ipa-dns-install now uses LDAPI/autobind to connect to DS during the setup of
DNS/DNSSEC-related service and thus makes -p option obsolete.
Furthermore, now it makes more sense to use LDAPI also for API Backend
connections to DS and thus all forms of Kerberos auth were removed.
This fixes https://fedorahosted.org/freeipa/ticket/4933 and brings us closer
to fixing https://fedorahosted.org/freeipa/ticket/2957
Reviewed-By: Martin Basti <mbasti@redhat.com>
BindInstance et al. now use STARTTLS to set up secure connection to DS during
ipa-dns-install. This fixes https://fedorahosted.org/freeipa/ticket/4933
Reviewed-By: Martin Basti <mbasti@redhat.com>
When restoring ipa after uninstallation we need to extract and load
configuration of the restored environment.
https://fedorahosted.org/freeipa/ticket/4896
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* add uniqueness-subtree-entries-oc:posixAccount to ensure idviews users
will not be forced to have unique uid
* remove unneeded update plugins -> update was moved to .update file
* add uniqueness-across-all-subtrees required by user lifecycle
management
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Fixes:
dnskeysyncinstance - requires a stored state to be uninstalled
bindinstance - uninstall service only if bind was configured by IPA
Ticket: https://fedorahosted.org/freeipa/ticket/4869
Reviewed-By: David Kupka <dkupka@redhat.com>
Services haven't been restored correctly, which causes disabling of already
disabled services, or some services did not start. This patch fixes these
issues.
Ticket: https://fedorahosted.org/freeipa/ticket/4869
Reviewed-By: David Kupka <dkupka@redhat.com>
The patch adds a function which calls 'remove-ds.pl' during DS instance
removal. This should allow for a more thorough removal of DS related data
during server uninstallation (such as closing custom ports, cleaning up
slapd-* entries etc.)
This patch is related to https://fedorahosted.org/freeipa/ticket/4487.
Reviewed-By: Martin Basti <mbasti@redhat.com>
The framework only shows traceback for the internal/unknown errors,
recognized PublicErrors are simply passed back to the FreeIPA
clients.
However, sometimes it would help to see a traceback of the
PublicError to, for example, see exactly which line returns it.
https://fedorahosted.org/freeipa/ticket/4847
Reviewed-By: Martin Basti <mbasti@redhat.com>
Add a new PassSync Service privilege that has sufficient access to
let the AD PassSync service search for NT users and update the password.
To make sure existing PassSync user keeps working, it is added as
a member of the new privilege.
A new update plugin is added to add a link to the new privilege to the
potentially existing PassSync user to avoid breaking the PassSync
service.
https://fedorahosted.org/freeipa/ticket/4837
Reviewed-By: David Kupka <dkupka@redhat.com>
Fix restore mode checks. Do some of the existing checks earlier to make them
effective. Check if --instance and --backend exist both in the filesystem and
in the backup.
Log backup type and restore mode before performing restore.
Update ipa-restore man page.
https://fedorahosted.org/freeipa/ticket/4797
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Martin Kosek <mkosek@redhat.com>
When restoring a backup on a master other than the one it was created on, there
is a high risk of unexpected and hard-to-debug behavior. Refuse such a restore.
https://fedorahosted.org/freeipa/ticket/4823
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This patch fixes an issue where forward zones were not upgraded after adding a
replica >=4.0 into a topology with IPA 3.x servers.
Ticket: https://fedorahosted.org/freeipa/ticket/4818
Reviewed-By: Petr Spacek <pspacek@redhat.com>
This hasn't been used for a number of releases now, as ipa-kdb directly
fetches the key via LDAP.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
For CA certificates that are not certificates of the IPA CA, we incorrectly
set the trust flags to ",,", regardless of what trust_flags parameter
was actually passed.
Make the load_cacert method respect trust_flags and make it a required
argument.
https://fedorahosted.org/freeipa/ticket/4779
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Trust validation requires the AD DC to contact the IPA server to verify that the
trust account actually works. It can fail due to a DNS or firewall issue, or, if
the AD DC was able to resolve IPA master(s) via SRV records, it may still contact
a replica that has no trust data replicated yet.
In case the AD DC still returns 'access denied', wait 5 seconds and try validation again.
Repeat validation until we hit a limit of 10 attempts, at which point raise an
exception telling what's happening.
https://fedorahosted.org/freeipa/ticket/4764
Reviewed-By: Tomas Babej <tbabej@redhat.com>
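The retry loop described in the commit message above, written out as an added example; this is not FreeIPA's own code. The AD DC is replaced by a constructed stand-in that denies the first few validation calls (mimicking a replica that has not received the trust data yet), the sleep is injectable so the loop runs instantly under test, and the names TrustAccessDenied, TrustValidationError and FakeDomainController are assumptions made for this example.

```python
"""Bounded retry for AD trust validation (illustrative example, not FreeIPA code)."""
import time


class TrustAccessDenied(Exception):
    """Stand-in (assumed name) for the 'access denied' result the AD DC
    returns while the trust account cannot be verified, e.g. because the
    DC reached a replica that has no trust data replicated yet."""


class TrustValidationError(Exception):
    """Assumed name: raised once the retry budget is exhausted."""


def validate_trust_with_retry(validate, attempts=10, delay=5.0, sleep=time.sleep):
    """Call validate() until it succeeds or `attempts` is exhausted.

    On TrustAccessDenied, wait `delay` seconds and try again. After the
    final failed attempt raise TrustValidationError that says what was
    tried. `sleep` is injectable so tests need not wait.
    Returns (validate() result, number of attempts used).
    """
    if attempts < 1:
        raise ValueError("attempts must be >= 1")
    last_error = None
    for attempt in range(1, attempts + 1):
        try:
            return validate(), attempt
        except TrustAccessDenied as err:
            last_error = err
            if attempt < attempts:      # no pointless wait after the last try
                sleep(delay)
    raise TrustValidationError(
        "AD DC still returned 'access denied' after %d attempts %.0fs apart; "
        "check DNS and firewall, or whether the replica the DC reached has the "
        "trust data replicated yet. Last error: %s" % (attempts, delay, last_error)
    ) from last_error


class FakeDomainController:
    """Constructed stand-in for the AD DC: denies the first `deny_first`
    validation calls, then succeeds, as if replication had caught up."""

    def __init__(self, deny_first):
        self.deny_first = deny_first
        self.calls = 0

    def validate(self):
        self.calls += 1
        if self.calls <= self.deny_first:
            raise TrustAccessDenied("access denied")
        return "trust OK"


def demo(deny_first, attempts=10):
    """Run the retry loop against the fake DC with an instantaneous sleep.
    Returns (outcome, validation calls made, sleeps performed)."""
    dc = FakeDomainController(deny_first)
    sleeps = []
    try:
        result, _used = validate_trust_with_retry(
            dc.validate, attempts=attempts, delay=5.0, sleep=sleeps.append)
        outcome = result
    except TrustValidationError as err:
        outcome = "failed: %s" % err
    return outcome, dc.calls, len(sleeps)


if __name__ == "__main__":
    print(demo(deny_first=3))   # succeeds on the 4th call after 3 waits
    print(demo(deny_first=10))  # gives up after 10 calls and 9 waits
```

With the real 5-second delay this is at most 45 seconds of waiting before the final error, which is what bounds the 10-attempt limit in practice; the injectable sleep only exists so the control flow can be checked without that delay.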
The interactive prompt callback returns a list of str instead of CheckedIPAddress
instances.
Ticket: https://fedorahosted.org/freeipa/ticket/4747
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
so that httpd ccache won't contain old credentials which would make ipa CLI fail with error:
Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Decrypt integrity check failed)
https://fedorahosted.org/freeipa/ticket/4726
Reviewed-By: Petr Viktorin <pviktori@redhat.com>