David Kupka
82c3c2b242
Remove unneeded internal methods. Move code to public methods.
...
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-11-11 09:18:30 +01:00
Gabe
d95d557ce5
ipa-server-install Directory Manager help incorrect
...
https://fedorahosted.org/freeipa/ticket/4694
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-11-11 09:16:16 +01:00
Endi S. Dewata
80a8df3f19
Modified NSSConnection not to shut down existing database.
...
The NSSConnection class has been modified not to shut down the
existing NSS database if the database is already opened to
establish an SSL connection, or is already opened by another
code that uses an NSS database without establishing an SSL
connection such as vault CLIs.
https://fedorahosted.org/freeipa/ticket/4638
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-11-11 09:09:19 +01:00
Petr Spacek
74e0a8cebc
Fix minimal version of BIND for Fedora 20 and 21
...
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2014-11-07 17:13:45 +01:00
Tomas Babej
b168a7f2d1
specfile: Add BuildRequires for pki-base 10.2.1-0
...
https://fedorahosted.org/freeipa/ticket/4688
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-11-07 12:29:33 +01:00
Alexander Bokovoy
0df3119b66
Update slapi-nis dependency to pull 0.54.1
...
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-11-07 10:28:00 +01:00
Nathaniel McCallum
79df668b5d
Ensure that a password exists after OTP validation
...
Before this patch users could log in using only the OTP value. This
arose because ipapwd_authentication() successfully determined that
an empty password was invalid, but 389 itself would see this as an
anonymous bind. An anonymous bind would never even get this far in
this code, so we simply deny requests with empty passwords.
This patch resolves CVE-2014-7828.
https://fedorahosted.org/freeipa/ticket/4690
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-11-06 10:56:19 +01:00
Martin Basti
730f33680b
Fix upgrade: do not use invalid ldap connection
...
Ticket: https://fedorahosted.org/freeipa/ticket/4670
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-11-06 10:45:16 +01:00
David Kupka
9335552418
Stop dirsrv last in ipactl stop.
...
Other services may depend on directory server.
https://fedorahosted.org/freeipa/ticket/4632
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-11-06 10:43:11 +01:00
Thierry bordaz (tbordaz)
85eb17553f
Deadlock in schema compat plugin (between automember_update_membership task and dse update)
...
Defining schema-compat-ignore-subtree values for schema compat plugin config entries removes the
default value (ignore: cn=tasks,cn=config). This default value prevented deadlocks.
Schema plugin needs to scope the $SUFFIX and also any updates to its configuration.
This change restricts the schema compat to those subtrees. It replaces the definition of ignored subtrees
that would be too long for cn=config (tasks, mapping tree, replication, snmp..)
https://fedorahosted.org/freeipa/ticket/4635
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-11-06 09:38:45 +01:00
Jan Cholasta
4589ef133c
Fix various bugs in ipap11helper
...
Fixes a memory leak, a library handle leak and a double free.
Also remove some redundant NULL checks before free to prevent false positives
in static code analysis.
https://fedorahosted.org/freeipa/ticket/4651
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-11-05 15:28:27 +01:00
Jan Cholasta
ade02cdac4
Fix memory leaks in ipa-join
...
Also remove dead code in ipa-join and add initializer to a variable in
ipa-getkeytab to prevent false positives in static code analysis.
https://fedorahosted.org/freeipa/ticket/4651
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-11-05 15:28:27 +01:00
Jan Cholasta
4e49f39e1a
Fix memory leak in ipa-pwd-extop
...
Also remove dead code and explicitly mark an ignored return value to prevent
false positives in static code analysis.
https://fedorahosted.org/freeipa/ticket/4651
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-11-05 15:28:27 +01:00
Jan Cholasta
9062dcada4
Fix various bugs in ipa-opt-counter and ipa-otp-lasttoken
...
Fixes a wrong sizeof argument and unchecked return values.
https://fedorahosted.org/freeipa/ticket/4651
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-11-05 15:28:27 +01:00
Jan Cholasta
701dde3cb3
Fix memory leaks in ipa-extdom-extop
...
https://fedorahosted.org/freeipa/ticket/4651
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-11-05 15:28:27 +01:00
Jan Cholasta
08ee4a2e6f
Fix possible NULL dereference in ipa-kdb
...
https://fedorahosted.org/freeipa/ticket/4651
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-11-05 15:28:27 +01:00
Jan Cholasta
2cf0f0a658
Fail if certmonger can't see new CA certificate in LDAP in ipa-cacert-manage
...
This should not normally happen, but if it does, report an error instead of
waiting indefinitely for the certificate to appear.
https://fedorahosted.org/freeipa/ticket/4629
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-11-05 15:26:42 +01:00
David Kupka
364d466fd7
Respect UID and GID soft static allocation.
...
https://fedoraproject.org/wiki/Packaging:UsersAndGroups?rd=Packaging/UsersAndGroups#Soft_static_allocation
https://fedorahosted.org/freeipa/ticket/4585
Reviewed-By: Martin Basti <mbasti@redhat.com>
2014-11-05 15:22:51 +01:00
Endi S. Dewata
0b08043c37
Fixed KRA backend.
...
The KRA backend has been simplified since most of the tasks have
been moved somewhere else. The transport certificate will be
installed on the client, and it is not needed by KRA backend. The
KRA agent's PEM certificate is now generated during installation
due to a permission issue. The kra_host() for now is removed since
the current ldap_enable() cannot register the KRA service, so it
is using the kra_host environment variable.
The KRA installer has been modified to use Dogtag's CLI to create
KRA agent and setup the client authentication.
The proxy settings have been updated to include KRA's URLs.
