| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
| |
NOTE: "release-3-1-5" tag is going to be re-tagged to this commit
due to missing important fix for IPA CLDAP responder
(4f8cce7ba114cc13aceecfab3420c63cb26342fa).
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3639
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Windows DCs return an empty reply when a legal request cannot satisfied.
If we get EINVAL or ENOENT it means the information requested could not be
found or input parameters were bogus.
Always return an empty reply in these cases.
On any other internal error just return, the request may have been legit but we
can't really handle it right now, pretend we never saw it and hope the next
attempt will succeed.
Fixes: https://fedorahosted.org/freeipa/ticket/3639
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
1. Stop using getdomainname() as it is often not properly initialized
2. The code using getdomainname() was not working anyway it was trying to
look at the function call output in hostname which is always empty at that
point.
3. Always check the requested domain matches our own, we cannot reply to
anything else anyway.
Pre-requisite to fix: https://fedorahosted.org/freeipa/ticket/3639
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
| |
The numeric IPA_NUM_VERSION contained a leading zero, so it was treated
as octal value in Python code instead of decimal.
https://fedorahosted.org/freeipa/ticket/3622
|
| |
|
|
|
|
|
|
|
| |
Dogtag 10.0.2 changed the default location for this file from /root/.pki
to /root/.dogtag which broke our install.
https://fedorahosted.org/freeipa/ticket/3599
|
|
|
|
|
|
|
| |
Replicas with Dogtag pki-ca 10.0.2 CA require access to additional
Dogtag REST API calls. Update pki proxy configuration to allow that.
https://fedorahosted.org/freeipa/ticket/3601
|
|
|
|
|
|
|
|
|
|
| |
nss-pam-ldapd in 0.8.4 changed the default to map uniqueMember to
member so it is no longer needed in the config file, and in fact
causes an error to be raised.
Add a Conflicts on older versions.
https://fedorahosted.org/freeipa/ticket/3589
|
|
|
|
|
|
|
| |
Run sss_ssh_authorizedkeyscommand as nobody. Automatically update sshd_config
on openssh-server update.
https://fedorahosted.org/freeipa/ticket/3571
|
|
|
|
|
|
|
|
|
| |
This new freeform host attribute will allow provisioning systems
to add custom tags for host objects which can be later used for
in automember rules or for additional local interpretation.
Design page: http://www.freeipa.org/page/V3/Integration_with_a_provisioning_systems
Ticket: https://fedorahosted.org/freeipa/ticket/3583
|
|
|
|
|
|
|
| |
Makes record target validation less strict and allows underscore.
This is requirement for IPA sites.
https://fedorahosted.org/freeipa/ticket/3550
|
|
|
|
|
|
|
|
| |
The 'Host Administrators' privilege was missing two permissions
('Retrieve Certificates from the CA' and 'Revoke Certificate'), causing
the inability to remove a host with a certificate.
https://fedorahosted.org/freeipa/ticket/3585
|
|
|
|
|
|
|
|
|
|
| |
Log any socket exceptions raised and let the process continue. This
failure isn't a show-stopper. Other checks past this will catch any
other problems.
This was seen when /etc/hosts and /etc/resolv.conf were both empty.
https://fedorahosted.org/freeipa/ticket/3581
|
|
|
|
|
|
| |
Correct ownership for /etc/ipa and remove unnecessary %config directive.
https://fedorahosted.org/freeipa/ticket/3551
|
|
|
|
|
|
|
|
| |
Make sure /etc/ipa is created and owned by freeipa-python package.
Report correct error to user if /etc/ipa is missing during client installation.
https://fedorahosted.org/freeipa/ticket/3551
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3545
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3563
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3547
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3547
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Hide the commands and options listed below from the CLI,
but keep them in the API. When called directly from the API,
raise appropriate exceptions informing the user that the
functionality has been deprecated.
Affected commands: hbacrule_add_sourcehost, hbacrule_remove_sourcehost.
Affected options: sourcehostcategory, sourcehost_host and
sourcehost_hostgroup (hbacrule); sourcehost (hbactest).
https://fedorahosted.org/freeipa/ticket/3528
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3528
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3528
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3552
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3554
|
|
|
|
|
|
|
|
| |
The CA cert (/etc/ipa/ca.crt) was not being removed
on client uninstall, causing failure on subsequent client
installation in some cases.
https://fedorahosted.org/freeipa/ticket/3537
|
|
|
|
|
|
|
|
|
|
| |
ipa <command> -h only showed the summary string, not the full help.
Use the full docstring. Add a custom help formatter that disables
optparse's reformatting.
