Jan Cholasta
db13494045
makeaci, makeapi: use in-server API
Capture the server API rather than client API in API.txt. Client API may be
affected by client-side plugins and thus may not correspond to what is
transmitted over the wire.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-20 16:39:12 +02:00
Yuri Chornoivan
a95e0777ac
Fix minor typos
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-20 13:49:32 +02:00
Martin Babinsky
a540c909a7
Fix listing of enabled roles in server-find
The roles can be thought of as membership attributes so we should only
list them if `--all` is specified and `--no-members` is not.
Also do not show them if `--raw` is passed in.
https://fedorahosted.org/freeipa/ticket/5181
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-17 19:00:14 +02:00
Martin Babinsky
31ffe1a129
remove the master from managed topology during uninstallation
In managed topology, calling `ipa-server-install --uninstall` will cause the
master to remove itself from the topology by calling `server_del` behind the
scenes.
https://fedorahosted.org/freeipa/ticket/5588
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-17 18:55:19 +02:00
Martin Babinsky
47decc9b84
ipa-replica-manage: use server_del when removing domain level 1 replica
`ipa-replica-manage del` will now call `server_del` behind the scenes when
removal of a replica from managed topology is requested. The existing removal
options were mapped onto the server_del options to maintain backwards
compatibility with earlier versions.
https://fedorahosted.org/freeipa/ticket/5588
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-17 18:55:19 +02:00
Martin Babinsky
081941a5b9
CI test suite for server-del
These tests cover various scenarios such as:
* trying to remove a master that would disconnect topology in one of the
suffixes
* forcing master removal regardless of topology state before/after removal
* trying to remove the last CA/DNS server/DNSSec key master
* forcing removal of the last DNSSec key master
https://fedorahosted.org/freeipa/ticket/5588
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-17 18:55:19 +02:00
Martin Babinsky
a6eb87bd68
server-del: perform full master removal in managed topology
This patch implements most of the del_master_managed() functionality as a part
of the `server-del` command.
`server-del` now performs these actions:
* check topology connectivity
* check that at least one CA/DNS server and DNSSec master are left
after removal
* clean up all LDAP entries/attributes exposing information about the master
* clean up master DNS records
* remove master and service principals
* remove master entry from LDAP
* check that all segments pointing to the master were removed
`server-del` now accepts the following options:
* `--force`: force master removal even if it doesn't exist
* `--ignore-topology-disconnect`: ignore errors arising from disconnected
topology before and after master removal
* `--ignore-last-of-role`: remove master even if it is the last DNS server
and DNSSec key master. The last CA will *not* be removed regardless of
this option.
https://fedorahosted.org/freeipa/ticket/5588
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-17 18:55:19 +02:00
Martin Babinsky
db882ae8d6
delegate removal of master DNS record and replica keys to separate functions
https://fedorahosted.org/freeipa/ticket/5588
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-17 18:55:19 +02:00
Martin Babinsky
d8ae2b4055
ipaserver module for working with managed topology
This module should aggregate common functionality utilized in the commands
managing domain-level 1 topology.
https://fedorahosted.org/freeipa/ticket/5588
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-17 18:55:19 +02:00
David Kupka
45bb2ad045
Remove unused locking "context manager"
Class ods_db_lock has been unused since August 2015.
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-17 18:27:22 +02:00
Martin Basti
8253727de1
DNS Locations: dnsserver: print specific error when DNS is not installed
Print 'DNS is not configured' if there is no IPA DNS in the domain.
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-06-17 18:05:03 +02:00
Martin Basti
e82ce439c4
DNS Location: add list of roles and DNS servers to location-show
Add to the output a list of DNS servers which advertise the location and a
list of roles per server.
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-06-17 18:05:03 +02:00
Martin Basti
88ac58a1ce
upgrade: don't fail if zone does not exist in find
In case the zone is not managed by IPA, the upgrade fails with a not-found
error. Prevent failure in this case.
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-06-17 18:05:03 +02:00
Martin Basti
313e63e3e4
DNS Locations: generate NTP records
Move NTP records to the centralized record generator.
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-06-17 18:05:03 +02:00
Martin Basti
4155eb7b13
DNS Locations: Rename ipalocationweight to ipaserviceweight
Service weight explains the meaning of the attribute better than location
weight, because the location itself has no weight; only services have.