Some constants have been renamed for clarity. The DOGTAG_AGENT_P12
has been renamed to DOGTAG_ADMIN_P12 since the file actually contains
the Dogtag admin's certificate and private key and it can be used
to access both CA and KRA. The DOGTAG_AGENT_PEM has been renamed
to KRA_AGENT_PEM since it can only be used for KRA.
The Dogtag dependency has been updated to 10.2.1-0.1.
https://fedorahosted.org/freeipa/ticket/4503
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-11-04 16:33:16 +01:00
Martin Basti
e7edac30a1
Fix CI tests: install_adtrust
...
IPA uses both named and named-pkcs11 service.
If named is masked use named-pkcs11, instead of raising exception
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-11-04 16:23:41 +01:00
Gabe
7eca640ffa
Remove trivial path constants from modules
...
https://fedorahosted.org/freeipa/ticket/4399
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-11-04 12:57:01 +01:00
Martin Basti
42724a4b22
Add bind-dyndb-ldap working dir to IPA specfile
...
https://fedorahosted.org/freeipa/ticket/4657#comment:6
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-10-31 15:04:53 +01:00
Jan Cholasta
35947c6e10
Do not wait for new CA certificate to appear in LDAP in ipa-certupdate
...
If new certificate is not available, reuse the old one, instead of waiting
indefinitely for the new certificate to appear.
https://fedorahosted.org/freeipa/ticket/4628
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-30 10:51:36 +01:00
Jan Cholasta
a649a84a1b
Handle profile changes in dogtag-ipa-ca-renew-agent
...
To update the CA certificate in the Dogtag NSS database, the
"ipa-cacert-manage renew" and "ipa-certupdate" commands temporarily change
the profile of the CA certificate certmonger request, resubmit it and
change the profile back to the original one.
When something goes wrong while resubmitting the request, it needs to be
modified and resubmitted again manually. This might fail with invalid
cookie error, because changing the profile does not change the internal
state of the request.
Detect this in dogtag-ipa-ca-renew-agent and reset the internal state when
profile is changed.
https://fedorahosted.org/freeipa/ticket/4627
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-29 15:06:05 +01:00
Petr Spacek
ac500003fd
Fix zone name to directory name conversion in BINDMgr.
...
https://fedorahosted.org/freeipa/ticket/4657
Reviewed-By: Martin Basti <mbasti@redhat.com>
2014-10-29 15:02:08 +01:00
Martin Basti
e971fad5c1
Fix dns zonemgr validation regression
...
https://fedorahosted.org/freeipa/ticket/4663
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-27 15:55:34 +01:00
Alexander Bokovoy
d6b28f29ec
Add ipaSshPubkey and gidNumber to the ACI to read ID user overrides
...
https://fedorahosted.org/freeipa/ticket/4664
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-24 15:54:43 +02:00
Jan Cholasta
50e6633734
Do not check if port 8443 is available in step 2 of external CA install
...
The port is never available in step 2 of external CA install, as Dogtag is
already running.
https://fedorahosted.org/freeipa/ticket/4660
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-22 14:20:27 +02:00
Petr Vobornik
09808c92c0
build: increase java stack size for all arches
...
Gradually new arches which need a bigger stack size for web ui build appear. It's safer to increase the stack size for every architecture and avoid possible future issues.
Reason: build fail on armv7hl
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-22 13:55:28 +02:00
Martin Basti
5e1172f560
fix forwarder validation errors
...
Fix tests, validation in dnsconfig mod, wuser warning
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-10-21 15:55:09 +02:00
Alexander Bokovoy
20761f7fcd
Default to use TLSv1.0 and TLSv1.1 on the IPA server side
...
We only will be changing the setting on the install.
For modifying existing configurations please follow instructions
at https://access.redhat.com/solutions/1232413
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-21 15:54:02 +02:00
Martin Basti
3eec7e1f53
fix DNSSEC restore named state
...
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-10-21 15:52:47 +02:00
Alexander Bokovoy
eb4d559f3b
updater: enable uid uniqueness plugin for posixAccounts
...
https://fedorahosted.org/freeipa/ticket/4636
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-21 13:46:55 +02:00
Jan Cholasta
2a4ba3d3cc
DNSSEC: remove container_dnssec_keys
...
Reviewed-By: Martin Basti <mbasti@redhat.com>
2014-10-21 12:23:39 +02:00
Martin Basti
10725033c6
DNSSEC: change link to ipa page
...
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417
Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Martin Basti
49547a54dd
DNSSEC: add files to backup
...
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417
Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Petr Spacek
276e69de87
DNSSEC: add ipa dnssec daemons
...
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417
Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Martin Basti
5556b7f50e
DNSSEC: ACI
...
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417
Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Martin Basti
d673ebe4a1
DNSSEC: upgrading
...
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417
Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Martin Basti
21aef21fb5
DNSSEC: uninstallation
...
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417
Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Martin Basti
e798bad646
DNSSEC: installation
...
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417
Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Martin Basti
8f2f5dfbdf
DNSSEC: modify named service to support dnssec
...
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417
Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Martin Basti
ca030a089f
DNSSEC: validate forwarders
...
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417
Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Martin Basti
30bc3a55cf
DNSSEC: platform paths and services
...
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417
Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Martin Basti
9101cfa60f
DNSSEC: opendnssec services
...
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417
Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Martin Basti
eb54814741
DNSSEC: DNS key synchronization daemon
...
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417
Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Martin Basti
bcce86554f
DNSSEC: add ipapk11helper module
...
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417
Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Martin Basti
9184d9a1bb
DNSSEC: schema
...
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417
Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Martin Basti
c909690c8a
DNSSEC: dependencies
...
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417
Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Martin Basti
78018dd67d
Add mask, unmask methods for service
...
This patch allows masking and unmasking services in IPA
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00