Gabe
7eca640ffa
Remove trivial path constants from modules
https://fedorahosted.org/freeipa/ticket/4399
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-11-04 12:57:01 +01:00
Martin Basti
5e1172f560
fix forwarder validation errors
Fix tests, validation in dnsconfig mod, wuser warning
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-10-21 15:55:09 +02:00
Alexander Bokovoy
20761f7fcd
Default to use TLSv1.0 and TLSv1.1 on the IPA server side
We only will be changing the setting on the install.
For modifying existing configurations please follow instructions
at https://access.redhat.com/solutions/1232413
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-21 15:54:02 +02:00
Martin Basti
3eec7e1f53
fix DNSSEC restore named state
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-10-21 15:52:47 +02:00
Alexander Bokovoy
eb4d559f3b
updater: enable uid uniqueness plugin for posixAccounts
https://fedorahosted.org/freeipa/ticket/4636
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-21 13:46:55 +02:00
Martin Basti
49547a54dd
DNSSEC: add files to backup
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417
Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Martin Basti
8f2f5dfbdf
DNSSEC: modify named service to support dnssec
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417
Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Martin Basti
ca030a089f
DNSSEC: validate forwarders
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417
Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Martin Basti
30bc3a55cf
DNSSEC: platform paths and services
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417
Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Martin Basti
9101cfa60f
DNSSEC: opendnssec services
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417
Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Martin Basti
eb54814741
DNSSEC: DNS key synchronization daemon
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417
Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Martin Basti
9184d9a1bb
DNSSEC: schema
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417
Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Martin Basti
78018dd67d
Add mask, unmask methods for service
This patch allows masking and unmasking services in IPA
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Alexander Bokovoy
bd98ab0356
Support idviews in compat tree
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-10-20 16:47:49 +02:00
Nathaniel McCallum
68825e7ac6
Configure IPA OTP Last Token plugin on upgrade
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-20 10:18:47 +02:00
Petr Vobornik
6f81217c18
dns: fix privileges' memberof during dns install
Permissions with member attrs pointing to privileges are created before the privileges.
Run memberof plugin task to fix other ends of the relationships.
https://fedorahosted.org/freeipa/ticket/4637
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-17 14:08:37 +02:00
Jan Cholasta
608851d3f8
Check LDAP instead of local configuration to see if IPA CA is enabled
The check is done using a new hidden command ca_is_enabled.
https://fedorahosted.org/freeipa/ticket/4621
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-17 12:53:11 +02:00
David Kupka
c44f4dcbea
Stop dogtag when updating its configuration in ipa-upgradeconfig.
Modifying CS.cfg when dogtag is running may (and does) result in corrupting
this file.
https://fedorahosted.org/freeipa/ticket/4569
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-10-15 09:12:11 +02:00
Martin Basti
7ad70025eb
Make named.conf template platform independent
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-10-14 13:55:02 +02:00
Martin Basti
97195eb07c
Add missing attributes to named.conf
Ticket: https://fedorahosted.org/freeipa/ticket/3801#comment:31
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-10-14 13:55:02 +02:00
Jan Cholasta
4cdeacdedf
Support MS CS as the external CA in ipa-server-install and ipa-ca-install
Added a new option --external-ca-type which specifies the type of the
external CA. It can be either "generic" (the default) or "ms-cs". If "ms-cs"
is selected, the CSR generated for the IPA CA will include the MS template name
extension (OID 1.3.6.1.4.1.311.20.2) with template name "SubCA".
https://fedorahosted.org/freeipa/ticket/4496
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-13 12:18:09 +02:00
David Kupka
35c7bd05af
Check that port 8443 is available when installing PKI.
https://fedorahosted.org/freeipa/ticket/4564
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-10 11:57:44 +02:00
Jan Cholasta
92a08266af
Fix certmonger configuration in installer code
https://fedorahosted.org/freeipa/ticket/4619
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-10 08:48:25 +02:00
Petr Viktorin
cc085d1d4c
backup/restore: Add files from /etc/ipa/nssdb
Add files from /etc/ipa/nssdb (IPA_NSSDB_DIR), which is now used
instead of /etc/pki/nssdb (NSS_DB_DIR).
