Commit log: commit message, author, date, files changed, lines (-removed/+added)
* Become IPA 3.1.5 [release-3-1-5]
  Martin Kosek, 2013-06-03, 1 file, -0/+1
  NOTE: the "release-3-1-5" tag is going to be re-tagged to this commit due to a missing important fix for the IPA CLDAP responder (4f8cce7ba114cc13aceecfab3420c63cb26342fa).
* Fix cldap parser to work with a single equality filter (NtVer=...)
  Alexander Bokovoy, 2013-05-30, 1 file, -12/+14
  https://fedorahosted.org/freeipa/ticket/3639
* Become IPA 3.1.5
  Martin Kosek, 2013-05-28, 1 file, -1/+1
* CLDAP: Return empty reply on non-fatal errors
  Simo Sorce, 2013-05-28, 1 file, -6/+18
  Windows DCs return an empty reply when a legal request cannot be satisfied. If we get EINVAL or ENOENT it means the information requested could not be found or the input parameters were bogus. Always return an empty reply in these cases. On any other internal error just return; the request may have been legit but we can't really handle it right now, pretend we never saw it and hope the next attempt will succeed.
  Fixes: https://fedorahosted.org/freeipa/ticket/3639
  Signed-off-by: Simo Sorce <simo@redhat.com>
* CLDAP: Fix domain handling in netlogon requests
  Simo Sorce, 2013-05-28, 1 file, -28/+39
  1. Stop using getdomainname() as it is often not properly initialized.
  2. The code using getdomainname() was not working anyway: it was trying to look at the function call output in hostname, which is always empty at that point.
  3. Always check the requested domain matches our own; we cannot reply to anything else anyway.
  Pre-requisite to fix: https://fedorahosted.org/freeipa/ticket/3639
  Signed-off-by: Simo Sorce <simo@redhat.com>
* Remove leading zero from IPA_NUM_VERSION
  Petr Viktorin, 2013-05-14, 2 files, -1/+18
  The numeric IPA_NUM_VERSION contained a leading zero, so it was treated as an octal value in Python code instead of decimal.
  https://fedorahosted.org/freeipa/ticket/3622
* Become IPA 3.1.4 [release-3-1-4]
  Martin Kosek, 2013-05-07, 1 file, -1/+1
* Specify the location for the agent PKCS#12 file so we don't have to move it.
  Rob Crittenden, 2013-05-06, 1 file, -3/+1
  Dogtag 10.0.2 changed the default location for this file from /root/.pki to /root/.dogtag, which broke our install.
  https://fedorahosted.org/freeipa/ticket/3599
* Update pki proxy configuration
  Martin Kosek, 2013-05-06, 1 file, -2/+2
  Replicas with Dogtag pki-ca 10.0.2 CA require access to additional Dogtag REST API calls. Update pki proxy configuration to allow that.
  https://fedorahosted.org/freeipa/ticket/3601
* Drop uniqueMember mapping with nss-pam-ldapd.
  Rob Crittenden, 2013-05-02, 2 files, -1/+9
  nss-pam-ldapd in 0.8.4 changed the default to map uniqueMember to member, so it is no longer needed in the config file, and in fact causes an error to be raised. Add a Conflicts on older versions.
  https://fedorahosted.org/freeipa/ticket/3589
* Add support for OpenSSH 6.2.
  Jan Cholasta, 2013-04-30, 2 files, -21/+81
  Run sss_ssh_authorizedkeyscommand as nobody. Automatically update sshd_config on openssh-server update.
  https://fedorahosted.org/freeipa/ticket/3571
* Add userClass attribute for hosts
  Martin Kosek, 2013-04-26, 6 files, -5/+39
  This new freeform host attribute will allow provisioning systems to add custom tags for host objects which can later be used in automember rules or for additional local interpretation.
  Design page: http://www.freeipa.org/page/V3/Integration_with_a_provisioning_systems
  Ticket: https://fedorahosted.org/freeipa/ticket/3583
* Allow underscore in record targets
  Tomas Babej, 2013-04-25, 2 files, -3/+3
  Makes record target validation less strict and allows underscore. This is a requirement for IPA sites.
  https://fedorahosted.org/freeipa/ticket/3550
* Add missing permissions to Host Administrators privilege
  Ana Krivokapic, 2013-04-24, 1 file, -0/+8
  The 'Host Administrators' privilege was missing two permissions ('Retrieve Certificates from the CA' and 'Revoke Certificate'), causing the inability to remove a host with a certificate.
  https://fedorahosted.org/freeipa/ticket/3585
* Handle socket.gethostbyaddr() exceptions when verifying hostnames.
