This file is copied to older servers that might not have the ipaplatform
refactoring.
Import from the old location if the new one is not available.
https://fedorahosted.org/freeipa/ticket/4763
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Protocols are configured as an inclusive range from SSLv3 through
TLSv1.2. The allowed values in the range are ssl3, tls1.0,
tls1.1 and tls1.2.
This is overridable per client by setting tls_version_min and/or
tls_version_max.
https://fedorahosted.org/freeipa/ticket/4653
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Interactive prompt callback returns list of str instead of CheckedIPAddress
instances.
Ticket: https://fedorahosted.org/freeipa/ticket/4747
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Instead of manually encoding controls, use an actual asn1 compiler.
The file asn1/asn1c/ipa.asn1 will contain ipa modules. The generated code
is committed to the tree and built into a static library that is linked
to the code that uses it.
The first module implements the GetKeytabControl control.
Related:
https://fedorahosted.org/freeipa/ticket/4718https://fedorahosted.org/freeipa/ticket/4728
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
The filtering was incorrect and would result in always discarding all values.
Also make sure there are no duplicates in the list.
Partial fix for:
https://fedorahosted.org/freeipa/ticket/4718
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
so that httpd ccache won't contain old credentials which would make ipa CLI fail with error:
Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Decrypt integrity check failed)
https://fedorahosted.org/freeipa/ticket/4726
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Because of dnspython implementation, in some cases UnicodeError is
raised instead of DNS SyntaxError
Ticket: https://fedorahosted.org/freeipa/ticket/4734
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Escape user defined text to prevent XSS attacks. Extra precaution was taken
to escape also parts which are unlikely to contain user-defined text.
fixes CVE-2014-7850
https://fedorahosted.org/freeipa/ticket/4742
Reviewed-By: Tomas Babej <tbabej@redhat.com>
This is just workaround, checking if CA is working raises false positive
exception during upgrade
Ticket: https://fedorahosted.org/freeipa/ticket/4676
Reviewed-By: Simo Sorce <ssorce@redhat.com>
The expiration date was always set to the expiration date of the original
certificate.
https://fedorahosted.org/freeipa/ticket/4717
Reviewed-By: David Kupka <dkupka@redhat.com>
This is possible because python-qrcode's output now fits in a standard
terminal. Also, update ipa-otp-import and otptoken-add-yubikey to
disable QR code output as it doesn't make sense in these contexts.
https://fedorahosted.org/freeipa/ticket/4703
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Current Dogtag 10.2 and it's requirements are not properly packaged for
CentOS, yet. To enable FreeIPA running on CentOS 7.0, lower the
Requires on Fedora 20 and CentOS platform on Dogtag 10.1.2 which
has the patches required by FreeIPA backported and which has all
dependencies avaiable.
https://fedorahosted.org/freeipa/ticket/4737
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This way make rpms will always generate new packages that can be installed on
top fo older ones, regardless of alphabetic ordering of the GIT commit id.
Also make sure version and date variables are immditely resolved, so they can't
change during the build.
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Just adding dir to specfile doesnt work, because is not guarantee the
named is installed, during RPM installation.
Ticket: https://fedorahosted.org/freeipa/ticket/4716
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The man pages for various FreeIPA setup tools are more descriptive on how to
configure multiple DNS forwarders than the corresponding cli help. This patch
makes the cli help more verbose now for the following tools:
* ipa-dns-install
* ipa-replica-install
* ipa-server-install
https://fedorahosted.org/freeipa/ticket/4465
Reviewed-By: Martin Basti <mbasti@redhat.com>
(Link to) service file from /etc/systemd/system/ must be removed before masking
systemd service.
https://fedorahosted.org/freeipa/ticket/4658
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Mixing 'Old' and 'New' attr style for referential integrity plugin causes errors.
Now old setting are migrated to new style setting before upgrade
Ticket: https://fedorahosted.org/freeipa/ticket/4622
Reviewed-By: David Kupka <dkupka@redhat.com>
The wrong search scope was being used when trying to determine if
a given master had a CA installed when trying to create a new
connection.
https://fedorahosted.org/freeipa/ticket/4704
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
IPA only uses one instance of the directory server. When an instance
is not specified to a call to service.start/stop/restart/...,
use IPA's instance.
Stopping a systemd service is synchronous (bby default), but stopping
a target is not. This will change ensures that the directory server
is actually down when stop() finishes.
https://fedorahosted.org/freeipa/ticket/4709
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Installer adds zonemgr as relative (and invalid) address.
This fix force installer to use absolute email.
Ticket: https://fedorahosted.org/freeipa/ticket/4707
Reviewed-By: David Kupka <dkupka@redhat.com>
Backup and restore /etc/pki/ca-trust/source/ipa.p11-kit.
Create /etc/ipa/nssdb after restore if necessary.
https://fedorahosted.org/freeipa/ticket/4711
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
