We need to add nfs:NONE as a default PAC type only if there's no
other default PAC type for nfs. Adds a update plugin which
determines whether default PAC type for nfs is set and adds
nfs:NONE PAC type accordingly.
https://fedorahosted.org/freeipa/ticket/3555
In order to have control over the order that updates are applied
a numbering system was created for the update files. These values
were not actually used.
The updates were sorted by DN length and in most cases this was
adequate for proper function. The exception was with roles where
in some cases a role was added as a member of a permission before
the role itself was added so the memberOf value was never created.
Now updates are computed and applied in blocks of 10.
https://fedorahosted.org/freeipa/ticket/3377
The CA cert was not loaded, so if it was missing from the PKCS#12 file,
installation would fail.
Pass the cert filename to the server installers and include it in
the NSS DB.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3363
The CertDB class was meant to be a wrapper around NSS databases,
certutil, pk12util, etc. Unfortunately, over time it grew too
dependent on the particular scenarios it is used in.
Introduce a new class that has no knowledge about IPA configuration,
and move generic code to it.
In the future, generic code should be moved to NSSDatabase, code
for the self-signed CA should be removed, and IPA-specific code may
stay in CertDB (which calls NSSDatabase).
Certificate parsed out of sslget request to pki-ca was not always
properly formatted and it may still contain DOS line ending. Make
sure that the certificate is printed with correct line ending.
The plugin is configured unconditionally (i.e. does not check if
IPA was configured with DNS) as the plugin is needed on all
replicas to prevent objectclass violations due to missing SOA
serial in idnsZone objectclass. The violation could happen if just
one replica configured DNS and added a new zone.
https://fedorahosted.org/freeipa/ticket/3347
Refactor the named.conf parsing and editing functions in bindinstance
so that both "dynamic-db" and "options" sections of named.conf can
be read and updated
https://fedorahosted.org/freeipa/ticket/3429
Attempt to automatically save DNA ranges when a master is removed.
This is done by trying to find a master that does not yet define
a DNA on-deck range. If one can be found then the range on the deleted
master is added.
If one cannot be found then it is reported as an error.
Some validation of the ranges are done to ensure that they do overlap
an IPA local range and do not overlap existing DNA ranges configured
on other masters.
http://freeipa.org/page/V3/Recover_DNA_Rangeshttps://fedorahosted.org/freeipa/ticket/3321
Reorganize ipa-server-instal so that DS (and NTP server) installation
only happens in step one.
Change CAInstance to behave correctly in two-step install.
Add an `init_info` method to DSInstance that includes common
attribute/sub_dict initialization from create_instance and create_replica.
Use it in ipa-server-install to get a properly configured DSInstance
for later tasks.
https://fedorahosted.org/freeipa/ticket/3459
We want to store the raw value. Tools like ldapsearch will automatically
base64 encode the value because it's binary so we don't want to duplicate
that.
https://fedorahosted.org/freeipa/ticket/3477
The unbind and unbind_s functions do the same thing (both are synchronous).
In the low-level IPASimpleLDAPObject, unbind_s rather than unbind is kept.
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
The find_entries method is cumbersome to use: it requires keyword arguments
for simple uses, and callers are tempted to ignore the 'truncated' flag
it returns.
Introduce a simpler method, get_entries, that returns the found
list directly, and raises an errors if the list is truncated.
Replace the getList method by get_entries.
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
Instead of inheritance, the LDAPObject is kept in a `conn` attribute,
as the ldap2 class does it.
However, all IPASimpleLDAPObject methods are still available as before
(using __getattr__-based proxying).
Also, remove the IPAEntryLDAPObject class. The methods it overrode
were never called in ways that would make them behave differently than
the superclass.
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
This decision used the api object, which might not be available
in installer code. Move the decision to callers.
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
