summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Become IPA v2.2.0 alpha 2 (2.1.90.pre2)alpha_2-2-1-90Rob Crittenden2012-02-151-1/+1
|
* Set min for 389-ds-base to 1.2.10.1-1 to fix install segfault, schema ↵Rob Crittenden2012-02-151-1/+5
| | | | | | replication. https://fedorahosted.org/freeipa/ticket/2118
* Use FQDN in place of FQHN for consistency in sub_dict.Rob Crittenden2012-02-154-7/+7
| | | | | | | For some reason lost to history the sub_dict in dsinstance and cainstance used FQHN instead of FQDN. This made upgrade scripts not work reliably as the variable might be different depending on context. Use FQDN universally instead.
* Configure ipa_memcached when a replica is installed.Rob Crittenden2012-02-161-0/+4
| | | | https://fedorahosted.org/freeipa/ticket/2401
* Enable ipa_memcached when upgradingRob Crittenden2012-02-164-9/+41
| | | | | | | | | | Add support for autobind to services. This is a bit of a special case so I currently require the caller to specify ldapi separately. It only makes sense to do this only in upgrade cases. Also uninstall ipa_memcached when uninstalling the server. https://fedorahosted.org/freeipa/ticket/2399
* ipa-kdb: set krblastpwdchange only when keys have been effectively changedSimo Sorce2012-02-151-2/+4
|
* ipa-kdb: Avoid lookup on modify if possibleSimo Sorce2012-02-151-19/+27
| | | | This avoids one useless search if we already have the entry_dn.
* Disable false pylint error in freeipa-systemd-upgradeRob Crittenden2012-02-151-1/+1
|
* Add S4U2Proxy delegation permissions on upgradesRob Crittenden2012-02-151-0/+6
| | | | https://fedorahosted.org/freeipa/ticket/2396
* Remove Apache ccache on upgrade.Rob Crittenden2012-02-152-0/+7
| | | | | | | Make this removal a common function that can be shared between installer and upgrade tool. https://fedorahosted.org/freeipa/ticket/2395
* Correct update syntax in 30-s4u2proxy.updateRob Crittenden2012-02-152-7/+7
| | | | | | | Always have FQDN available in the update dictionary. There were cases where it would contain the ldapi socket path and not the FQDN. https://fedorahosted.org/freeipa/ticket/2147
* Update S4U2proxy delegation list when creating replicasRob Crittenden2012-02-154-1/+15
|
* Don't set delegation flag in client, we're using S4U2Proxy nowRob Crittenden2012-02-157-18/+34
| | | | | | | | | | | | A forwardable ticket is still required but we no longer need to send the TGT to the IPA server. A new flag, --delegate, is available if the old behavior is required. Set the minimum n-v-r for mod_auth_kerb and krb5-server to pick up needed patches for S4U2Proxy to work. https://fedorahosted.org/freeipa/ticket/1098 https://fedorahosted.org/freeipa/ticket/2246
* Stop and uninstall ipa_kpasswd on upgrade, fix dbmodules in krb5.confRob Crittenden2012-02-152-1/+76
| | | | | | | | | | | The ipa_kpasswd service was deprecated in 2.2, replaced by kadmin. On upgrade it will be left running by the previous installation, we need to stop it and uninstall the service. The dbmodules section needs to reflect that we're now using the new IPA kdb backend instead of the standard MIT ldap backend. https://fedorahosted.org/freeipa/ticket/2341
* Add update file for new schema in v2.2/3.0Rob Crittenden2012-02-152-0/+7
| | | | https://fedorahosted.org/freeipa/ticket/2147
* Add update files for SELinuxUserMapRob Crittenden2012-02-153-2/+53
| | | | https://fedorahosted.org/freeipa/ticket/2344
* Redirection to PTR records from A,AAAA recordsPetr Voborník2012-02-153-2/+255
| | | | | | | | | | | | | | | | | | | Address column in A, AAAA DNS records was exented of redirection capabilities. Redirection dialog is shown after a click on a value. Dialog does following steps: 1) fetch all dns zones 2) find most accurate reverse zone for IP address 2 -fail) show error message, stop 3) checks if target record exists in the zone 3 -fail) show 'dns record create link', stop 4) redirects Click on 'dns record create link': 1) creates record 1 -fail) show error, stop 2) redirects https://fedorahosted.org/freeipa/ticket/1975