  Rob Crittenden, 2013-04-24, 1 file, -0/+2
  Log any socket exceptions raised and let the process continue. This failure isn't a show-stopper. Other checks past this will catch any other problems. This was seen when /etc/hosts and /etc/resolv.conf were both empty.
  https://fedorahosted.org/freeipa/ticket/3581
* Fix the spec file
  Ana Krivokapic, 2013-04-22, 1 file, -1/+1
  Correct ownership for /etc/ipa and remove unnecessary %config directive.
  https://fedorahosted.org/freeipa/ticket/3551
* Handle missing /etc/ipa in ipa-client-install
  Ana Krivokapic, 2013-04-19, 2 files, -1/+10
  Make sure /etc/ipa is created and owned by the freeipa-python package. Report the correct error to the user if /etc/ipa is missing during client installation.
  https://fedorahosted.org/freeipa/ticket/3551
* Use two digits for each part of NUM_VERSION
  Petr Viktorin, 2013-04-19, 1 file, -2/+4
  https://fedorahosted.org/freeipa/ticket/3545
* Use correct zone when removing DNS records of a master.
  Jan Cholasta, 2013-04-18, 1 file, -3/+2
  https://fedorahosted.org/freeipa/ticket/3563
* Do not use new LDAP API in old code.
  Jan Cholasta, 2013-04-16, 1 file, -2/+2
* Delete DNS records in ipa-ca on ipa-csreplica-manage del.
  Jan Cholasta, 2013-04-16, 1 file, -1/+13
  https://fedorahosted.org/freeipa/ticket/3547
* Use A/AAAA records instead of CNAME records in ipa-ca.
  Jan Cholasta, 2013-04-16, 6 files, -53/+142
  https://fedorahosted.org/freeipa/ticket/3547
* Deprecate HBAC source hosts from CLI
  Ana Krivokapic, 2013-04-12, 9 files, -256/+86
  Hide the commands and options listed below from the CLI, but keep them in the API. When called directly from the API, raise appropriate exceptions informing the user that the functionality has been deprecated.
  Affected commands: hbacrule_add_sourcehost, hbacrule_remove_sourcehost.
  Affected options: sourcehostcategory, sourcehost_host and sourcehost_hostgroup (hbacrule); sourcehost (hbactest).
  https://fedorahosted.org/freeipa/ticket/3528
* Remove any reference to HBAC source hosts from help
  Ana Krivokapic, 2013-04-12, 2 files, -12/+10
  https://fedorahosted.org/freeipa/ticket/3528
* Remove HBAC source hosts from web UI
  Ana Krivokapic, 2013-04-12, 3 files, -94/+0
  https://fedorahosted.org/freeipa/ticket/3528
* Use only one URL for OCSP and CRL in IPA certificate profile.
  Jan Cholasta, 2013-04-11, 1 file, -45/+14
  https://fedorahosted.org/freeipa/ticket/3552
* Do actually stop pki_cad in stop_pkicad instead of starting it.
  Jan Cholasta, 2013-04-09, 1 file, -2/+2
  https://fedorahosted.org/freeipa/ticket/3554
* Remove CA cert on client uninstall
  Ana Krivokapic, 2013-04-04, 1 file, -0/+9
  The CA cert (/etc/ipa/ca.crt) was not being removed on client uninstall, causing failure on subsequent client installation in some cases.
  https://fedorahosted.org/freeipa/ticket/3537
* Display full command documentation in online help
  Petr Viktorin, 2013-04-03, 2 files, -1/+28
  ipa <command> -h only showed the summary string, not the full help. Use the full docstring. Add a custom help formatter that disables optparse's reformatting.
  Test included.
  https://fedorahosted.org/freeipa/ticket/3543
* Require 389-ds-base 1.3.0.5
  Martin Kosek, 2013-04-02, 1 file, -1/+8
  Pulls the following fixes:
  - upgrade deadlock caused by DNA plugin reconfiguration
  - CVE-2013-1897: unintended information exposure when rootdse is enabled
  https://fedorahosted.org/freeipa/ticket/3540
* Properly handle ipa-replica-install when its zone is not managed by IPA
  Tomas Babej, 2013-04-02, 1 file, -6/+16
  The ipa-replica-install script tries to add the replica's A and PTR records to the master DNS if the master does manage DNS. However, the master need not manage the replica's zone. Properly handle this use case.
  https://fedorahosted.org/freeipa/ticket/3496
* ipa-pwd-extop: do not use dn until it is really set
  Sumit Bose, 2013-04-02, 1 file, -20/+20
  https://fedorahosted.org/freeipa/ticket/3539
* Enhance ipa-adtrust-install for domains with multiple IPA servers
  Alexander Bokovoy, 2013-04-02, 1 file, -8/+36
  As described on http://www.freeipa.org/page/V3/MultipleTrustServers, notice if the FreeIPA server is a replica and adtrust agents contains members corresponding to the cifs/ services from replication partners. Only these servers will be advertised as SMB domain controllers.
  https://fedorahosted.org/freeipa/ticket/2189
* Add mkhomedir option to ipa-server-install and ipa-replica-install
  Ana Krivokapic, 2013-03-28, 4 files, -0/+22
  Add the option to create home directories for users on their first login to ipa-server-install and ipa-replica-install.
  https://fedorahosted.org/freeipa/ticket/3515
* Become 3.1.3 [release-3-1-3]
  Martin Kosek, 2013-03-26, 1 file, -1/+1
* Bump selinux-policy requires
  Martin Kosek, 2013-03-26, 1 file, -1/+4
  The higher version is reported to fix a Fedora 17 to 18 upgrade issue.
