Merge branch 'upstream'
commit
59e3ec9726
2
VERSION
2
VERSION
@ -20,7 +20,7 @@
|
||||
########################################################
|
||||
IPA_VERSION_MAJOR=4
|
||||
IPA_VERSION_MINOR=0
|
||||
IPA_VERSION_RELEASE=4
|
||||
IPA_VERSION_RELEASE=5
|
||||
|
||||
########################################################
|
||||
# For 'pre' releases the version will be #
|
||||
|
@ -1446,12 +1446,12 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
|
||||
|
||||
/* Try to do OTP first. */
|
||||
syncreq = sync_request_present(pb);
|
||||
if (!syncreq && !ipapwd_pre_bind_otp(dn, entry, credentials)) {
|
||||
slapi_entry_free(entry);
|
||||
slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS,
|
||||
NULL, NULL, 0, NULL);
|
||||
return 1;
|
||||
}
|
||||
if (!syncreq && !ipapwd_pre_bind_otp(dn, entry, credentials))
|
||||
goto invalid_creds;
|
||||
|
||||
/* Ensure that there is a password. */
|
||||
if (credentials->bv_len == 0)
|
||||
goto invalid_creds;
|
||||
|
||||
/* Authenticate the user. */
|
||||
ret = ipapwd_authenticate(dn, entry, credentials);
|
||||
@ -1461,18 +1461,20 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
|
||||
}
|
||||
|
||||
/* Attempt to handle a token synchronization request. */
|
||||
if (syncreq && !sync_request_handle(ipapwd_get_plugin_id(), pb, dn)) {
|
||||
slapi_entry_free(entry);
|
||||
slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS,
|
||||
NULL, NULL, 0, NULL);
|
||||
return 1;
|
||||
}
|
||||
if (syncreq && !sync_request_handle(ipapwd_get_plugin_id(), pb, dn))
|
||||
goto invalid_creds;
|
||||
|
||||
/* Attempt to write out kerberos keys for the user. */
|
||||
ipapwd_write_krb_keys(pb, dn, entry, credentials);
|
||||
|
||||
slapi_entry_free(entry);
|
||||
return 0;
|
||||
|
||||
invalid_creds:
|
||||
slapi_entry_free(entry);
|
||||
slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS,
|
||||
NULL, NULL, 0, NULL);
|
||||
return 1;
|
||||
}
|
||||
|
||||
/* Init pre ops */
|
||||
|
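Review bot: The `credentials->bv_len == 0` check in `ipapwd_pre_bind` is documented only as "Ensure that there is a password.", which does not tell a maintainer why it has to sit between the OTP step and `ipapwd_authenticate`. Presumably `ipapwd_pre_bind_otp` consumes the token code from `credentials`, so a bind carrying only a code would reach this point with nothing left, and an empty simple-bind password is what LDAP treats as an unauthenticated bind. I would say so in the comment, e.g. `/* Reject an empty password: once the OTP code is consumed nothing may remain, and an empty simple bind must never count as authenticated. */`, and add a regression test for the code-only bind. The three single-statement `if`s that jump to `invalid_creds` are unbraced (the +/- markers are lost on this page, so I am reading them as the new side); bracing them keeps a later added statement from running unconditionally. The function begins above the first hunk.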
@ -18,15 +18,19 @@ add: schema-compat-entry-attribute: 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCatego
|
||||
add: schema-compat-entry-attribute: 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixAccount)\",\"uid\")")'
|
||||
add: schema-compat-entry-attribute: 'sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%{ipaSudoRunAsExtGroup}")'
|
||||
add: schema-compat-entry-attribute: 'sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%deref_f(\"ipaSudoRunAsGroup\",\"(objectclass=posixGroup)\",\"cn\")")'
|
||||
add: schema-compat-ignore-subtree: cn=changelog
|
||||
add: schema-compat-ignore-subtree: o=ipaca
|
||||
remove: schema-compat-ignore-subtree: cn=changelog
|
||||
remove: schema-compat-ignore-subtree: o=ipaca
|
||||
add: schema-compat-restrict-subtree: '$SUFFIX'
|
||||
add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'
|
||||
|
||||
# Change padding for host and userCategory so the pad returns the same value
|
||||
# as the original, '' or -.
|
||||
dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config
|
||||
replace: schema-compat-entry-attribute:'nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})::nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","%ifeq(\"hostCategory\",\"all\",\"\",\"-\")",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","%ifeq(\"userCategory\",\"all\",\"\",\"-\")"),%{nisDomainName:-})'
|
||||
add: schema-compat-ignore-subtree: cn=changelog
|
||||
add: schema-compat-ignore-subtree: o=ipaca
|
||||
remove: schema-compat-ignore-subtree: cn=changelog
|
||||
remove: schema-compat-ignore-subtree: o=ipaca
|
||||
add: schema-compat-restrict-subtree: '$SUFFIX'
|
||||
add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'
|
||||
|
||||
dn: cn=computers, cn=Schema Compatibility, cn=plugins, cn=config
|
||||
default:objectClass: top
|
||||
@ -41,19 +45,25 @@ default:schema-compat-entry-attribute: objectclass=device
|
||||
default:schema-compat-entry-attribute: objectclass=ieee802Device
|
||||
default:schema-compat-entry-attribute: cn=%{fqdn}
|
||||
default:schema-compat-entry-attribute: macAddress=%{macAddress}
|
||||
add: schema-compat-ignore-subtree: cn=changelog
|
||||
add: schema-compat-ignore-subtree: o=ipaca
|
||||
remove: schema-compat-ignore-subtree: cn=changelog
|
||||
remove: schema-compat-ignore-subtree: o=ipaca
|
||||
add: schema-compat-restrict-subtree: '$SUFFIX'
|
||||
add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'
|
||||
|
||||
dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
|
||||
add:schema-compat-entry-attribute: sudoOrder=%{sudoOrder}
|
||||
|
||||
dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
|
||||
add: schema-compat-ignore-subtree: cn=changelog
|
||||
add: schema-compat-ignore-subtree: o=ipaca
|
||||
remove: schema-compat-ignore-subtree: cn=changelog
|
||||
remove: schema-compat-ignore-subtree: o=ipaca
|
||||
add: schema-compat-restrict-subtree: '$SUFFIX'
|
||||
add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'
|
||||
|
||||
dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
|
||||
add: schema-compat-ignore-subtree: cn=changelog
|
||||
add: schema-compat-ignore-subtree: o=ipaca
|
||||
remove: schema-compat-ignore-subtree: cn=changelog
|
||||
remove: schema-compat-ignore-subtree: o=ipaca
|
||||
add: schema-compat-restrict-subtree: '$SUFFIX'
|
||||
add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'
|
||||
|
||||
dn: cn=Schema Compatibility,cn=plugins,cn=config
|
||||
# We need to run schema-compat pre-bind callback before
|
||||
|
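Review bot: The switch from `schema-compat-ignore-subtree` to `schema-compat-restrict-subtree` is repeated in five compat entries without a comment saying why, while the neighbouring padding change does get one. Going by the hunk header counts, the `remove:` and `restrict-subtree` lines are the new side, which turns a deny-list of two subtrees into an allow-list of `$SUFFIX` plus the plugin's own config tree. A short comment above the first occurrence, such as `# Only process $SUFFIX and the compat config; replaces the old ignore list for cn=changelog and o=ipaca`, would record that intent and make it clear that a new compat entry needs the same two `restrict-subtree` lines. The header of the first entry is outside the hunk.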
@ -889,3 +889,9 @@ class LDAPUpdate:
|
||||
self._run_updates(updates)
|
||||
|
||||
return self.modified
|
||||
|
||||
def close_connection(self):
|
||||
"""Close ldap connection"""
|
||||
if self.conn:
|
||||
self.conn.unbind()
|
||||
self.conn = None
|
||||
|
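Review bot: `close_connection` clears `self.conn` only after `unbind()` returns, so if `unbind()` raises on an already broken connection the stale handle stays on the instance and will be reused. Detaching first avoids that: `conn, self.conn = self.conn, None` followed by `if conn: conn.unbind()`. The docstring could also state that the method is safe to call when no connection is open, which the `if self.conn:` guard already provides. The rest of `LDAPUpdate` is outside the hunk.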
@ -122,6 +122,9 @@ class updateclient(backend.Executioner):
|
||||
for update in self.order(updatetype):
|
||||
(restart, apply_now, res) = self.run(update.name, **kw)
|
||||
if restart:
|
||||
# connection has to be closed before restart, otherwise
|
||||
# ld instance will try to reuse old non-valid connection
|
||||
ld.close_connection()
|
||||
self.restart(dm_password, live_run)
|
||||
|
||||
if apply_now:
|
||||
|
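Review bot: After `ld.close_connection()` the loop keeps going with `ld.conn` set to `None`, and nothing in this hunk shows where the connection is reopened once the server is back. The comment implies that `LDAPUpdate` reconnects on demand; if that is so, I would name it in the comment, e.g. `# LDAPUpdate reconnects lazily on the next update`, and otherwise reconnect explicitly after `self.restart(...)`. The loop body continues past the end of the hunk.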