* UI support for ssh keysPetr Voborník2012-02-1515-26/+369
| | | | | | | | To user and host details pages was added ipasshpubkey attribute. New widget for ssh public keys was created. https://fedorahosted.org/freeipa/ticket/2340
* ipa-kdb: add AS auditing supportSimo Sorce2012-02-148-91/+257
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/2334
* Don't use sets when calculating the modlist so order is preserved.Rob Crittenden2012-02-131-4/+5
| | | | | | | | | | | | This is for the LDAP updater in particular. When adding new schema order can be important when one objectclass depends on another via SUP. This calculation will preserve the order of changes in the update file. Discovered trying to add SSH schema. https://fedorahosted.org/freeipa/ticket/754
* Move the compat module from ipalib to ipapython.Jan Cholasta2012-02-135-4/+4
| | | | | | Fixes import problems trying to import just ipalib/compat.py. https://fedorahosted.org/freeipa/ticket/754
* Add SSH service to platform-specific services.Jan Cholasta2012-02-133-4/+23
| | | | | | | | Add method for getting configuration directory path of a service, so that a different SSH configuration directory can be specified on different platforms. https://fedorahosted.org/freeipa/ticket/754
* Base64-decode unicode values in Bytes parameters.Jan Cholasta2012-02-133-9/+19
| | | | | | | | | | | Fix wrong handling of strings in --setattr/--addattr/--delattr. These changes make it possible to use Bytes in --setattr/--addattr/ --delattr without errors. Fixes managing SSH keys on command-line https://fedorahosted.org/freeipa/ticket/754
* Configure ssh and sshd during ipa-client-install.Jan Cholasta2012-02-136-0/+142
| | | | | | | | | | | For ssh, VerifyHostKeyDNS option is set to 'yes' if --ssh-trust-dns ipa-client-install option is used. For sshd, KerberosAuthentication, GSSAPIAuthentication and UsePAM options are enabled (this can be disabled using --no-sshd ipa-client-install option). ticket 1634
* Update host SSH public keys on the server during client install.Jan Cholasta2012-02-137-3/+86
| | | | | | | | This is done by calling host-mod to update the keys on IPA server and nsupdate to update DNS SSHFP records. DNS update can be disabled using --no-dns-sshfp ipa-client-install option. https://fedorahosted.org/freeipa/ticket/1634
* Move the nsupdate functionality to separate function in ipa-client-install.Jan Cholasta2012-02-131-18/+26
| | | | | | Done as part of adding SSH support. https://fedorahosted.org/freeipa/ticket/1634
* Add API initialization to ipa-client-install.Jan Cholasta2012-02-132-10/+30
| | | | | | | | This change makes it possible to call IPA commands from ipa-client-install. Done to support adding SSH host keys to DNS. https://fedorahosted.org/freeipa/ticket/1634
* Add support for SSH public keys to user and host objects.Jan Cholasta2012-02-138-35/+192
| | | | | | | | | | | This patch adds a new multivalue param "sshpubkey" for specifying SSH public keys to both user and host objects. The accepted value is base64-encoded public key blob as specified in RFC4253, section 6.6. Additionaly, host commands automatically update DNS SSHFP records when requested by user. https://fedorahosted.org/freeipa/ticket/754
* Add LDAP ACIs for SSH public key schema.Jan Cholasta2012-02-134-0/+52
| | | | https://fedorahosted.org/freeipa/ticket/754
* Add LDAP schema for SSH public keys.Jan Cholasta2012-02-135-0/+29
| | | | https://fedorahosted.org/freeipa/ticket/754
* Internationalization for HBAC and ipalib.outputPetr Viktorin2012-02-143-13/+13
| | | | | | | | | | | * hbacrule: Internationalize HBAC rule "all" category exceptions https://fedorahosted.org/freeipa/ticket/2267 * hbactest: Use internationalized names (doc) instead of names for output items Also don't convert result to bool, `not` does it implicitly * ipalib.output: Internationalize descriptions of some standard entries