Test included
https://fedorahosted.org/freeipa/ticket/3543
|
|
|
|
|
|
|
|
|
| |
Pulls the following fixes:
- upgrade deadlock caused by DNA plugin reconfiguration
- CVE-2013-1897: unintended information exposure when rootdse is
enabled
https://fedorahosted.org/freeipa/ticket/3540
|
|
|
|
|
|
|
|
|
| |
The ipa-replica-install script tries to add replica's A and PTR
records to the master DNS, if master does manage DNS. However,
master need not manage replica's zone. Properly handle this use
case.
https://fedorahosted.org/freeipa/ticket/3496
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3539
|
|
|
|
|
|
|
|
|
|
| |
As described on http://www.freeipa.org/page/V3/MultipleTrustServers,
notice if FreeIPA server is a replica and adtrust agents contains members
corresponding to the cifs/ services from replication partners.
Only these servers will be advertised as SMB domain controllers
https://fedorahosted.org/freeipa/ticket/2189
|
|
|
|
|
|
|
| |
Add the option to create home directories for users on their
first login to ipa-server-install and ipa-replica-install.
https://fedorahosted.org/freeipa/ticket/3515
|
| |
|
|
|
|
|
|
| |
The higher version is reported to fix a Fedora 17 to 18 upgrade issue.
https://fedorahosted.org/freeipa/ticket/3399
|
|
|
|
|
|
|
|
|
| |
The following is mentioned in the log now:
- existence of host entry (if it already does exist)
- missing krbprincipalname and its new value (if there was no
principal name set)
https://fedorahosted.org/freeipa/ticket/3481
|
|
|
|
|
|
|
|
| |
Unattended ipa-adtrust-install used to fail if --netbios option
was not provided. This patches fixes this, so that instead of
failing the default NETBIOS name is used.
https://fedorahosted.org/freeipa/ticket/3497
|
|
|
|
|
|
|
|
|
|
| |
The plugin is configured unconditionally (i.e. does not check if
IPA was configured with DNS) as the plugin is needed on all
replicas to prevent objectclass violations due to missing SOA
serial in idnsZone objectclass. The violation could happen if just
one replica configured DNS and added a new zone.
https://fedorahosted.org/freeipa/ticket/3347
|
|
|
|
|
|
|
|
|
| |
Default value "1" is added to replicated idnsZone objects
if idnsSOASerial attribute is missing.
https://fedorahosted.org/freeipa/ticket/3347
Signed-off-by: Petr Spacek <pspacek@redhat.com>
|
|
|
|
|
|
|
|
| |
This patch is fix for upcoming ipa-3-1 minor release.
Loading of extension.js was removed with introduction of AMD modules. This patch returns the feature to avoid regressions.
In 3.2 it will be handled differently (multiple plugins).
|
|
|
|
|
|
| |
Checkbox for NONE option was added.
https://fedorahosted.org/freeipa/ticket/3404
|
|
|
|
|
|
|
|
|
|
| |
The problem is the ca_status() uses an HTTP GET operation to check Dogtag's
status. Under some circumstances Dogtag may take a long time to respond, so the
HTTP GET may time out much earlier than 2 minutes. And since the above code
doesn't catch the exception, the whole loop fails immediately, so it doesn't
wait for a full 2 minutes as expected.
https://fedorahosted.org/freeipa/ticket/3492
|
|
|
|
|
|
|
|
| |
CA certificate retrieval function did not fallback from LDAP to
HTTP based retrieval in case of an LDAP error, when for example
GSSAPI authentication failed.
https://fedorahosted.org/freeipa/ticket/3512
|
|
|
|
|
|
|
|
| |
ipa-client-install failed if user had set his own KRB5CCNAME in his
environment. Use a temporary CCACHE for the installer to avoid these
kind of errors.
https://fedorahosted.org/freeipa/ticket/3512
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When RootDSE could be read (nsslapd-allow-anonymous-access set to
"rootdse"), autodiscovery module failed to report success to the
client installer.
Remove faulty "verified_servers" flag from autodiscovery module as
it has no point since we consider both scenarios (IPA server with
anonymous access on and unknown LDAP server with anonymous access
off) as success.
https://fedorahosted.org/freeipa/ticket/3519
|
|
|
|
|
|
| |
Add support for Realm Domains to web UI.
https://fedorahosted.org/freeipa/ticket/3407
|
|
|
|
|
|
|
|
|
|
| |
This extends certificate search page by search option select. Therefore
the search is not restricted to 'subject'.
It should be replaced by https://fedorahosted.org/freeipa/ticket/191 in a
future.
https://fedorahosted.org/freeipa/ticket/3419
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Following pages were added to Web UI:
* certificated details
* certificate search
Certificate is not regular object so it gets no metadata. Therefore artificial
metadata were created for it to allow usage of search and details facet.
Search and details facet were modified to allow removing of add/remove/update/
reset buttons - certificates have no mod operation and they are not added by
standard means.
User can revoke and restore certificated in details facet.
https://fedorahosted.org/freeipa/ticket/3419
|
|
|
|
|
|
| |
The run() method of the show_mappings command was missing
the **options parameter in its signature, causing the
ipa show-mappings to fail with an internal error.
|