It is necessary to fix trust flags only in the HTTP NSS DB, as it is used as
a source in the upload_cacrt update plugin.
https://fedorahosted.org/freeipa/ticket/4621
Reviewed-By: David Kupka <dkupka@redhat.com>
These defaults are pretty useless and cause more confusion than
they are worth. The serial default never worked anyway. And now
that we are displaying the token type separately, there is no
reason to doubly record these data points.
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
The --ca-signing-algorithm option is available in ipa-server-install, make
it available in ipa-ca-install as well.
https://fedorahosted.org/freeipa/ticket/4447
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Using strip() instead split() caused that only first character of path was specified.
Also using shlex for more robust parsing.
https://fedorahosted.org/freeipa/ticket/4624
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Modifying CS.cfg when dogtag is running may (and does) result in corrupting
this file.
https://fedorahosted.org/freeipa/ticket/4569
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
For changes in cn=changelog or o=ipaca the scheam comapat plugin doesn't need to be
executed. It saves many internal searches and reduces contribution to lock
contention across backens in DS.
https://fedorahosted.org/freeipa/ticket/4586
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
In previous versions (before moving certmonger.py to DBus) it was set and some
tools and modules depends on it. For example: ipa-getcert uses this to filter
freeipa certificates.
https://fedorahosted.org/freeipa/ticket/4618
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Added a new option --external-ca-type which specifies the type of the
external CA. It can be either "generic" (the default) or "ms-cs". If "ms-cs"
is selected, the CSR generated for the IPA CA will include MS template name
extension (OID 1.3.6.1.4.1.311.20.2) with template name "SubCA".
https://fedorahosted.org/freeipa/ticket/4496
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Overrides for users can have SSH public keys. This, however, will not enable
SSH public keys from overrides to be actually used until SSSD gets fixed to
pull them in.
SSSD ticket for SSH public keys in overrides:
https://fedorahosted.org/sssd/ticket/2454
Resolves https://fedorahosted.org/freeipa/ticket/4509
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Ipactl sorted service start order as string, which causes service with start order
100 starts before service with start order 30.
Patch fixes ipactl to use integers for ordering.
Reviewed-By: David Kupka <dkupka@redhat.com>
SSSD does not support sudo rules for local users;
these should be added in a local sudoers file.
https://fedorahosted.org/freeipa/ticket/4608
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Add files from /etc/ipa/nssdb (IPA_NSSDB_DIR), which now used
instead of /etc/pki/nssdb (NSS_DB_DIR).
The old location is still supported.
https://fedorahosted.org/freeipa/ticket/4597
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Fixed missing comma. Also removes leading spaces from the ldif,
since this is not stripped by the updater.
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Usual link columns are link with primary key of current entity.
This patch allows to create a link to arbitrary non-nested entity.
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