* Removed question marks from field labelsPetr Voborník2012-02-142-4/+4
| | | | | | | In user group adder dialog, the "Is this a POSIX group?" was replaced with "POSIX group". In host search facet, the "Enrolled?" was replaced with "Enrolled". https://fedorahosted.org/freeipa/ticket/2353
* Fixed entity link disablingPetr Vobornik2012-02-141-2/+6
| | | | | | | | | | Problem: Entity link (eg: to hosts in dns record or to dns record in host) is not changing its state when linked record doesn't exist. The link can remain wrongly enabled from previous state. Fixed: The link is disabled when target doesn't exist. https://fedorahosted.org/freeipa/ticket/2364
* Add Petr Viktorín to Contributors.txtMartin Kosek2012-02-101-0/+1
|
* Clean up i18n stringsPetr Viktorin2012-02-105-19/+21
| | | | | | | | | | | This patch switches to named ("%(name)s") instead of positional ("%s") substitutions for internationalized strings, so translators can reorder the words. This fixes https://fedorahosted.org/freeipa/ticket/2179 (xgettext no longer gives warnings). Also, some i18n calls are rewritten to translate the template before substitutions, not after.
* Fixed ipa.js for sessions.Endi S. Dewata2012-02-091-8/+9
| | | | | | | | | | The patch fixes a problem in error_handler_login() when it gets an error other than 401. The login_url is not needed for fixtures because it does not need authentication. The patch also fixes jslint warnings and formatting issues.
* add session manager and cache krb authJohn Dennis2012-02-0912-31/+1843
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds a session manager and support for caching authentication in the session. Major elements of the patch are: * Add a session manager to support cookie based sessions which stores session data in a memcached entry. * Add ipalib/krb_utils.py which contains functions to parse ccache names, format principals, format KRB timestamps, and a KRB_CCache class which reads ccache entry and allows one to extract information such as the principal, credentials, credential timestamps, etc. * Move krb constants defined in ipalib/rpc.py to ipa_krb_utils.py so that all kerberos items are co-located. * Modify javascript in ipa.js so that the IPA.command() RPC call checks for authentication needed error response and if it receives it sends a GET request to /ipa/login URL to refresh credentials. * Add session_auth_duration config item to constants.py, used to configure how long a session remains valid. * Add parse_time_duration utility to ipalib/util.py. Used to parse the session_auth_duration config item. * Update the default.conf.5 man page to document session_auth_duration config item (also added documentation for log_manager config items which had been inadvertantly omitted from a previous commit). * Add SessionError object to ipalib/errors.py * Move Kerberos protection in Apache config from /ipa to /ipa/xml and /ipa/login * Add SessionCCache class to session.py to manage temporary Kerberos ccache file in effect for the duration of an RPC command. * Adds a krblogin plugin used to implement the /ipa/login handler. login handler sets the session expiration time, currently 60 minutes or the expiration of the TGT, whichever is shorter. It also copies the ccache provied by mod_auth_kerb into the session data. The json handler will later extract and validate the ccache belonging to the session. * Refactored the WSGI handlers so that json and xlmrpc could have independent behavior, this also moves where create and destroy context occurs, now done in the individual handler rather than the parent class. * The json handler now looks up the session data, validates the ccache bound to the session, if it's expired replies with authenicated needed error. * Add documentation to session.py. Fully documents the entire process, got questions, read the doc. * Add exclusions to make-lint as needed.