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-06-17 18:05:03 +02:00
Martin Basti
3c50e42036
DNS Locations: location-del: remove location record
Remove unused location records.
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-06-17 18:05:03 +02:00
Martin Basti
bbf8227e3f
DNS Locations: do not generate location records for unused locations
Location records for locations without assigned servers are useless and
we should not generate them.
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-06-17 18:05:03 +02:00
Martin Basti
b2931210eb
DNS Locations: prevent removal of used locations
The user should be notified that the location is used by IPA server(s) and
the deletion should be aborted.
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-06-17 18:05:03 +02:00
Martin Basti
8dde1201ed
DNS Locations: show warning if there are no DNS servers in a location
DNS servers must be in each location; otherwise a DNS location without an
assigned DNS server will not work.
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-06-17 18:05:03 +02:00
Martin Basti
1997733cdf
DNS Locations: require restart of named-pkcs11 after location change
Send a warning message that the named-pkcs11 service must be restarted after
changes related to locations or server weight.
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-06-17 18:05:03 +02:00
Martin Basti
ef12cad30b
DNS Locations: set proper substitution variable
The DNS server (bind-dyndb-ldap) needs to have
'idnsSubstitutionVariable;ipalocation' set in LDAP to the proper location.
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-06-17 18:05:03 +02:00
Florence Blanc-Renaud
4a7345e448
Always qualify requests for admin in ipa-replica-conncheck
ipa-replica-conncheck connects to the master using an SSH command:
    ssh -o StrictHostKeychecking=no -o UserKnownHostsFile=<tmpfile> \
        -o GSSAPIAuthentication=yes <principal>@<master hostname> \
        echo OK
The issue is that the principal name is not fully qualified (for instance
'admin' is used, even if ipa-replica-conncheck was called with
--principal admin@EXAMPLE.COM).
When the FreeIPA server is running with a /etc/sssd/sssd.conf containing
    [sssd]
    default_domain_suffix = ad.domain.com
this leads to SSH connection failure because admin is not defined in
the default domain.
The fix uses the fully qualified principal name, and calls ssh with
    ssh -o StrictHostKeychecking=no -o UserKnownHostsFile=<tmpfile> \
        -o GSSAPIAuthentication=yes -o User=<principal> \
        <master hostname> echo OK
to avoid syntax issues with admin@DOMAIN@master.
https://fedorahosted.org/freeipa/ticket/5812
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-17 17:31:08 +02:00
Martin Basti
d70e52b61b
DNS Locations: dnsserver: remove config when replica is removed
Configuration of the DNS server should be removed together with any other
information about the replica.
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-17 15:22:24 +02:00
Martin Basti
08265f1e92
DNS Locations: dnsserver: use the newer config way in installer
Store some parts of the DNS configuration in the LDAP tree instead of named.conf.
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-17 15:22:24 +02:00
Martin Basti
52590d6fa5
DNS Locations: dnsserver: put server_id option into named.conf
The option server_id is required for the DNS location feature; otherwise it
will not work.
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-17 15:22:24 +02:00
Martin Basti
2157ea0e6d
DNS Locations: dnsserver-* commands
New commands for manipulating DNS server configuration were added:
* dnsserver-show
* dnsserver-mod
* dnsserver-find
https://fedorahosted.org/bind-dyndb-ldap/wiki/Design/PerServerConfigInLDAP
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-17 15:22:24 +02:00
Martin Basti
88a0952f26
DNS Locations: dnsservers: add required objectclasses
Objectclass: idnsServerConfigObject - stores configuration values for
DNS servers
Attributetype: idnsServerId - identifier of the DNS server (server hostname)
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-17 15:22:24 +02:00
Martin Basti
4076e8e4e5
DNS Locations: server-mod: add automatic records update
Any location or server weight change requires updating the records.
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-17 15:22:24 +02:00
Martin Basti
a7e463948d
DNS Locations: use automatic records update in ipa-adtrust-install
DNS records for adtrust are added by calling dns_update_system_records.
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-17 15:22:24 +02:00
Martin Basti
a5a6ceafcd
DNS Locations: adtrustinstance simplify dns management
The way the IPA domain was obtained in the code was somewhat obfuscated; this
patch simplifies it and makes clear what happens there with the domain name.
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-17 15:22:24 +02:00
Martin Basti
45a9326574
DNS Locations: use dns_update_service_records in installers
Use the dns_update_system_records command to set proper DNS records.
