This reverts commit f7e27b5475.
This test was failing because we were adding a permission as a member
of a role before creating the permission, so no memberof was generated.
In order to have control over the order that updates are applied
a numbering system was created for the update files. These values
were not actually used.
The updates were sorted by DN length and in most cases this was
adequate for proper function. The exception was with roles where
in some cases a role was added as a member of a permission before
the role itself was added so the memberOf value was never created.
Now updates are computed and applied in blocks of 10.
https://fedorahosted.org/freeipa/ticket/3377
Fix output of dnsrecord_del: it now uses output.standard_delete
and excludes --all and --raw flags.
Fix output of sudorule_{add,remove}_option: they now use
output.standard_entry and include --all and --raw flags.
https://fedorahosted.org/freeipa/ticket/3503
When trust is not configured trust-config page is raising an error. Trusts search page won't find anything either -> no use for the pages -> hiding.
https://fedorahosted.org/freeipa/ticket/3333
As find_entry_by_attr no longer adds $SUFFIX to searched base DN,
trustconfig-mod could not find POSIX group to when validating the
new ipantfallbackprimarygroup value. This patch fixes this
regression.
Added flag for each groups type: --posix, --nonposix, --external to group-find command.
Group types:
* non-POSIX: not posix, not external
* POSIX: with objectclass posixgroup
* external: with objectclass ipaexternalgroup
https://fedorahosted.org/freeipa/ticket/3483
Permission details page was incorrectly evaluated as dirty (update button enabled) right after load when permission type={subtree,filter} and some attrs are set.
Can be reproduced by opening 'Modify Automount maps' permission.
The culprit is that attrs widget is populated and dirty-checked even targets where it doesn't belong.
Fixed by running target_mapping action only for visible targets.
https://fedorahosted.org/freeipa/ticket/3527
Find out Kerberos middle version to infer ABI changes in DAL driver.
We cannot load DAL driver into KDC with wrong ABI. This is also needed to
support ipa-devel repository where krb5 1.11 is available for Fedora 18.
The CA cert (/etc/ipa/ca.crt) was not being removed
on client uninstall, causing failure on subsequent client
installation in some cases.
https://fedorahosted.org/freeipa/ticket/3537
ipa <command> -h only showed the summary string, not the full help.
Use the full docstring. Add a custom help formatter that disables
optparse's reformatting.
Test included
https://fedorahosted.org/freeipa/ticket/3543
Extend DNS RR conflict check and forbid DNAME+NS combination unless
it is done in root DNS zone record.
Add tests to verify this enforced check.
https://fedorahosted.org/freeipa/ticket/3449
Refactor DNS RR conflict validator so that it is better extensible in
the future. Also check that there is only one CNAME defined for
a DNS record.
PTR+CNAME record combination is no longer allowed as we found out it
does not make sense to have this combination.
https://fedorahosted.org/freeipa/ticket/3450
Pulls the following fixes:
- upgrade deadlock caused by DNA plugin reconfiguration
- CVE-2013-1897: unintended information exposure when rootdse is
enabled
https://fedorahosted.org/freeipa/ticket/3540
The ipa-replica-install script tries to add replica's A and PTR
records to the master DNS, if master does manage DNS. However,
master need not manage replica's zone. Properly handle this use
case.
https://fedorahosted.org/freeipa/ticket/3496
The CA cert was not loaded, so if it was missing from the PKCS#12 file,
installation would fail.
Pass the cert filename to the server installers and include it in
the NSS DB.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3363
The CertDB class was meant to be a wrapper around NSS databases,
certutil, pk12util, etc. Unfortunately, over time it grew too
dependent on the particular scenarios it is used in.
Introduce a new class that has no knowledge about IPA configuration,
and move generic code to it.
In the future, generic code should be moved to NSSDatabase, code
for the self-signed CA should be removed, and IPA-specific code may
stay in CertDB (which calls NSSDatabase).
We pass names of files with pkcs12 pins to installers which may continue to
use the files after the initial call to create_instance, at which point
the installer has already removed them.
Also, some of the files were not properly removed on failure.
Use ipautil.write_tmp_file for the pin files, which returns a
NamedTemporaryFile object that removes the underlying file when it is
garbage-collected.
Create the files at start of installation. This will allow checking
the pkcs#12 files before the system is modified.
ipakrbauthzdata accepts [null, 'NONE', 'MS-PAC, 'PAD']
New nesting feature of radios/checkboxes was used to handle mutual exclusivity between
['MS-PAC', 'PAD'], 'NONE' and ''.
https://fedorahosted.org/freeipa/ticket/3404
New component: option_widget_base. It's not a regular widget but it share some of its characteristics. It should extend regular widget or it can be nested in itself alone.
checkbox_widget, checkboxes_widget, radio_widget were modified to use it.
Built as a prerequisite for:
https://fedorahosted.org/freeipa/ticket/3404
PASSDB API in Samba adds support for specifying UPN suffixes. The change
in ipasam will allow to pass through list of realm domains as UPN suffixes
so that Active Directory domain controller will be able to recognize
non-primary UPN suffixes as belonging to IPA and properly find our KDC
for cross-realm TGT.
Since Samba already returns primary DNS domain separately, filter it out
from list of UPN suffixes.
Also enclose provider of UPN suffixes into #ifdef to support both
Samba with and without pdb_enum_upn_suffixes().
Part of https://fedorahosted.org/freeipa/ticket/2848
Certificate parsed out of sslget request to pki-ca was not always
properly formatted and it may still contain DOS line ending. Make
sure that the certificate is printed with correct line ending.
Fedora 19 has splitted /var/run and /run directories while in Fedora
18 it used to be a symlink. Thus, named may expect its PID file to be
in other direct than it really is and fail to start.
Add pid-file configuration option to named.conf both for new
installations and for upgraded machines.
This required target is no longer needed as systemd from version 38
has its own journal which is also in the basic set of service unit
requirementes.
https://fedorahosted.org/freeipa/ticket/3511
This patch includes several cleanups needed for Fedora 19 build:
* ipa-kdb is compatible with both krb5 1.10 and 1.11 which contains
an updated DAL interface. Remove the conflict from spec file.
* Fix ipa-ldap-updater call to produce errors only to avoid
cluttering rpm update output
* Remove httpd_conf constant which was not used
https://fedorahosted.org/freeipa/ticket/3502
