Petr Vobornik
baca55c665
webui: adjust user deleter dialog to new api
In user_del, flags 'permanently' and 'preserve' were replaced with a single
bool option 'preserve'.
part of: https://fedorahosted.org/freeipa/ticket/3813
Reviewed-By: David Kupka <dkupka@redhat.com>
2015-06-18 15:50:44 +02:00
Jan Cholasta
1d60825138
User life cycle: change user-del flags to be CLI-specific
Rename --permanently to --no-preserve.
https://fedorahosted.org/freeipa/ticket/3813
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2015-06-18 15:48:53 +02:00
Martin Babinsky
3bea441808
add DS index for userCertificate attribute
'eq' and 'pres' indices for userCertificate attribute allow for more efficient
lookup and matching of binary certificates assigned to users, hosts, and
services.
Part of http://www.freeipa.org/page/V4/User_Certificates
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-06-18 15:42:03 +02:00
Petr Spacek
b5b8dd6cec
Clarify error messages in ipa-replica-prepare: add_dns_records()
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-06-18 15:01:31 +02:00
Petr Spacek
6259be5fd6
Clarify recommendation about --ip-address option in ipa-replica-prepare
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-06-18 15:01:31 +02:00
Petr Spacek
3c95a5aea2
Improve error messages about reverse address resolution in ipa-replica-prepare
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-06-18 15:01:31 +02:00
Jan Cholasta
c3a3d789b5
install: Fix ipa-replica-install not installing RA cert
https://fedorahosted.org/freeipa/ticket/4468
Reviewed-By: David Kupka <dkupka@redhat.com>
2015-06-18 14:48:31 +02:00
Martin Basti
3ababb763b
DNS: add UnknownRecord to schema
Definition of the UnknownRecord attributetype.
https://fedorahosted.org/freeipa/ticket/4939
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-06-18 14:37:28 +02:00
Petr Spacek
e29f85344c
Bump run-time requires to SoftHSM 2.0.0rc1.
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2015-06-18 14:36:06 +02:00
Nathaniel McCallum
4dfa23256d
Fix OTP token URI generation
Google Authenticator fails if the algorithm is not uppercase.
https://fedorahosted.org/freeipa/ticket/5047
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2015-06-17 16:46:25 +02:00
Jan Cholasta
69607250b9
User life cycle: provide preserved user virtual attribute
https://fedorahosted.org/freeipa/ticket/3813
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2015-06-15 16:13:22 +02:00
Petr Vobornik
e9e4509b10
ipa-replica-manage: adjust del to work with managed topology
Introduces a new method for deletion of a replica. This method is used if
managed topology is enabled.
part of https://fedorahosted.org/freeipa/ticket/4302
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-06-15 16:06:48 +02:00
Petr Vobornik
d58bdf29a5
server: add "del" command
This command is internal and is supposed to be used by ipa-replica-manage to
delete a replica.
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-06-15 16:06:48 +02:00
Petr Vobornik
45dccedd12
ipa-replica-manage: Do not allow topology altering commands from DL 1
With Domain Level 1 and above, the usage of ipa-replica-manage commands
that alter the replica topology is deprecated. The following commands
are prohibited:
* connect
* disconnect
Upon executing any of these commands, users are pointed to the
ipa topologysegment-* replacements.
The exception is creation/deletion of winsync agreements.
Part of: https://fedorahosted.org/freeipa/ticket/4302
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-06-15 15:02:06 +02:00
Petr Vobornik
4137f2a8ed
regenerate ACI.txt after stage user permission rename
./makeaci was not run
2015-06-15 10:23:45 +02:00
Martin Basti
c1d484afde
Server Upgrade: disconnect ldap2 connection before DS restart
Without this patch, the invalid api.Backend.ldap2 connection
was used to communicate with DS and it raises a network error
after the DS restart.
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-06-15 09:54:04 +02:00
Thierry Bordaz
44cced658b
Stage User: Fix permissions naming and split them where appropriate.
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2015-06-15 09:52:42 +02:00
Martin Basti
f763b137ee
DNSSEC: fix traceback during shutdown phase
ipa-dnskeysyncd causes a traceback when receiving SIGTERM or SIGINT.
