This daemon listens for RADIUS packets on a well known
UNIX domain socket. When a packet is received, it queries
LDAP to see if the user is configured for RADIUS authentication.
If so, then the packet is forwarded to the 3rd party RADIUS server.
Otherwise, a bind is attempted against the LDAP server.
https://fedorahosted.org/freeipa/ticket/3366http://freeipa.org/page/V3/OTP
Introduce new command, 'trust-resolve', to aid resolving SIDs to names
in the Web UI.
The command uses new SSSD interface, nss_idmap, to resolve actual SIDs.
SSSD caches resolved data so that future requests to resolve same SIDs
are returned from a memory cache.
Web UI code is using Dojo/Deferred to deliver result of SID resolution
out of band. Once resolved names are available, they replace SID values.
Since Web UI only shows ~20 records per page, up to 20 SIDs are resolved
at the same time. They all sent within the single request to the server.
https://fedorahosted.org/freeipa/ticket/3302
Upgrading from d9 -> d10 does not set up the RESTful interface
in dogtag, they just never coded it. Rather than trying to backport
things they have decided to not support upgrades.
We need to catch this and report a more reasonable error. They are
returning a 501 (HTTP method unimplemented) in this case.
https://fedorahosted.org/freeipa/ticket/3549
nss-pam-ldapd in 0.8.4 changed the default to map uniqueMember to
member so it is no longer needed in the config file, and in fact
causes an error to be raised.
Add a Conflicts on older versions.
https://fedorahosted.org/freeipa/ticket/3589
There were cases where a base64-encoded cert with no header/footer would
not be handled properly and rejected. This was causing the CA install
to fail.
https://fedorahosted.org/freeipa/ticket/3586
Make sure /etc/ipa is created and owned by freeipa-python package.
Report correct error to user if /etc/ipa is missing during client installation.
https://fedorahosted.org/freeipa/ticket/3551
Require samba 4.0.5 (passdb API changed). Make sure that we use the
right epoch number with samba so that the Requires is correctly
enforced.
Require krb5 1.11.2-1 to fix missing PAC issue.
Also fix backup dir permissions.
Find out Kerberos middle version to infer ABI changes in DAL driver.
We cannot load DAL driver into KDC with wrong ABI. This is also needed to
support ipa-devel repository where krb5 1.11 is available for Fedora 18.
Pulls the following fixes:
- upgrade deadlock caused by DNA plugin reconfiguration
- CVE-2013-1897: unintended information exposure when rootdse is
enabled
https://fedorahosted.org/freeipa/ticket/3540
This required target is no longer needed as systemd from version 38
has its own journal which is also in the basic set of service unit
requirementes.
https://fedorahosted.org/freeipa/ticket/3511
This patch includes several cleanups needed for Fedora 19 build:
* ipa-kdb is compatible with both krb5 1.10 and 1.11 which contains
an updated DAL interface. Remove the conflict from spec file.
* Fix ipa-ldap-updater call to produce errors only to avoid
cluttering rpm update output
* Remove httpd_conf constant which was not used
https://fedorahosted.org/freeipa/ticket/3502
Default value "1" is added to replicated idnsZone objects
if idnsSOASerial attribute is missing.
https://fedorahosted.org/freeipa/ticket/3347
Signed-off-by: Petr Spacek <pspacek@redhat.com>
- Automatically add a "Logging and output options" group with the --quiet,
--verbose, --log-file options.
- Set up logging based on these options; details are in the setup_logging
docstring and in the design document.
- Don't bind log methods as individual methods of the class. This means one
less linter exception.
- Make the help for command line options consistent with optparse's --help and
--version options.
Design document: http://freeipa.org/page/V3/Logging_and_output
dogtag opens its NSS database in read/write mode so we need to be very
careful during renewal that we don't also open it up read/write. We
basically need to serialize access to the database. certmonger does the
majority of this work via internal locking from the point where it generates
a new key/submits a rewewal through the pre_save and releases the lock after
the post_save command. This lock is held per NSS database so we're save
from certmonger. dogtag needs to be shutdown in the pre_save state so
certmonger can safely add the certificate and we can manipulate trust
in the post_save command.
Fix a number of bugs in renewal. The CA wasn't actually being restarted
at all due to a naming change upstream. In python we need to reference
services using python-ish names but the service is pki-cad. We need a
translation for non-Fedora systems as well.
Update the CA ou=People entry when he CA subsystem certificate is
renewed. This certificate is used as an identity certificate to bind
to the DS instance.
https://fedorahosted.org/freeipa/ticket/3292https://fedorahosted.org/freeipa/ticket/3322
certmonger may provide new CAs, as in the case from upgrading IPA 2.2
to 3.x. We need these new CAs available during the upgrade process.
The certmonger package does its own condrestart as part of %postun
which runs after the %post script of freeipa-server, so we need to
restart it ourselves before upgrading.
https://fedorahosted.org/freeipa/ticket/3378
Rhino is needed for Web UI build. Rhino needs java, but from package perspective
java-1.7.0-openjdk requires rhino. So the correct BuildRequires is
java-1.7.0-openjdk.