The old location is still supported.
https://fedorahosted.org/freeipa/ticket/4597
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-10-02 13:53:55 +02:00
Tomas Babej
00457a9c10
idviews: Fix typo in upgrade handling of the Default Trust View
Fixed missing comma. Also removes leading spaces from the ldif,
since this is not stripped by the updater.
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-09-30 11:49:53 +02:00
Tomas Babej
2a230b6cc1
idviews: Create Default Trust View for upgraded servers
For upgraded servers with enabled AD trust support, we want to
ensure that the Default Trust View entry is created.
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
b9425751b4
idviews: Add Default Trust View as part of adtrustinstall
Add a Default Trust View, which is used by SSSD as default mapping for AD users.
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
6a798f144f
trusts: Add conversion from SID to object name
Since a SID is often used as a unique identifier for AD objects, we need to convert
a SID to the actual object name in the AD.
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
16f3786d25
idviews: Add necessary schema for the ID views
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Jan Cholasta
b1fe42df16
Do not crash in CAInstance.__init__ when default argument values are used
https://fedorahosted.org/freeipa/ticket/3872
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-09-30 10:06:48 +02:00
Jan Cholasta
da24d8a6e7
Fix certmonger search for the CA cert in ipa-certupdate and ipa-cacert-manage
The search criteria did not include the CA agent name.
https://fedorahosted.org/freeipa/ticket/3259
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-09-30 10:01:38 +02:00
Jan Cholasta
86c534df7d
Move NSSDatabase from ipaserver.certs to ipapython.certdb
https://fedorahosted.org/freeipa/ticket/4416
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-09-30 10:01:38 +02:00
Jan Cholasta
83cbfa8eae
Do stricter validation of CA certificates
Every CA certificate must have a non-empty subject and a basic constraints
extension with the CA flag set.
https://fedorahosted.org/freeipa/ticket/4477
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-09-30 08:50:47 +02:00
Jan Cholasta
3cde7e9cfd
Allow choosing CA-less server certificates by name
Added new --*-cert-name options to ipa-server-install and ipa-replica-prepare
and --cert-name option to ipa-server-certinstall. The options allow choosing
a particular certificate and private key from PKCS#12 files by its friendly
name.
https://fedorahosted.org/freeipa/ticket/4489
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-09-30 08:50:47 +02:00
Jan Cholasta
88083887c9
CA-less installer options usability fixes
The --*_pkcs12 options of ipa-server-install and ipa-replica-prepare have
been replaced by --*-cert-file options which accept multiple files.
ipa-server-certinstall now accepts multiple files as well. The files are
accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and
raw private key and PKCS#12 formats.
The --root-ca-file option of ipa-server-install has been replaced by
--ca-cert-file option which accepts multiple files. The files are
accepted in PEM and DER certificate and PKCS#7 certificate chain formats.
The --*_pin options of ipa-server-install and ipa-replica-prepare have been
renamed to --*-pin.
https://fedorahosted.org/freeipa/ticket/4489
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-09-30 08:50:47 +02:00
Jan Cholasta
3aa0731fc6
External CA installer options usability fixes
The --external_cert_file and --external_ca_file options of ipa-server-install
and ipa-ca-install have been replaced by --external-cert-file option which
accepts multiple files. The files are accepted in PEM and DER certificate and
PKCS#7 certificate chain formats.
https://fedorahosted.org/freeipa/ticket/4480
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-09-30 08:50:47 +02:00
Jan Cholasta
60ecba77cd
Add NSSDatabase.import_files method for importing files in various formats
The files are accepted in PEM and DER certificate, PKCS#7 certificate chain,
PKCS#8 and raw private key and PKCS#12 formats.
https://fedorahosted.org/freeipa/ticket/4480
https://fedorahosted.org/freeipa/ticket/4489
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-09-30 08:50:47 +02:00
Jan Cholasta
f8f3d58688
Allow specifying signing algorithm of the IPA CA cert in ipa-server-install.
