes and SELinux context in ipa-restoreJan Cholasta2014-11-201-0/+4
| | | | | | https://fedorahosted.org/freeipa/ticket/4712 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Enable QR code display by default in otptoken-addNathaniel McCallum2014-11-191-1/+1
| | | | | | | | | | This is possible because python-qrcode's output now fits in a standard terminal. Also, update ipa-otp-import and otptoken-add-yubikey to disable QR code output as it doesn't make sense in these contexts. https://fedorahosted.org/freeipa/ticket/4703 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Fix: zonemgr must be unicode valueMartin Basti2014-11-191-0/+2
| | | | | | | | To support IDNA --zonemgr option must be unicode not ascii https://fedorahosted.org/freeipa/ticket/4724 Reviewed-By: David Kupka <dkupka@redhat.com>
* Fix named working directory permissionsMartin Basti2014-11-181-6/+30
| | | | | | | | Just adding dir to specfile doesnt work, because is not guarantee the named is installed, during RPM installation. Ticket: https://fedorahosted.org/freeipa/ticket/4716 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Fix upgrade referint pluginMartin Basti2014-11-132-0/+91
| | | | | | | | Mixing 'Old' and 'New' attr style for referential integrity plugin causes errors. Now old setting are migrated to new style setting before upgrade Ticket: https://fedorahosted.org/freeipa/ticket/4622 Reviewed-By: David Kupka <dkupka@redhat.com>
* Fix: DNS policy upgrade raises asertion errorMartin Basti2014-11-131-1/+3
| | | | | Ticket: https://fedorahosted.org/freeipa/ticket/4708 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Fix: DNS installer adds invalid zonemgr emailMartin Basti2014-11-131-1/+1
| | | | | | | | Installer adds zonemgr as relative (and invalid) address. This fix force installer to use absolute email. Ticket: https://fedorahosted.org/freeipa/ticket/4707 Reviewed-By: David Kupka <dkupka@redhat.com>
* Fix CA certificate backup and restoreJan Cholasta2014-11-112-1/+36
| | | | | | | | | | Backup and restore /etc/pki/ca-trust/source/ipa.p11-kit. Create /etc/ipa/nssdb after restore if necessary. https://fedorahosted.org/freeipa/ticket/4711 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ldapupdater: set baserid to 0 for ipa-ad-trust-posix rangesPetr Vobornik2014-11-111-1/+68
| | | | | | | | New updater plugin which sets baserid to 0 for ranges with type ipa-ad-trust-posix https://fedorahosted.org/freeipa/ticket/4221 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipa-restore: Don't crash if AD trust is not installedPetr Viktorin2014-11-111-2/+11
| | | | | | https://fedorahosted.org/freeipa/ticket/4668 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Fix upgrade: do not use invalid ldap connectionMartin Basti2014-11-062-0/+9
| | | | | Ticket: https://fedorahosted.org/freeipa/ticket/4670 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Fail if certmonger can't see new CA certificate in LDAP in ipa-cacert-manageJan Cholasta2014-11-051-1/+2
| | | | | | | | | This should not normally happen, but if it does, report an error instead of waiting idefinitely for the certificate to appear. https://fedorahosted.org/freeipa/ticket/4629 Reviewed-By: David Kupka <dkupka@redhat.com>
* Respect UID and GID soft static allocation.David Kupka2014-11-053-44/+2
| | | | | | | | https://fedoraproject.org/wiki/Packaging:UsersAndGroups?rd=Packaging/UsersAndGroups#Soft_static_allocation https://fedorahosted.org/freeipa/ticket/4585 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fixed KRA backend.Endi S. Dewata2014-11-044-116/+96
| | | | | | | | | | | | | | | | | | | | | | | | | | | The KRA backend has been simplified since most of the tasks have been moved somewhere else. The transport certificate will be installed on the client, and it is not needed by KRA backend. The KRA agent's PEM certificate is now generated during installation due to permission issue. The kra_host() for now is removed since the current ldap_enable() cannot register the KRA service, so it is using the kra_host environment variable. The KRA installer has been modified to use Dogtag's CLI to create KRA agent and setup the client authentication. The proxy settings have been updated to include KRA's URLs. Some constants have been renamed for clarity. The DOGTAG_AGENT_P12 has been renamed to DOGTAG_ADMIN_P12 since file actually contains the Dogtag admin's certificate and private key and it can be used to access both CA and KRA. The DOGTAG_AGENT_PEM has been renamed to KRA_AGENT_PEM since it can only be used for KRA. The Dogtag dependency has been updated to 10.2.1-0.1. https://fedorahosted.org/freeipa/ticket/4503 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Remove trivial path constants from modulesGabe2014-11-045-17/+10