Updated makefiles to comply to new directory structure and also to use builder
for building Web UI.
FreeIPA package spec is modified to use the output of the builder.
https://fedorahosted.org/freeipa/ticket/112
The configuration code has been modified to use the ConfigParser to
set the parameters in the CA section in the deployment configuration.
This allows IPA to define additional PKI subsystems in the same
configuration file.
PKI Ticket #399 (https://fedorahosted.org/pki/ticket/399)
The new merged database will replicate with both the IPA and CA trees, so all
DS instances (IPA and CA on the existing master, and the merged one on the
replica) need to have the same schema.
Dogtag does all its schema modifications online. Those are replicated normally.
The basic IPA schema, however, is delivered in ldif files, which are not
replicated. The files are not present on old CA DS instances. Any schema
update that references objects in these files will fail.
The whole 99user.ldif (i.e. changes introduced dynamically over LDAP) is
replicated as a blob. If we updated the old master's CA schema dynamically
during replica install, it would conflict with updates done during the
installation: the one with the lower CSN would get lost.
Dogtag's spawn script recently grew a new flag, 'pki_clone_replicate_schema'.
Turning it off tells Dogtag to create its schema in the clone, where the IPA
modifications are taking place, so that it is not overwritten by the IPA schema
on replication.
The patch solves the problems by:
- In __spawn_instance, turning off the pki_clone_replicate_schema flag.
- Providing a script to copy the IPA schema files to the CA DS instance.
The script needs to be copied to old masters and run there.
- At replica CA install, checking if the schema is updated, and failing if not.
The --skip-schema-check option is added to ipa-{replica,ca}-install to
override the check.
All pre-3.1 CA servers in a domain will have to have the script run on them to
avoid schema replication errors.
https://fedorahosted.org/freeipa/ticket/3213
New servers that are installed with dogtag 10 instances will use
a single database instance for dogtag and IPA, albeit with different
suffixes. Dogtag will communicate with the instance through a
database user with permissions to modify the dogtag suffix only.
This user will authenticate using client auth using the subsystem cert
for the instance.
This patch includes changes to allow the creation of masters and clones
with single ds instances.
python-crypto package is not available everywhere, use m2crypto instead.
Originally we thought to extend python-krbV to provide krb5_c_encrypt()
wrapper but m2crypto is readily available.
https://fedorahosted.org/freeipa/ticket/3271
FreeIPA 3.0 is being released to Fedora 18 only. Since we only support
Fedora 17 and Fedora 18 in FreeIPA 3.0+, compatibility code for older
Fedoras can be dropped. This should clean up the spec file and make it
more readable.
Dogtag10 Requires were fixed. Without this patch, there is a conflict
on dogtag-pki-common-theme.
Tar requirement was added to avoid crashes in ipa-replica-prepare on
some minimal Fedora composes.
https://fedorahosted.org/freeipa/ticket/2748https://fedorahosted.org/freeipa/ticket/3237
bind-dyndb-ldap allows disabling global forwarder per-zone. This may
be useful in a scenario when we do not want requests to delegated
sub-zones (like sub.example.com. in zone example.com.) to be routed
through global forwarder.
Few lines to help added to explain the feature to users too.
https://fedorahosted.org/freeipa/ticket/3209
We check (possibly different) data from LDAP only at (re)start.
This way we always shutdown exactly the services we started even if the list
changed in the meanwhile (we avoid leaving a service running even if it was
removed from LDAP as the admin decided it should not be started in future).
This should also fix a problematic deadlock with systemd when we try to read
the list of service from LDAP at shutdown.
If ipa-server-trust-ad is installed after the ipa server is installed
and configured, httpd needs a restart for additional python modules to
be loaded into httpd on IPA initialization.
Fixes https://fedorahosted.org/freeipa/ticket/3185
Requires(pre) only guarantees that package will be present before
package scriptlets are run. However, the package can be removed
after installation is finished without removing also IPA. Add
standard Requires for these dependencies.
Remove PRE version number from VERSION. This update and following
is done on a top of IPA 3.0.0 GA.
https://fedorahosted.org/freeipa/ticket/3189
Report errors just like with ipa-ldap-updater. These messages should warn
user that some parts of the upgrades may have not been successful and
he should follow up on them. Otherwise, user may not notice them at all.
ipa-upgradeconfig now has a new --quiet option to make it output only error
level log messages or higher. ipa-upgradeconfig run without options still
pring INFO log messages as it can provide a clean overview about its
actions (unlike ipa-ldap-updater).
https://fedorahosted.org/freeipa/ticket/3157
Our code strictly depends on 1.10 as the KDC DAL plugin interface is not
guaranteed stable and indeed is different in 1.9 and will be different
in 1.11
So we cannot allow upgrades to 1.11 until we can provide a plugin that matches
1.11's interface.
Since use of winbind on FreeIPA server that is configured with trusts is
conflicting with krb5 locator based on winbind, use alternatives mechanism
to turn off the locator plugin by symlinking it to /dev/null.
https://fedorahosted.org/freeipa/ticket/3102
