We verify user and group default objectclasses when changing them
to be sure that required objectclasses aren't being dropped. We need
to ignore virtual attributes or it will raise an error because they
aren't defined in schema.
https://fedorahosted.org/freeipa/ticket/2406
New version of bind-dyndb-ldap plugin have an ability to
automatically update machine reverse address when its forward
address is updated via GSS-TSIG update. The reverse zone must be
managed by FreeIPA as well in order of this feature to work.
As it would not be secure to enable this behaviour for all zones
there is a global attribute that can enable PTR sync for all zones
and also a per-zone attribute that can enable for chosen zones
only.
This patch adds an API for this control.
https://fedorahosted.org/freeipa/ticket/2176
Add ability configure per-zone forwarder for DNS zones. Any data
in such zone will then be considered as non-authoritative and all
queries will be sent to specified forwarder.
https://fedorahosted.org/freeipa/ticket/2108
Provide a way to specify BIND allow-query and allow-transfer ACLs
for DNS zones.
IMPORTANT: new bind-dyndb-ldap adds a zone transfer ability. To
avoid zone information leaks to unintended places, allow-transfer
ACL for every zone is by default set to none and has to be
explicitly enabled by an Administrator. This is done both for new
DNS zones and old DNS zones during RPM update via new DNS upgrade
plugin.
https://fedorahosted.org/freeipa/ticket/1211
Implement API for DNS global options supported in bind-dyndb-ldap.
Currently, global DNS option overrides any relevant option in
named.conf. Thus they are not filled by default they are left as
a possibility for a user.
Bool encoding had to be fixed so that Bool LDAP attribute can also
be deleted and not just set to True or False.
https://fedorahosted.org/freeipa/ticket/2216
Deleting these would cause the IPA master to blow up.
For services I'm taking a conservative approach and only limiting the
deletion of known services we care about.
https://fedorahosted.org/freeipa/ticket/2425
We had this in v1 but removed it with v2 because we no longer used
TurboGears for the UI. Because we are now proxying requests to dogtag
we need to re-add this so that mod_ssl doesn't interfere with our
communication.
mod_ssl always blindly registers itself as the SSL provider for mod_proxy.
mod_nss will only register itself if mod_ssl hasn't already done so.
https://fedorahosted.org/freeipa/ticket/2177
This is needed on F-17+, otherwise things blow up when we try to see
if we've added new schema.
Introspection is required to see if the argument check_uniqueness is
available.
https://fedorahosted.org/freeipa/ticket/2383
I noticed a couple of bad references in ipapython/dogtag.py and
fixed those as well. We used to call sslget for all our SSL client
needs before python-nss was written.
https://fedorahosted.org/freeipa/ticket/2391
The permission "Modify Group membership" is used to delegate group
management responsibilities. We don't want that to include managing
the admins group.
https://fedorahosted.org/freeipa/ticket/2416
This patch adds a common method, textui.prompt_helper, that handles
encoding, decoding and error handling for interactive prompts.
On EOFError (Ctrl+D) or KeyboardInterrupt (Ctrl+C), it raises
a new InvocationError, PromptFailed.
The helper is used in prompt, prompt_yesno, and prompt_password,
each of which originally only handled one of Ctrl+C and Ctrl+D.
This fixes https://fedorahosted.org/freeipa/ticket/2345
And it means prompt_yesno will no longer return None on error.
A minor fix restores errors.py's ability print out the list of
errors when run as a script.
This fixes https://fedorahosted.org/freeipa/ticket/1968 (Add
ability in test framework to compare two values in result)
in a general way: adding an optional extra_check key to the test
dict, so a custom checking function with access to the whole result
can be called.
The particular test mentioned in that issue, checking that the
uidnumber and gidnumber for new isers are the same, is added.
Also, this adds a docstring to the Declarative class.
And finally, the test dictionary is passed to check() via keyword
arguments, preventing spelling mistakes in keys from going unnoticed.
https://fedorahosted.org/freeipa/ticket/2238
It doesn't make a lot of sense for ipausers to be a posix group and
we will save a few cycles in compat and sssd by making it non-posix.
This is for new installs only.
Admin e-mail validator currently requires an email to be in
a second-level domain (hostmaster@example.com). This is too
restrictive. Top level domain e-mails (hostmaster@testrelm)
should also be allowed.
This patch also fixes default zonemgr value in help texts and man
pages.
https://fedorahosted.org/freeipa/ticket/2272
These definitions were needed during development to be a le to build against
krb5 version < 1.10
These function headers and defintions are now available in 1.10 that is a hard
dependency for freeipa 3.0, so we can safely drop them.
For some reason lost to history the sub_dict in dsinstance and
cainstance used FQHN instead of FQDN. This made upgrade scripts not
work reliably as the variable might be different depending on context.
Use FQDN universally instead.
Add support for autobind to services. This is a bit of a special case
so I currently require the caller to specify ldapi separately. It only
makes sense to do this only in upgrade cases.
Also uninstall ipa_memcached when uninstalling the server.
https://fedorahosted.org/freeipa/ticket/2399
Always have FQDN available in the update dictionary. There were cases
where it would contain the ldapi socket path and not the FQDN.
https://fedorahosted.org/freeipa/ticket/2147
A forwardable ticket is still required but we no longer need to send
the TGT to the IPA server. A new flag, --delegate, is available if
the old behavior is required.
Set the minimum n-v-r for mod_auth_kerb and krb5-server to pick up
needed patches for S4U2Proxy to work.
https://fedorahosted.org/freeipa/ticket/1098https://fedorahosted.org/freeipa/ticket/2246
The ipa_kpasswd service was deprecated in 2.2, replaced by kadmin. On
upgrade it will be left running by the previous installation, we need
to stop it and uninstall the service.
The dbmodules section needs to reflect that we're now using the new
IPA kdb backend instead of the standard MIT ldap backend.
https://fedorahosted.org/freeipa/ticket/2341
Address column in A, AAAA DNS records was exented of redirection capabilities.
Redirection dialog is shown after a click on a value.
Dialog does following steps:
1) fetch all dns zones
2) find most accurate reverse zone for IP address
2 -fail) show error message, stop
3) checks if target record exists in the zone
3 -fail) show 'dns record create link', stop
4) redirects
Click on 'dns record create link':
1) creates record
1 -fail) show error, stop
2) redirects
https://fedorahosted.org/freeipa/ticket/1975
This is for the LDAP updater in particular. When adding new schema
order can be important when one objectclass depends on another via
SUP.
This calculation will preserve the order of changes in the update file.
Discovered trying to add SSH schema.
https://fedorahosted.org/freeipa/ticket/754
Add method for getting configuration directory path of a service,
so that a different SSH configuration directory can be specified on
different platforms.
https://fedorahosted.org/freeipa/ticket/754