  https://fedorahosted.org/freeipa/ticket/3399
* Add logging to join command
  Tomas Babej, 2013-03-25, 1 file, -6/+20
  The following is mentioned in the log now:
  - existence of host entry (if it already does exist)
  - missing krbprincipalname and its new value (if there was no principal name set)
  https://fedorahosted.org/freeipa/ticket/3481
* Use default NETBIOS name in unattended ipa-adtrust-install
  Ana Krivokapic, 2013-03-22, 1 file, -1/+4
  Unattended ipa-adtrust-install used to fail if the --netbios option was not provided. This patch fixes this, so that instead of failing the default NETBIOS name is used.
  https://fedorahosted.org/freeipa/ticket/3497
* Configure ipa_dns DS plugin on install and upgrade
  Martin Kosek, 2013-03-22, 4 files, -0/+43
  The plugin is configured unconditionally (i.e. does not check if IPA was configured with DNS) as the plugin is needed on all replicas to prevent objectclass violations due to a missing SOA serial in the idnsZone objectclass. The violation could happen if just one replica configured DNS and added a new zone.
  https://fedorahosted.org/freeipa/ticket/3347
* Add 389 DS plugin for special idnsSOASerial attribute handling
  Petr Spacek, 2013-03-22, 5 files, -0/+255
  Default value "1" is added to replicated idnsZone objects if the idnsSOASerial attribute is missing.
  https://fedorahosted.org/freeipa/ticket/3347
  Signed-off-by: Petr Spacek <pspacek@redhat.com>
* Load extension.js after UI AMD modules.
  Petr Vobornik, 2013-03-22, 1 file, -3/+6
  This patch is a fix for the upcoming ipa-3-1 minor release. Loading of extension.js was removed with the introduction of AMD modules. This patch returns the feature to avoid regressions. In 3.2 it will be handled differently (multiple plugins).
* Added Web UI support for service PAC type option: NONE
  Petr Vobornik, 2013-03-22, 1 file, -1/+1
  Checkbox for NONE option was added.
  https://fedorahosted.org/freeipa/ticket/3404
* Process exceptions when talking to Dogtag
  Alexander Bokovoy, 2013-03-21, 1 file, -1/+4
  The problem is that ca_status() uses an HTTP GET operation to check Dogtag's status. Under some circumstances Dogtag may take a long time to respond, so the HTTP GET may time out much earlier than 2 minutes. And since the above code doesn't catch the exception, the whole loop fails immediately, so it doesn't wait for a full 2 minutes as expected.
  https://fedorahosted.org/freeipa/ticket/3492
* Improve client install LDAP cert retrieval fallback
  Martin Kosek, 2013-03-21, 1 file, -1/+1
  The CA certificate retrieval function did not fall back from LDAP to HTTP-based retrieval in case of an LDAP error, for example when GSSAPI authentication failed.
  https://fedorahosted.org/freeipa/ticket/3512
* Use temporary CCACHE in ipa-client-install
  Martin Kosek, 2013-03-21, 1 file, -0/+7
  ipa-client-install failed if the user had set his own KRB5CCNAME in his environment. Use a temporary CCACHE for the installer to avoid these kinds of errors.
  https://fedorahosted.org/freeipa/ticket/3512
* ipa-client discovery with anonymous access off
  Martin Kosek, 2013-03-20, 1 file, -5/+1
  When RootDSE could be read (nsslapd-allow-anonymous-access set to "rootdse"), the autodiscovery module failed to report success to the client installer. Remove the faulty "verified_servers" flag from the autodiscovery module as it has no point, since we consider both scenarios (IPA server with anonymous access on and unknown LDAP server with anonymous access off) as success.
  https://fedorahosted.org/freeipa/ticket/3519
* Realm Domains page
  Ana Krivokapic, 2013-03-18, 9 files, -7/+190
  Add support for Realm Domains to web UI.
  https://fedorahosted.org/freeipa/ticket/3407
* Web UI: Choose different search option for cert-find
  Petr Vobornik, 2013-03-18, 5 files, -4/+140
  This extends the certificate search page by a search option select. Therefore the search is not restricted to 'subject'. It should be replaced by https://fedorahosted.org/freeipa/ticket/191 in the future.
  https://fedorahosted.org/freeipa/ticket/3419
* Web UI: Certificate pages
  Petr Vobornik, 2013-03-18, 13 files, -31/+621
  Following pages were added to Web UI:
  - certificate details
  - certificate search
  Certificate is not a regular object so it gets no metadata. Therefore artificial metadata were created for it to allow usage of the search and details facets. Search and details facets were modified to allow removing of add/remove/update/reset buttons: certificates have no mod operation and they are not added by standard means. User can revoke and restore certificates in the details facet.
  https://fedorahosted.org/freeipa/ticket/3419
* Fix internal error for ipa show-mappings
  Ana Krivokapic, 2013-03-18, 1 file, -1/+1
  The run() method of the show_mappings command was missing the **options parameter in its signature, causing ipa show-mappings to fail with an internal error.