This is especially useful for external CA install, as the algorithm is also
used for the CSR signature.
https://fedorahosted.org/freeipa/ticket/4447
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-09-29 13:40:57 +02:00
David Kupka
947c7398ed
Detect and configure all usable IP addresses.
Find, verify and configure all IP addresses that can be used to reach the server
FreeIPA is being installed on. Ignore some IP addresses only if the user specifies
a subset of detected addresses using the --ip-address option.
This change simplifies FreeIPA installation on multihomed and dual-stacked servers.
https://fedorahosted.org/freeipa/ticket/3575
Reviewed-By: Martin Basti <mbasti@redhat.com>
2014-09-26 17:54:18 +02:00
Petr Viktorin
f866186239
ipaserver.install.service: Don't show error message on SystemExit(0)
Additional fix for: https://fedorahosted.org/freeipa/ticket/4499
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-09-26 16:55:54 +02:00
Martin Basti
66ce71f17a
LDAP disable service
This patch allows disabling a service in LDAP (ipactl will not start it)
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-09-26 13:36:04 +02:00
Martin Basti
29ba9d9d26
Refactoring of autobind, object_exists
Required to prevent code duplication
ipaldap.IPAdmin now has method do_bind, which tries several bind methods
ipaldap.IPAClient now has method object_exists(dn)
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-09-26 13:21:15 +02:00
Petr Viktorin
dea825fd9c
ipa-restore: Set SELinux booleans when restoring
https://fedorahosted.org/freeipa/ticket/4157
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2014-09-26 12:12:59 +02:00
Petr Viktorin
c7d6fea06f
Move setting SELinux booleans to platform code
Create a platform task for setting SELinux booleans.
Use an exception for the case when the booleans could not be set
(since this is an error if not handled).
Since ipaplatform should not depend on ipalib, create a new
errors module in ipapython for SetseboolError.
Handle uninstallation with the same task, which means
the booleans are now restored with a single call to
setsebool.
Preparation for: https://fedorahosted.org/freeipa/ticket/4157
Fixes: https://fedorahosted.org/freeipa/ticket/2934
Fixes: https://fedorahosted.org/freeipa/ticket/2519
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2014-09-26 12:12:59 +02:00
Martin Basti
7e24e241ba
Add correct NS records during installation
All ipa-dns capable servers are added to root zones as nameservers
During uninstall all NS records pointing to particular replica are
removed.
Part of ticket: https://fedorahosted.org/freeipa/ticket/4149
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-09-25 16:38:02 +02:00
Petr Viktorin
ffe4417c63
ipa-replica-prepare: Wait for the DNS entry to be resolvable
It takes some time after the DNS record is added until it propagates
to Bind. In automated installations, it might happen that
replica-install is attempted before the hostname is resolvable;
in that case the connection check would fail.
Wait for the name to be resolvable at the end of replica-prepare.
Mention that this can be interrupted (Ctrl+C).
Provide an option to skip the wait.
In case DNS is not managed by IPA, this reminds the admin of the necessary
configuration and checks their work, but it's possible to skip (either by
interrupting it interactively, or by the option).
https://fedorahosted.org/freeipa/ticket/4551
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-09-25 15:31:08 +02:00
Petr Viktorin
9a188607fc
upgradeinstance: Restore listeners on failure
Allow running some installation after failure,
and use this for the upgradeinstance cleanup steps.
https://fedorahosted.org/freeipa/ticket/4499
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-09-25 13:23:51 +02:00
Martin Basti
c81acfff43
FIX: ldap schema updater needs correct ordering of the updates
Required bugfix in python-ldap 2.4.15
Updates must respect SUP objectclasses/attributes and update
dependencies first
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-09-25 12:57:01 +02:00
Jan Cholasta
f680a63158
Fix certmonger code causing the ca_renewal_master update plugin to fail
https://fedorahosted.org/freeipa/ticket/4547
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-09-23 16:25:15 +02:00
Petr Viktorin
abba25c826
ipa_backup: Log where the backup is stored
This makes managing multiple backups & logs easier.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-09-23 12:29:37 +02:00