When creating a host with a password we don't set a Kerberos
principal or add the Kerberos objectclasses. Those get added when the
host is enrolled. If one passed in --password= (so no password) then
we incorrectly thought the user was in fact setting a password, so the
principal and objectclasses weren't updated.
https://fedorahosted.org/freeipa/ticket/4102
Enable Retro Changelog and Content Synchronization DS plugins which are required
for SyncRepl support.
Create a working directory /var/named/ipa required by bind-dyndb-ldap v4+.
https://fedorahosted.org/freeipa/ticket/3967
Since we're exposing the krbPrincipalExpiration attribute for direct
editing in the CLI, remove it from the list of attributes that
admin cannot edit by default.
Part of: https://fedorahosted.org/freeipa/ticket/3306
IPA client installation did not preserve the status of nscd and nslcd services
correctly. E.g. nscd would be started after uninstallation, even though it
wasn't running before client installation. Make sure the state of services is
saved before installation and correctly restored after uninstallation.
https://fedorahosted.org/freeipa/ticket/3790
Original patch for ticket #3803 implemented support to resolve SIDs
through SSSD. However, it also broke hbactest for external users. The
result of the updated external member group search must be local
non-external groups, not the external ones. Otherwise the rule is not
matched.
https://fedorahosted.org/freeipa/ticket/3803
Fix both the service restart procedure and registration of old
pki-cad well known service name.
This patch was adapted from original patch of Jan Cholasta 178 to
fix ticket 4092.
https://fedorahosted.org/freeipa/ticket/4092
When output_for_cli was called directly, rather than for values
received through XML or JSON API, joining multiple values failed
on non-strings such as DN objects.
Convert output to strings before printing it out.
On sysrestore failure, user is prompted out to remove the sysrestore
file. However, the path to the sysrestore file mentioned in the
sentence is not correct.
https://fedorahosted.org/freeipa/ticket/4080
ipasearchrecordslimit can be -1, which means unlimited.
The permission_find post_callback failed in this case in legacy
permission handling.
Do not fail in this case.
Web UI build fails on some architectures or configuration due to
StackOverflow. This patch increases the stack size to solve it.
512k is usually enough but we encountered fail on ppc64 even with 2m,
therefore the 8m. The build is single threaded so it shouldn't waste
much memory.
To double-check the ACIs are correct, this uses different code
than the new permission plugin: the aci_show command.
A new option, location, is added to the command to support
these checks.
Lists and tuples are already allowed for convenience; it is easier to write
(1, 2, 3) or [1, 2, 3] than frozenset([1, 2, 3]).
This allows the set literal syntax, {1, 2, 3}, as well.
Latest support for subdomains introduced regression that masked
difference between newly added trust and re-added one.
Additionally, in case no new subdomains were found, the code was
returning None instead of an empty list which later could confuse
trustdomain-find command.
https://fedorahosted.org/freeipa/ticket/4067
The CLDAP DS plugin uses the uppercased first segment of the fully
qualified hostname as the NetBIOS name. We need to limit its size
to 15 characters.
https://fedorahosted.org/freeipa/ticket/4028
The driver only checked if the corresponding value was in the config, so
no_dns: False
had the same effect as
no_dns: True
Change the check to take the value into consideration.
This makes false-y values like False (from YAML) and empty string
(from environment) work as if the value was not specified.
Clean up the .gitignore file:
- Remove no longer used .gitignore entries, like .bzr files
- Do not repeat autotools generated files over and over again
- Whitelist existent Makefiles in the repository
- Better separate the .gitignore entries
The ipa-client-install script and ipa-join use different methods
of resolving the hostname, the former uses gethostbyaddr() call,
while the latter reads the "uinfo.nodename".
This can result ipa-client-install failures in case of broken PTR
records.
https://fedorahosted.org/freeipa/ticket/4027