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-17 15:22:24 +02:00
Martin Basti
e23159596e
DNS Locations: command dns-update-system-records
The command dns-update-system-records updates/fixes DNS records for IPA
services:
* updating A, AAAA records for CA
* updating SRV records for LDAP, Kerberos and AD trust
* updating TXT record in _kerberos with proper realm
* updating DNS locations if used
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-17 15:22:24 +02:00
Martin Basti
cf634a4ff8
DNS Locations: add ACI for template attribute
DNS Servers and DNS Administrators must have access to
'idnsTemplateAttribute' to be able to set/read the template
for generating CNAME records pointing to proper location records.
Also, the user must be able to add the objectclass for idnsTemplateAttribute.
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-17 15:22:24 +02:00
Martin Basti
394b094fc2
DNS Locations: permission: allow to read status of services
New permission was added: "System: Read Status of Services on IPA Servers"
This permission is needed to detect which records should be created
on which servers.
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-17 15:22:24 +02:00
Martin Basti
87c23ba029
DNS Locations: DNS data management
Adding a module that allows working with IPA DNS system records:
* getting system records
* updating system records
* working with DNS locations
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-17 15:22:24 +02:00
Martin Basti
745a2e6471
DNS Locations: add idnsTemplateObject objectclass
The objectclass and its related is used for generating CNAME records
inside bind-dyndb-ldap; see the design for more details:
https://fedorahosted.org/bind-dyndb-ldap/wiki/Design/RecordGenerator
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-17 15:22:24 +02:00
Martin Basti
d7671ee667
DNS Locations: fix location-del
The wrong option was used.
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-17 15:22:24 +02:00
Martin Basti
0f5cca0e45
DNS Locations: add index for ipalocation attribute
For performance, ipalocation should be indexed because it is used by the
referint plugin.
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-17 15:22:24 +02:00
Petr Spacek
85d083c366
Require 389-ds-base >= 1.3.5.6
Old DS handles LDAP filters incorrectly and breaks bind-dyndb-ldap.
See https://www.redhat.com/archives/freeipa-devel/2016-June/msg00477.html
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-16 15:02:15 +02:00
Abhijeet Kasurde
6873ac5b03
Added missing translation to automount.py method
Fixes: https://fedorahosted.org/freeipa/ticket/5920
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-16 08:57:55 +02:00
Yuri Chornoivan
dd6645afa9
Fix minor typos
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-06-16 08:47:20 +02:00
Stanislav Laznicka
8e3b7b24c1
Increase nsslapd-db-locks to 50000
Sometimes the lock table would run out of available locks. This should
improve the lock table default configuration.
https://fedorahosted.org/freeipa/ticket/5914
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2016-06-15 18:14:02 +02:00
Stanislav Laznicka
fb4e19713d
Fixes CA always being presented as running
Even after manually stopping the pki-tomcatd service instance the
service's is_running() method would still return True.
https://fedorahosted.org/freeipa/ticket/5898
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-15 18:11:28 +02:00
Fraser Tweedale
01795fca83
upgrade: do not try to start CA if not configured
The upgrade script always attempts to start the CA, even on
instances where the CA is not configured. Add guards.
Fixes: https://fedorahosted.org/freeipa/ticket/5958
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-06-15 17:17:22 +02:00
Jan Cholasta
d26e42ffb0
schema: fix client-side dynamic defaults
Call command_defaults with properly typed arguments.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-15 14:03:51 +02:00
Jan Cholasta
a64aba36a4
schema: exclude local commands
Commands inherited from Local can't be executed remotely, so exclude them
from the API schema.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-15 14:03:51 +02:00
Jan Cholasta
f7240c6df8
frontend: call execute rather than forward in Local
This allows properly subclassing from both Local and other Command classes.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-15 14:03:51 +02:00
Jan Cholasta
448af06234
dns, passwd: fix outputs of dns_resolve and passwd commands
Use the proper output type for the `value` output of the commands.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-15 14:03:51 +02:00
Jan Cholasta
365d973763
misc: fix empty CLI output of env and plugins commands
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-15 14:03:51 +02:00
Jan Cholasta
e2a8290af1
batch, schema: use Dict instead of Any
Add a new Dict parameter class and use it in the batch and command_defaults
plugins.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-15 14:03:51 +02:00