* Add ipa_memcached serviceJohn Dennis2012-02-098-0/+189
| | | | | | | | | | | | | | | | | | | | | | | * Adds ipa_memcached SystemV initscript * Adds ipa_memcached service file and tmpfiles.d/ipa.conf to recreate /var/run/ipa_memcached on reboot. * Adds ipa_memcached config file * Adds memcacheinstnace.py to manage ipa_memcaced as as SimpleService object. * Updates the IPA service list to include ipa_memcached, at service positon 39, httpd is position 40 * Updates the spec file: - requires the memcached daemon and python client - installs service or initscripts depending on OS - installs config file - creates /var/run/ipa_memcached directory * Modifies ipa-server-install to install ipa_memcached
* Adopt to python-ldap 2.4.6 by removing unused references which are not ↵Alexander Bokovoy2012-02-081-1/+1
| | | | available in python-ldap anymore
* Handle upgrade issues with systemd in Fedora 16 and aboveAlexander Bokovoy2012-02-083-21/+113
| | | | | | | | | | | | Since 389-ds-base-1.2.10-0.8.a7 Directory Server's systemd settings are configured via /etc/sysconfig/dirsrv.systemd. It means logic change in systemd/fedora16 platform of FreeIPA. Additionally, existing installs need to be handled during upgrade. Fixes: https://fedorahosted.org/freeipa/ticket/2117 https://fedorahosted.org/freeipa/ticket/2300
* Add management of inifiles to allow manipulation of systemd unitsAlexander Bokovoy2012-02-081-1/+99
| | | | | | | | | | | inifile_replace_variables() works similar to config_replace_variables() but allows to apply changes to specific section of an inifile. Inifiles are commonly used by freedesktop.org software and particularly used by systemd. When modifying inifile, all changes will be applied to specific section. Also fixes corner case in config_replace_variables() which would dublicate variables when adding them.
* Honor default home directory and login shell in user_addPetr Viktorin2012-02-093-13/+140
| | | | | | | | | | | | | | | | The homedirectory argument had a default_from '/home/<name>', ignoring the ipahomesrootdir config setting. This patch removes that default, and adds a test case for ipahomesrootdir. https://fedorahosted.org/freeipa/ticket/2332 The login shell had the same problem. Again this patch removes the client-side default and adds a test. Building the home directory from the default is changed to use posixpath.join instead of string formatting and ad-hoc cleanup, and to use '/home' instead of failing when the ipahomesrootdir setting is not present for some reason.
* Make ipaconfigstring modifiable by users.Rob Crittenden2012-02-093-6/+9
| | | | | | | | | | | Convert from a freeform string into a enumeration. Only values currently allowed are AllowLMhash and AllowNThash. To add more than one value on the command-line either specify --ipaconfigstring multiple times or add the values comma-separated. https://fedorahosted.org/freeipa/ticket/1433
* Memberof attribute control and updateOndrej Hamada2012-02-083-15/+90
| | | | | | | | | | | | | | | Checking of parameters used by _make_aci funcion was rewritten. Additional attributes of ACI(type, attribute, memberof, targetgroup, subtree, filter) could be unset. Permission plugin now allows to unset memberof value. https://fedorahosted.org/freeipa/ticket/2255 Added checking of existence of groups that are specified in permission and delegation module. https://fedorahosted.org/freeipa/ticket/2286 https://fedorahosted.org/freeipa/ticket/2305
* Consolidate external member code into two functions in baseldap.pyRob Crittenden2012-02-085-283/+95
| | | | | | | | | | External members (users and hosts) are assumed when doing member management on certain attributes. If the member isn't in IPA it is assumed to be external. When doing member management we need to sift through the list of failures and pull out all those that were simply not found in IPA. https://fedorahosted.org/freeipa/ticket/1734
* ignore generated services file.Adam Young2012-02-071-1/+1
|
* Remove delegation from browser configAdam Young2012-02-071-1/+0
|
* Remove unused options from ipa-managed-entriesMartin Kosek2012-02-071-3/+0
| | | | | | | ipa-managed-entries contain auto-generated options that are not used in the script and may just confuse users. Remove them. https://fedorahosted.org/freeipa/ticket/2347
* Fix/add options in ipa-managed-entries man pagePetr Viktorin2012-02-071-2/+5
| | | | | | | * The --entry option was wrongly listed as --entries; fix that. https://fedorahosted.org/freeipa/ticket/2277 * Add the --help option
* Automember UI - Fixed I18n labelsPetr Voborník2012-02-074-19/+49
| | | | | | | Hard-coded labels in Automember UI have been moved into internal.py to allow translation. https://fedorahosted.org/freeipa/ticket/2195
generated by cgit (git 2.34.1) at 2024-06-07 04:57:36 +0000