| | | | | | https://fedorahosted.org/freeipa/ticket/4399 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* fix forwarder validation errorsMartin Basti2014-10-211-2/+4
| | | | | | Fix tests, validation in dnsconfig mod, wuser warning Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Default to use TLSv1.0 and TLSv1.1 on the IPA server sideAlexander Bokovoy2014-10-211-0/+4
| | | | | | | | We only will be changing the setting on the install. For modifying existing configurations please follow instructions at https://access.redhat.com/solutions/1232413 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* fix DNSSEC restore named stateMartin Basti2014-10-211-2/+2
| | | | Reviewed-By: Petr Spacek <pspacek@redhat.com>
* updater: enable uid uniqueness plugin for posixAccountsAlexander Bokovoy2014-10-212-0/+116
| | | | | | https://fedorahosted.org/freeipa/ticket/4636 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* DNSSEC: add files to backupMartin Basti2014-10-211-0/+11
| | | | | | | | | | | | Tickets: https://fedorahosted.org/freeipa/ticket/3801 https://fedorahosted.org/freeipa/ticket/4417 Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
* DNSSEC: modify named service to support dnssecMartin Basti2014-10-211-11/+51
| | | | | | | | | | | | Tickets: https://fedorahosted.org/freeipa/ticket/3801 https://fedorahosted.org/freeipa/ticket/4417 Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
* DNSSEC: validate forwardersMartin Basti2014-10-211-2/+29
| | | | | | | | | | | | Tickets: https://fedorahosted.org/freeipa/ticket/3801 https://fedorahosted.org/freeipa/ticket/4417 Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
* DNSSEC: platform paths and servicesMartin Basti2014-10-211-0/+3
| | | | | | | | | | | | Tickets: https://fedorahosted.org/freeipa/ticket/3801 https://fedorahosted.org/freeipa/ticket/4417 Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
* DNSSEC: opendnssec servicesMartin Basti2014-10-212-0/+478
| | | | | | | | | | | | Tickets: https://fedorahosted.org/freeipa/ticket/3801 https://fedorahosted.org/freeipa/ticket/4417 Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
* DNSSEC: DNS key synchronization daemonMartin Basti2014-10-212-1/+485
| | | | | | | | | | | | Tickets: https://fedorahosted.org/freeipa/ticket/3801 https://fedorahosted.org/freeipa/ticket/4417 Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
* DNSSEC: schemaMartin Basti2014-10-211-0/+1
| | | | | | | | | | | | Tickets: https://fedorahosted.org/freeipa/ticket/3801 https://fedorahosted.org/freeipa/ticket/4417 Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
* Add mask, unmask methods for serviceMartin Basti2014-10-211-0/+9
| | | | | | | This patch allows mask and unmask services in IPA Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
* Support idviews in compat treeAlexander Bokovoy2014-10-201-0/+11
| | | | Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Configure IPA OTP Last Token plugin on upgradeNathaniel McCallum2014-10-201-4/+0
| | | | Reviewed-By: Martin Kosek <mkosek@redhat.com>
* dns: fix privileges' memberof during dns installPetr Vobornik2014-10-171-0/+30
| | | | | | | | | | Permissions with member attrs pointing to privileges are created before the privileges. Run memberof plugin task to fix other ends of the relationships. https://fedorahosted.org/freeipa/ticket/4637 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Check LDAP instead of local configuration to see if IPA CA is enabledJan Cholasta2014-10-174-23/+31
| | | | | | | | The check is done using a new hidden command ca_is_enabled. https://fedorahosted.org/freeipa/ticket/4621 Reviewed-By: David Kupka <dkupka@redhat.com>
* Stop dogtag when updating its configuration in ipa-upgradeconfig.David Kupka2014-10-151-0/+3
| | | | | | | | | Modifying CS.cfg when dogtag is running may (and does) result in corrupting this file. https://fedorahosted.org/freeipa/ticket/4569 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
generated by cgit (git 2.34.1) at 2025-09-01 14:03:45 +0000