- Does not require dirsrv access to stash file
- Finalize password history support
- Fix strict password length default in pwd_extop (fix install sctript too)
- fix plugin configuration
- Introduce 3 kind of password change: normal, admin, and ds manager
- normal require adherence to policies
- admin does not but password is immediately expired
- ds manager can just change the password any way he likes.
Initial code to read the Kerberos Master Key from the Directory
- Does not require dirsrv access to stash file
- Finalize password history support
- Fix strict password length default in pwd_extop (fix install sctript too)
- fix plugin configuration
- Introduce 3 kind of password change: normal, admin, and ds manager
- normal require adherence to policies
- admin does not but password is immediately expired
- ds manager can just change the password any way he likes.
Initial code to read the Kerberos Master Key from the Directory
This includes a default password policy
Custom fields are now read from LDAP. The format is a list of
dicts with keys: label, field, required.
The LDAP-based configuration now specifies:
ipaUserSearchFields: uid,givenName,sn,telephoneNumber,ou,title
ipaGroupSearchFields: cn,description
ipaSearchTimeLimit: 2
ipaSearchRecordsLimit: 0
ipaCustomFields:
ipaHomesRootDir: /home
ipaDefaultLoginShell: /bin/sh
ipaDefaultPrimaryGroup: ipausers
ipaMaxUsernameLength: 8
ipaPwdExpAdvNotify: 4
This could use some optimization.
to edit other users (the Edit link won't appear otherwise). Additional
delegation is need to grant permission to individual attributes.
Update the failed login page to indicate that it is a permission issue.
Don't allow access to policy at all for non-admins.
By default users can only edit themselves.
This patch fixes a couple of buglets with read_ip_address():
1) It writes host_name to /etc/hosts, but isn't currently
being passed host_name
2) It doesn't return the IP address even though the caller
expects it
Signed-off-by: Mark McLoughlin <markmc@redhat.com>
After looking into setting up ntpd on the IPA servers I decided it
was better just to warn admins. There are just too many valid setups
for time synchronization for us to try to get this right. Additionally,
just installing ntp and accepting the default config will result in
a configuration that is perfectly valid for IPA.
This patch checks if ntpd is running and suggests enabling it if it
is not - for client and server. It also adds some suggested next
steps to the server installation.
> > This largish patch makes the build and installation work on 64bit
> > machines. The only catch here is that to get a 64bit build you need to
> > set LIBDIR on make:
> >
> > make install LIBDIR=/usr/lib64
> >
> > The spec file does this correctly. I couldn't find any reliable way to
> > guess this that works both on real systems and in the almost entirely
> > empty rpm build root (you can't, for example, check for the existence
> > of /usr/lib64).
Here is another patch for the installer. It does a few things:
* use socket.getfqdn() but fallback to gethostname()
* streamlines the hostname prompting
* fixes a bunch of spelling and grammatical errors
* fixes a bug in the hostname reading/verification logic
* allows "yes" and "no" as answers
* modularizes and reuses code where possible
* changes some of the prompts to be more like
the FDS installer - some text is copied (which is easy to use IMO)
* tries to make the prompts fit on smaller screens (<80 chars)
Hope you agree that it is better. :)
Thanks,
Jon
Modify the way we detect SELinux to use selinuxenabled instead of using
a try/except.
Handle SASL/GSSAPI authentication failures when getting a connection
the exception to contain the complete command.
Add a check to make sure installer is running as root.
Add signal handler to detect a user-cancelled installation.
Detect existing DS instances and prompt to remove them.
Install the turbogears web gui including an init script. This
patch includes a few related changes:
* create a production configuration
* rename the web gui startup scrip to ipa-webgui
* add an init script
* chkconfig on the ipa-webgui init script
* make the start script properly daemonize the app when not
in a development directory.
* Install everything to the correct places (/usr/sbin/ipa-webgui
and /usr/share/ipa/ipagui mainly).
There are some things still left to do:
* Sort out the logging - the config needs to be adjusted so
that logging messages end up in /var/log.
* Remove the rpmbuild tree with the dist-clean target.
* Move ipa-server-setupssl from /usr/sbin to /usr/share/ipa
* Check in requirement change for generated freeipa-python.spec
* Fix interactive hostname in ipa-server-install.
The default configuration of the apache selinux policy doesn't allow
apache to connect to the turbogears gui. This sets the correct
boolean to allow that connection.
Add ipa-passwd tool
Add simple field validation package
This patch adds a package requirement, python-krbV. This is needed to
determine the current user based on their kerberos ticket.
Set password for admin user using the Directory Mangaer account
and the mozldapldappaswd binary to get and SSL connection
Fix some timeout problems with deploying keytabs
Fix ipa_pwd_extop to actuallt correctly detect an SSL connection
Do not ask for the user to use for the directory unless 'dirsrv' is
an existing user which may clash, create it silently
or something very close to this one
Add default groups and admin user
TODO: need to discuss more in deep uid/gid generation, this will
probably change as soon as the DNA plugin is activated
Create separate object for Users and Groups (using same base class)
Check for uniqueness before adding new users and groups
Remove user_container from everything but add operations
Abstract out a number of functions that are common across users and groups
Make sure all strings passed in to be in a filter are checked
Add new error message: No modifications specified
Remove all dependencies on mhash
Remove code optimizatrion from Makefiles, right now these are
developers targeted builds, so it is better to have debugging
symbols around
- Add mod_auth_kerb and cyrus-sasl-gssapi to Requires
- Remove references to admin server in ipa-server-setupssl
- Generate a client certificate for the XML-RPC server to connect to LDAP with
- Create a keytab for Apache
- Create an ldif with a test user
- Provide a certmap.conf for doing SSL client authentication
- Update tools to use kerberos
- Add User class