Ticket: https://fedorahosted.org/freeipa/ticket/4657
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-06-15 09:43:51 +02:00
Petr Vobornik
bb6c0b9c63
topology: fix swapped topologysegment-reinitialize behavior
Setting "nsds5BeginReplicaRefresh;left" to "start" reinitializes the
right node and not the left node. This patch fixes the API to match the
behavior.
part of: https://fedorahosted.org/freeipa/ticket/4302
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-06-15 09:41:48 +02:00
Petr Vobornik
6b153ba876
topology: restrict direction changes
The topology plugin doesn't properly handle:
- creation of a segment with direction 'none' and then upgrade to another
direction
- downgrade of direction
These situations are now forbidden in the API.
part of: https://fedorahosted.org/freeipa/ticket/4302
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-06-15 09:38:46 +02:00
Jan Cholasta
bae80b00a6
install: Fix logging setup in server and replica install
https://fedorahosted.org/freeipa/ticket/4468
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-06-12 05:46:31 +00:00
Petr Spacek
d84680473b
DNSSEC: Detect zone shadowing with incorrect DNSSEC signatures.
https://fedorahosted.org/freeipa/ticket/4657
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-06-11 16:08:42 +02:00
Ludwig Krispenz
056518ab1a
v2-reject modifications of endpoints and connectivity of a segment
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2015-06-11 13:58:02 +02:00
Ludwig Krispenz
b3c2a4b810
make sure the agreement RDN matches the RDN used in the segment
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2015-06-11 13:58:02 +02:00
Petr Vobornik
5089dde2cd
disallow mod of topology segment nodes
Mod of segment ends will be disallowed in the topology plugin.
Reasoning (by Ludwig): if we want to properly allow mods to change
connectivity and endpoints, then we would need to check if the mod
disconnects the topology, delete existing agreements, check if the new
one would be a duplicate and create new agmts. There could be some difficult
scenarios, like having
A <--> B <--> C <--> D;
if you modify the segment B-C to A-D, the topology breaks and is then
reconnected.
part of: https://fedorahosted.org/freeipa/ticket/4302
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-06-11 13:39:09 +02:00
Martin Basti
6a92b32bf2
Revert 389-DS BuildRequires version to 1.3.3.9
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
2015-06-11 13:21:27 +02:00
Petr Spacek
40680fd2a9
Update PKCS#11 mechanism constants for AES key wrapping to PKCS#11 v2.40.
SoftHSM 2.0.0rc1 was updated to these new constants to avoid collision with
Blowfish mechanisms.
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-06-11 13:19:17 +02:00
David Kupka
4d05b5d18d
Use 389-ds centralized scripts.
Directory Server is deprecating the use of tools in instance-specific paths.
Instead, tools in the bin/sbin path should be used.
https://fedorahosted.org/freeipa/ticket/4051
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-06-11 13:16:06 +02:00
Martin Basti
f8c8c360f1
DNSSEC: validate forward zone forwarders
Show warning messages if DNSSEC validation is failing for a particular FW
zone or if the specified forwarders do not work.
https://fedorahosted.org/freeipa/ticket/4657
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-06-11 13:12:31 +02:00
Martin Basti
9aa6124b39
DNSSEC: Improve global forwarders validation
Validation now provides more detailed information and fewer false
positive failures.
https://fedorahosted.org/freeipa/ticket/4657
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-06-11 13:12:31 +02:00
Petr Vobornik
c9cbb1493a
rename topologysegment_refresh to topologysegment_reinitialize
https://fedorahosted.org/freeipa/ticket/5056
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-06-11 13:08:34 +02:00
Fraser Tweedale
947af1a037
Enforce CA ACLs in cert-request command
This commit adds CA ACL enforcement to the cert-request command and
uses the pyhbac machinery.
It is planned to implement ACL enforcement in Dogtag in a future
release, and remove certificate issuance privileges and CA ACL
enforcement responsibility from the framework. See
https://fedorahosted.org/freeipa/ticket/5011 for more information.
Part of: https://fedorahosted.org/freeipa/ticket/57
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-06-11 10:50:31 +00:00
Fraser Tweedale
bc0c606885
Add CA ACL plugin
Implement the caacl commands, which are used to indicate which
principals may be issued certificates from which (sub-)CAs, using
which profiles.
At this commit, and until sub-CAs are implemented, all rules refer
to the top-level CA (represented as ".") and no ca-ref argument is
exposed.
Also, during install and upgrade add a default CA ACL that permits
certificate issuance for all hosts and services using the profile
'caIPAserviceCert' on the top-level CA.
Part of: https://fedorahosted.org/freeipa/ticket/57
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-06-11 10:50:31 +00:00
Petr Vobornik
ae56ca422d
webui: make topology suffixes UI readonly
Admins should not modify topology suffixes. They are created on
install/upgrade.
part of: https://fedorahosted.org/freeipa/ticket/4997
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-06-11 12:21:47 +02:00
Petr Vobornik
99ce650b59
add entries required by topology plugin on update
These entries were not added on upgrade from old IPA servers and on replica
creation.
https://fedorahosted.org/freeipa/ticket/4302
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-06-11 12:10:40 +02:00
Petr Vobornik
7cf82cf9aa
move replications managers group to cn=sysaccounts,cn=etc,$SUFFIX
https://fedorahosted.org/freeipa/ticket/4302
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-06-11 12:10:40 +02:00
Jan Cholasta
e7ac57e139
vault: Fix ipa-kra-install
Use state in LDAP rather than local state to check if KRA is installed.
Use correct log file names.
https://fedorahosted.org/freeipa/ticket/3872
Reviewed-By: David Kupka <dkupka@redhat.com>
2015-06-10 16:17:34 +00:00
Jan Cholasta
cbcd86b500
install: Initialize API early in server and replica install
https://fedorahosted.org/freeipa/ticket/4468
Reviewed-By: David Kupka <dkupka@redhat.com>
2015-06-10 16:17:34 +00:00
Jan Cholasta
81729e22d3
vault: Move vaults to cn=vaults,cn=kra
https://fedorahosted.org/freeipa/ticket/3872
Reviewed-By: David Kupka <dkupka@redhat.com>
2015-06-10 16:17:34 +00:00
Ludwig Krispenz
777a9500ce
check for existing and self referential segments
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2015-06-10 14:32:26 +02:00
Petr Vobornik
2661a860e0
topology: hide topologysuffix-add del mod commands
Suffixes are created on installation/upgrade. Users should not
modify them.
https://fedorahosted.org/freeipa/ticket/4302
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-06-10 14:16:03 +02:00
Petr Vobornik
4232c39f67
topology: allow only one node to be specified in topologysegment-refresh
https://fedorahosted.org/freeipa/ticket/4302
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-06-10 14:14:09 +02:00
Endi S. Dewata
62ef11efad
Fixed KRA installation problem.
The ipa-pki-proxy.conf has been modified to optionally require
client certificate authentication for PKI REST services, as it's
done in standalone PKI, to allow the proper KRA installation.
https://fedorahosted.org/freeipa/ticket/5058
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-06-10 08:37:40 +00:00
Jan Cholasta
46cbe26b51
install: Migrate ipa-replica-install to the install framework
https://fedorahosted.org/freeipa/ticket/4468
Reviewed-By: David Kupka <dkupka@redhat.com>
2015-06-10 07:29:58 +00:00
Jan Cholasta
6f1ae05d8d
install: Allow setting usage in CLI tools
https://fedorahosted.org/freeipa/ticket/4468
Reviewed-By: David Kupka <dkupka@redhat.com>
2015-06-10 07:29:58 +00:00
Jan Cholasta
eb0251c56b
install: Add support for positional arguments in CLI tools
https://fedorahosted.org/freeipa/ticket/4468
Reviewed-By: David Kupka <dkupka@redhat.com>
2015-06-10 07:29:58 +00:00
Jan Cholasta
1bf383e0cf
install: Handle Knob cli_name and cli_aliases values consistently
https://fedorahosted.org/freeipa/ticket/4468
Reviewed-By: David Kupka <dkupka@redhat.com>
2015-06-10 07:29:58 +00:00
Simo Sorce
f530886193
Fix s4u2proxy README and add warning
The attribute mentioned was using an older name that was later changed
in the implementation.
Also add a prominent warning about the use of the kadmin flags.
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
2015-06-08 14:37:29 -04:00
Jan Cholasta
eb959221e1
install: Migrate ipa-server-install to the install framework
https://fedorahosted.org/freeipa/ticket/4468
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-06-08 15:34:11 +00:00
Jan Cholasta
9e9c01fba2
install: Introduce installer framework ipapython.install
https://fedorahosted.org/freeipa/ticket/4468
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-06-08 15:34:11 +00:00